deltaspike-users mailing list archives

From Thomas Andraschko <andraschko.tho...@gmail.com>
Subject Re: Re: POST parameter will be added to URL in some cases
Date Thu, 23 Apr 2015 09:29:16 GMT
Hi,

OK, I see.
So the request is also a GET request and the logic from DS is actually OK.

@Gerhard
Any idea how we could implement such an exclude feature?

Regards,
Thomas

2015-04-23 11:09 GMT+02:00 <bulau@dakosy.de>:

> Hi,
>
> I understand the reason why you need to keep the GET parameters during the
> redirect, but why are the POST parameters handled in the same way?
>
> If I send the login form, a POST request will be sent to
> "j_security_check". The HTTP response is a 302 (Moved Temporarily)
> containing the URL
> "http://example.com/userLoginError.xhtml?j_password=mypassword&j_username=myuser&dswid=76"
> as location attribute. After that response, the browser sends a GET
> request to the URL from the location attribute.
>
> It seems that externalContext.getRequestParameterValuesMap() (that is used
> in JsfUtils#addRequestParameters) contains both POST and GET parameters.
>
> Is there any way to disable the redirect for particular pages?
>
> Regards,
> Marco
>
>
>
> From: Thomas Andraschko <andraschko.thomas@gmail.com>
> To: users@deltaspike.apache.org
> Date: 23.04.2015 09:59
> Subject: Re: POST parameter will be added to URL in some cases
>
>
>
> Hi,
>
> That's actually how the LAZY mode works. The feature is called "initial
> redirect".
> We need to add all get params here because if you open e.g.
> /index.xhtml?userId=1, we do a redirect to the same url with a new dswid.
> If we would not collect all get params, the userId will be lost.
>
> Don't know what JAAS exactly does. Can you give me some input? I don't
> think that we currently skip the initial redirect on a post. I'm also not
> sure if it's good in all cases to skip it on a post.
>
> Regards,
> Thomas
>
> 2015-04-23 8:04 GMT+02:00 <bulau@dakosy.de>:
>
> > Hi Thomas,
> >
> > I've checked and found out that the parameters will be added in
> > "JsfUtils.addRequestParameters(externalContext, url, true);" within the
> > method ClientWindowHelper#handleInitialRedirect.
> >
> > Regards
> > Marco
> >
> >
> >
> > To: users@deltaspike.apache.org
> > Subject: Re: POST parameter will be added to URL in some cases
> >
> > Hi,
> >
> > please debug ClientWindowHelper#handleInitialRedirect and check if the
> > j_password/j_username will be appended there and come back.
> >
> > Regards,
> > Thomas
> >
> > 2015-04-22 15:44 GMT+02:00 <bulau@dakosy.de>:
> >
> > > Hello,
> > > we are using DeltaSpike in a web application that is secured by JAAS,
> > > running on EAP 6.x. The login form sends a POST request to
> > > "j_security_check". If the login fails due to a wrong username/password,
> > > the user will be redirected to a login error page configured as
> > > "form-error-page" in web.xml. In this case, the URL looks like
> > > "example.com/webapp/userLoginError.xhtml?j_password=password&j_username=username&dswid=-8159".
> > > The parameters j_username and j_password are added as GET parameters to
> > > the URL, containing the values in plaintext.
> > > If I remove DeltaSpike from the project, the URL looks like
> > > "example.com/webapp/userLoginError.xhtml" without the parameters
> > > j_username and j_password.
> > > After logging in successfully, this problem doesn't occur again if a POST
> > > request was made on a secured page.
> > > From my point of view it looks like a bug in DeltaSpike, because
> > > DeltaSpike should only handle the parameter dswid and no other GET/POST
> > > parameters.
> > > Can you confirm, or do you have any advice on how I can prevent it?
> > > Thank you very much in advance.
> > > Best regards
> > > Marco
> >
> >
>
>
>
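
The behaviour discussed in this thread, as an added illustration that is not part of the messages and not DeltaSpike code: copying the merged request-parameter map into the redirect URL versus re-emitting only what the raw query string carried. Class and method names are hypothetical, and `rawQuery` is assumed to be the value of `HttpServletRequest#getQueryString()`.

```java
import java.io.UnsupportedEncodingException;
import java.net.URLDecoder;
import java.net.URLEncoder;
import java.util.LinkedHashMap;
import java.util.Map;

public class InitialRedirectUrl {

    // Pattern reported in the thread: every entry of the merged parameter map
    // (URL query AND form body) is copied into the redirect URL.
    static String fromMergedMap(String url, Map<String, String[]> merged, String dswid)
            throws UnsupportedEncodingException {
        StringBuilder sb = new StringBuilder(url).append("?dswid=").append(dswid);
        for (Map.Entry<String, String[]> e : merged.entrySet())
            for (String v : e.getValue()) append(sb, e.getKey(), v);
        return sb.toString();
    }

    // Alternative: re-emit only what the raw query string carried, so form-body
    // fields such as j_password can never reach the Location header.
    static String fromQueryString(String url, String rawQuery, String dswid)
            throws UnsupportedEncodingException {
        StringBuilder sb = new StringBuilder(url).append("?dswid=").append(dswid);
        if (rawQuery == null) return sb.toString();
        for (String pair : rawQuery.split("&")) {
            if (pair.isEmpty()) continue;
            int eq = pair.indexOf('=');
            String name = URLDecoder.decode(eq < 0 ? pair : pair.substring(0, eq), "UTF-8");
            String value = eq < 0 ? "" : URLDecoder.decode(pair.substring(eq + 1), "UTF-8");
            if (!name.equals("dswid")) append(sb, name, value); // drop the stale window id
        }
        return sb.toString();
    }

    static void append(StringBuilder sb, String name, String value)
            throws UnsupportedEncodingException {
        sb.append('&').append(URLEncoder.encode(name, "UTF-8"))
          .append('=').append(URLEncoder.encode(value, "UTF-8"));
    }

    public static void main(String[] args) throws Exception {
        // Constructed sample: parameters visible after the login form POST.
        Map<String, String[]> merged = new LinkedHashMap<>();
        merged.put("j_username", new String[] {"myuser"});
        merged.put("j_password", new String[] {"mypassword"});
        System.out.println(fromMergedMap("/userLoginError.xhtml", merged, "76"));
        System.out.println(fromQueryString("/userLoginError.xhtml", null, "76"));
    }
}
```

With the constructed input, the first call prints a URL containing `j_username` and `j_password`, while the second prints only `/userLoginError.xhtml?dswid=76`.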
