deltaspike-users mailing list archives

From bu...@dakosy.de
Subject Reply: Re: POST parameter will be added to URL in some cases
Date Thu, 23 Apr 2015 09:09:32 GMT
Hi,

I understand the reason why you need to keep the GET parameters during the 
redirect, but why are the POST parameters handled in the same way?

If I send the login form, a POST request will be sent to 
"j_security_check". The HTTP response is a 302 (Moved Temporarily) 
containing the URL 
"http://example.com/userLoginError.xhtml?j_password=mypassword&j_username=myuser&dswid=76" 
as Location attribute. After that response, the browser sends a GET 
request to the URL from the Location attribute.

It seems that externalContext.getRequestParameterValuesMap() (that is used 
in JsfUtils#addRequestParameters) contains both POST and GET parameters.

Is there any way to disable the redirect for particular pages? 

Regards,
Marco



From:
Thomas Andraschko <andraschko.thomas@gmail.com>
To:
users@deltaspike.apache.org, 
Date:
23.04.2015 09:59
Subject:
Re: POST parameter will be added to URL in some cases



Hi,

that's actually how the LAZY mode works. The feature is called "initial
redirect".
We need to add all GET params here because if you open e.g.
/index.xhtml?userId=1, we do a redirect to the same URL with a new dswid.
If we did not collect all GET params, the userId would be lost.

Don't know what JAAS exactly does. Can you give me some input? I don't
think that we currently skip the initial redirect on a POST. I'm also not
sure if it's good in all cases to skip it on a POST.

Regards,
Thomas

2015-04-23 8:04 GMT+02:00 <bulau@dakosy.de>:

> Hi Thomas,
>
> I've checked and found out that the parameters will be added in
> "JsfUtils.addRequestParameters(externalContext, url, true);" within the
> method ClientWindowHelper#handleInitialRedirect.
>
> Regards
> Marco
>
>
>
> To:
> users@deltaspike.apache.org
> Subject:
> Re: POST parameter will be added to URL in some cases
> Hi,
>
> please debug ClientWindowHelper#handleInitialRedirect and check if the
> j_password/j_username will be appended there and come back.
>
> Regards,
> Thomas
>
> 2015-04-22 15:44 GMT+02:00 <bulau@dakosy.de>:
>
> > Hello,
> > we are using DeltaSpike in a web application that is secured by JAAS,
> > running on EAP 6.x. The login form sends a POST request to
> > "j_security_check". If the login fails due to wrong username/password,
> > the user will be redirected to a login error page configured as
> > "form-error-page" in web.xml. In this case, the URL looks like
> > "example.com/webapp/userLoginError.xhtml?j_password=password&j_username=username&dswid=-8159".
> > The parameters j_username and j_password are added as GET parameters to
> > the URL containing the values in plaintext.
> > If I remove DeltaSpike from the project, the URL looks like
> > "example.com/webapp/userLoginError.xhtml" without the parameters
> > j_username and j_password.
> > After logging in successfully, this problem doesn't occur again if a POST
> > request was made on a secured page.
> > From my point of view it looks like a bug in DeltaSpike, because
> > DeltaSpike should only handle the parameter dswid and no other GET/POST
> > parameters.
> > Can you confirm or do you have any advice on how I can prevent it?
> > Thank you very much in advance.
> > Best regards
> > Marco
>
>
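The behaviour discussed in this thread, modelled as an added Python example (this is not DeltaSpike code): `merged_parameter_map` stands in for `ExternalContext#getRequestParameterValuesMap()`, which exposes query-string and form-body parameters in one map, so a redirect built from it carries `j_username`/`j_password` into the Location header; `safe_initial_redirect` builds the redirect from the query string only, keeping `dswid` and dropping the POST body. The URL, parameter names and values are constructed from the thread; the function names are hypothetical.

```python
from urllib.parse import parse_qs, urlencode, urlsplit, urlunsplit

# Constructed sample request modelling the failed JAAS login described in
# the thread: the form was POSTed to j_security_check, the container sends
# a 302 to the form-error-page and the client-window id rides along.
SAMPLE_QUERY = "dswid=76"
SAMPLE_BODY = "j_username=myuser&j_password=mypassword"
ERROR_PAGE = "http://example.com/userLoginError.xhtml"

# Parameters that must never end up in a URL (server logs, Referer, history).
SENSITIVE_PARAMS = {"j_username", "j_password"}


def merged_parameter_map(query, body):
    """Model of ExternalContext#getRequestParameterValuesMap(): the servlet
    container returns query-string and form-body parameters in one map."""
    params = parse_qs(query, keep_blank_values=True)
    for name, values in parse_qs(body, keep_blank_values=True).items():
        params.setdefault(name, []).extend(values)
    return params


def build_redirect(url, params):
    """Append a parameter map to the URL's query string (doseq keeps lists)."""
    parts = urlsplit(url)
    merged = parse_qs(parts.query, keep_blank_values=True)
    for name, values in params.items():
        merged.setdefault(name, []).extend(values)
    return urlunsplit(parts._replace(query=urlencode(merged, doseq=True)))


def naive_initial_redirect(url, query, body):
    """Redirect built from the merged map: the POST body leaks into the URL."""
    return build_redirect(url, merged_parameter_map(query, body))


def safe_initial_redirect(url, query, body):
    """Redirect built from the query string alone: GET params such as dswid
    survive, form-body params are dropped (body is deliberately unused)."""
    return build_redirect(url, parse_qs(query, keep_blank_values=True))


def leaked_sensitive_params(redirect_url):
    """Sorted names of sensitive parameters present in a Location URL."""
    present = set(parse_qs(urlsplit(redirect_url).query))
    return sorted(SENSITIVE_PARAMS & present)


if __name__ == "__main__":
    print(naive_initial_redirect(ERROR_PAGE, SAMPLE_QUERY, SAMPLE_BODY))
    print(safe_initial_redirect(ERROR_PAGE, SAMPLE_QUERY, SAMPLE_BODY))
```

`leaked_sensitive_params` run over the Location header of each redirect is the check a test suite can apply after a failed login to confirm the fix holds.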


