deltaspike-users mailing list archives

From bu...@dakosy.de
Subject Reply: Re: Re: Re: POST parameter will be added to URL in some cases
Date Thu, 23 Apr 2015 11:29:26 GMT
Yes, I will create an issue. I think you mean that the initial redirect
will be restricted to GET requests, or not?

Regards,
Marco




From: Thomas Andraschko <andraschko.thomas@gmail.com>
To: users@deltaspike.apache.org
Date: 23.04.2015 13:11
Subject: Re: Re: Re: POST parameter will be added to URL in some cases



Restrict to GET params sounds good.
Could you please create an issue, Marco?

2015-04-23 12:25 GMT+02:00 Gerhard Petracek <gerhard.petracek@gmail.com>:

> @thomas:
> we could introduce a parameter-filter and provide a (deactivatable)
> implementation which is aware of JAAS
> or we just restrict the initial redirect to GET requests as we did it in
> CODI.
>
> regards,
> gerhard
>
>
>
> 2015-04-23 11:43 GMT+02:00 <bulau@dakosy.de>:
>
> > Hi,
> >
> > probably the logic from DeltaSpike is ok, but is there no way to
> > differentiate POST and GET parameters in JsfUtils#addRequestParameters?
> >
> > If I don't use DeltaSpike, the response of the POST request to
> > "j_security_check" is the content of "userLoginError.xhtml". If I use
> > DeltaSpike, the response of the POST request is the URL to
> > "userLoginError.xhtml" already containing the POST parameters, the GET
> > request after it is correct, of course.
> >
> > Regards,
> > Marco
> >
> >
> >
> >
> > From: Thomas Andraschko <andraschko.thomas@gmail.com>
> > To: users@deltaspike.apache.org
> > Date: 23.04.2015 11:30
> > Subject: Re: Re: POST parameter will be added to URL in some cases
> >
> >
> >
> > Hi,
> >
> > ok, I see.
> > So the request is also a GET request and the logic from DS is actually ok.
> >
> > @Gerhard
> > Any idea how we could implement such an exclude feature?
> >
> > Regards,
> > Thomas
> >
> > 2015-04-23 11:09 GMT+02:00 <bulau@dakosy.de>:
> >
> > > Hi,
> > >
> > > I understand the reason why you need to keep the GET parameters during
> > > the redirect, but why are the POST parameters handled in the same
> > > way?
> > >
> > > If I send the login form, a POST request will be sent to
> > > "j_security_check". The HTTP response is a 302 (Moved Temporarily)
> > > containing the URL
> > > "http://example.com/userLoginError.xhtml?j_password=mypassword&j_username=myuser&dswid=76"
> > > as location attribute. After that response, the browser sends a GET
> > > request to the URL from the location attribute.
> > >
> > > It seems that externalContext.getRequestParameterValuesMap() (that is
> > > used in JsfUtils#addRequestParameters) contains both POST and GET
> > > parameters.
> > >
> > > Is there any way to disable the redirect for particular pages?
> > >
> > > Regards,
> > > Marco
> > >
> > >
> > >
> > > From: Thomas Andraschko <andraschko.thomas@gmail.com>
> > > To: users@deltaspike.apache.org
> > > Date: 23.04.2015 09:59
> > > Subject: Re: POST parameter will be added to URL in some cases
> > >
> > >
> > >
> > > Hi,
> > >
> > > that's actually how the LAZY mode works. The feature is called "initial
> > > redirect".
> > > We need to add all GET params here because if you open e.g.
> > > /index.xhtml?userId=1, we do a redirect to the same URL with a new dswid.
> > > If we did not collect all GET params, the userId would be lost.
> > >
> > > Don't know what JAAS exactly does. Can you give me some input? I don't
> > > think that we currently skip the initial redirect on a POST. I'm also not
> > > sure if it's good in all cases to skip it on a POST.
> > >
> > > Regards,
> > > Thomas
> > >
> > > 2015-04-23 8:04 GMT+02:00 <bulau@dakosy.de>:
> > >
> > > > Hi Thomas,
> > > >
> > > > I've checked and found out that the parameters will be added in
> > > > "JsfUtils.addRequestParameters(externalContext, url, true);" within
> > > > the method ClientWindowHelper#handleInitialRedirect.
> > > >
> > > > Regards
> > > > Marco
> > > >
> > > >
> > > >
> > > > To: users@deltaspike.apache.org
> > > > Subject: Re: POST parameter will be added to URL in some cases
> > > > Hi,
> > > >
> > > > please debug ClientWindowHelper#handleInitialRedirect and check if
> > > > the j_password/j_username will be appended there and come back.
> > > >
> > > > Regards,
> > > > Thomas
> > > >
> > > > 2015-04-22 15:44 GMT+02:00 <bulau@dakosy.de>:
> > > >
> > > > > Hello,
> > > > > we are using DeltaSpike in a web application that is secured by JAAS,
> > > > > running on EAP 6.x. The login form sends a POST request to
> > > > > "j_security_check". If the login fails due to a wrong username/password,
> > > > > the user will be redirected to a login error page configured as
> > > > > "form-error-page" in web.xml. In this case, the URL looks like
> > > > > "example.com/webapp/userLoginError.xhtml?j_password=password&j_username=username&dswid=-8159".
> > > > > The parameters j_username and j_password are added as GET parameters to
> > > > > the URL containing the values in plaintext.
> > > > > If I remove DeltaSpike from the project, the URL looks like
> > > > > "example.com/webapp/userLoginError.xhtml" without the parameters
> > > > > j_username and j_password.
> > > > > After logging in successfully, this problem doesn't occur again if a POST
> > > > > request was made on a secured page.
> > > > > From my point of view it looks like a bug in DeltaSpike, because
> > > > > DeltaSpike should only handle the parameter dswid and no other GET/POST
> > > > > parameters.
> > > > > Can you confirm or do you have any advice how I can prevent it?
> > > > > Thank you very much in advance.
> > > > > Best regards
> > > > > Marco
> > > >
> > > >
> > >
> > >
> > >
> >
> >
> >
>
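The thread boils down to one mechanism: the initial redirect copies everything from the merged request parameter map, which for a POST includes the form body, so a failed JAAS login leaks j_username and j_password into the 302 Location header and from there into browser history, proxy and server logs. The following is an added illustration, not DeltaSpike's own code, of the two remedies discussed above: skip the initial redirect on anything but GET, and when building the redirect URL copy only parameters that came from the query string. The class name, the method names and the "merged map" input are assumptions; the request is modelled by plain values (HTTP method, raw query string, merged parameter map) so it runs with the JDK alone, and the sample request is constructed from the URLs quoted in the thread.

```java
import java.io.UnsupportedEncodingException;
import java.net.URLDecoder;
import java.net.URLEncoder;
import java.util.ArrayList;
import java.util.Arrays;
import java.util.LinkedHashMap;
import java.util.List;
import java.util.Map;

/** Hypothetical helper (not DeltaSpike code) for a POST-safe initial redirect. */
public final class InitialRedirectParams {

    /** Client window id parameter, named as in the thread's URLs. */
    static final String WINDOW_ID_PARAM = "dswid";

    private InitialRedirectParams() {}

    /** Remedy 1: only a GET request is eligible for the initial redirect at all. */
    static boolean isInitialRedirectAllowed(String httpMethod) {
        return "GET".equalsIgnoreCase(httpMethod);
    }

    /** Parses a raw query string such as "a=1&b=2&a=3" into an ordered multi-map. */
    static Map<String, List<String>> parseQueryString(String query) {
        Map<String, List<String>> params = new LinkedHashMap<>();
        if (query == null || query.isEmpty()) {
            return params;
        }
        for (String pair : query.split("&")) {
            if (pair.isEmpty()) continue;
            int eq = pair.indexOf('=');
            String name = decode(eq < 0 ? pair : pair.substring(0, eq));
            String value = eq < 0 ? "" : decode(pair.substring(eq + 1));
            params.computeIfAbsent(name, k -> new ArrayList<>()).add(value);
        }
        return params;
    }

    /** Appends the given parameters to url, dropping the old window id so a fresh one can be added. */
    static String appendParameters(String url, Map<String, List<String>> params) {
        StringBuilder sb = new StringBuilder(url);
        boolean first = url.indexOf('?') < 0;
        for (Map.Entry<String, List<String>> e : params.entrySet()) {
            if (WINDOW_ID_PARAM.equals(e.getKey())) continue;
            for (String value : e.getValue()) {
                sb.append(first ? '?' : '&').append(encode(e.getKey())).append('=').append(encode(value));
                first = false;
            }
        }
        return sb.toString();
    }

    /** Remedy 2: build the redirect URL from the query string only, never from the form body. */
    static String addQueryStringParameters(String url, String rawQueryString) {
        return appendParameters(url, parseQueryString(rawQueryString));
    }

    private static String encode(String s) {
        try { return URLEncoder.encode(s, "UTF-8"); }
        catch (UnsupportedEncodingException ex) { throw new IllegalStateException(ex); }
    }

    private static String decode(String s) {
        try { return URLDecoder.decode(s, "UTF-8"); }
        catch (UnsupportedEncodingException ex) { throw new IllegalStateException(ex); }
    }

    public static void main(String[] args) {
        // Constructed sample: the failed-login POST from the thread. The query string
        // carries only dswid; the credentials sit in the form body, but a merged map
        // (what getRequestParameterValuesMap() exposes) contains both.
        String method = "POST";
        String rawQuery = "dswid=-8159";
        Map<String, List<String>> merged = new LinkedHashMap<>();
        merged.put("j_password", Arrays.asList("password"));
        merged.put("j_username", Arrays.asList("username"));
        merged.put("dswid", Arrays.asList("-8159"));
        String target = "/webapp/userLoginError.xhtml";

        // Current behaviour: credentials end up in the Location header.
        System.out.println("merged-map URL : " + appendParameters(target, merged));
        // Remedy 2: only the query string is copied, so nothing is appended here.
        System.out.println("query-only URL : " + addQueryStringParameters(target, rawQuery));
        // Remedy 1: a POST is not redirected in the first place.
        System.out.println("redirect on POST allowed: " + isInitialRedirectAllowed(method));
        // A bookmarkable GET parameter still survives, as Thomas's /index.xhtml?userId=1 case requires.
        System.out.println("GET /index.xhtml -> " + addQueryStringParameters("/index.xhtml", "userId=1&dswid=76"));
    }
}
```

In a real JSF filter the raw query string would come from `((HttpServletRequest) externalContext.getRequest()).getQueryString()` and the method from `getMethod()`; the point of the example is that the parameter source, not the parameter name, decides what may be echoed into a redirect, which is why a name-based blacklist of j_username/j_password is the weaker fix.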


