deltaspike-users mailing list archives

From bu...@dakosy.de
Subject Antwort: Re: Re: Re: Re: POST parameter will be added to URL in some cases
Date Thu, 30 Apr 2015 07:19:08 GMT
Hi,

I just tried it with version 1.3.1-SNAPSHOT from GIT repository. I'm using 
"deltaspike-jsf-module-impl-ee6" because the application is running on 
JBoss EAP 6.3.

In the first test it looks like the problem is still present but I 
will investigate it in detail next week.

Regards,
Marco



From:
Thomas Andraschko <andraschko.thomas@gmail.com>
To:
users@deltaspike.apache.org, 
Date:
28.04.2015 21:16
Subject:
Re: Re: Re: Re: POST parameter will be added to URL in some cases



Hi,

I committed a solution.
Please give it a try.

Regards,
Thomas

2015-04-23 13:33 GMT+02:00 Thomas Andraschko <andraschko.thomas@gmail.com>:

> ahhh, yes. sorry.
>
>
> 2015-04-23 13:29 GMT+02:00 <bulau@dakosy.de>:
>
>> Yes, I will create an issue. I think you mean that the initial redirect
>> will be restricted to GET requests, or not?
>>
>> Regards,
>> Marco
>>
>>
>>
>>
>> From:
>> Thomas Andraschko <andraschko.thomas@gmail.com>
>> To:
>> users@deltaspike.apache.org,
>> Date:
>> 23.04.2015 13:11
>> Subject:
>> Re: Re: Re: POST parameter will be added to URL in some cases
>>
>>
>>
>> Restrict to GET params sounds good.
>> Could you please create an issue Marco?
>>
>> 2015-04-23 12:25 GMT+02:00 Gerhard Petracek <gerhard.petracek@gmail.com>:
>>
>> > @thomas:
>> > we could introduce a parameter-filter and provide a (deactivatable)
>> > implementation which is aware of jaas
>> > or we just restrict the initial redirect to get-requests as we did it in
>> > codi.
>> >
>> > regards,
>> > gerhard
>> >
>> >
>> >
>> > 2015-04-23 11:43 GMT+02:00 <bulau@dakosy.de>:
>> >
>> > > Hi,
>> > >
>> > > probably the logic from DeltaSpike is ok, but is there no way to differ
>> > > POST and GET parameters in JsfUtils#addRequestParameters.
>> > >
>> > > If I don't use DeltaSpike, the response of the POST request to
>> > > "j_security_check" is the content of "userLoginError.xhtml". If I use
>> > > DeltaSpike, the response of the POST request is the URL to
>> > > "userLoginError.xhtml" already containing the POST parameters, the GET
>> > > request after it is correct, of course.
>> > >
>> > > Regards,
>> > > Marco
>> > >
>> > >
>> > >
>> > >
>> > > From:
>> > > Thomas Andraschko <andraschko.thomas@gmail.com>
>> > > To:
>> > > users@deltaspike.apache.org,
>> > > Date:
>> > > 23.04.2015 11:30
>> > > Subject:
>> > > Re: Re: POST parameter will be added to URL in some cases
>> > >
>> > >
>> > >
>> > > Hi,
>> > >
>> > > ok, I see.
>> > > So the request is also a GET request and logic from DS is actually ok.
>> > >
>> > > @Gerhard
>> > > Any idea how we could implement such an exclude feature?
>> > >
>> > > Regards,
>> > > Thomas
>> > >
>> > > 2015-04-23 11:09 GMT+02:00 <bulau@dakosy.de>:
>> > >
>> > > > Hi,
>> > > >
>> > > > I understand the reason why you need to keep the get parameters during
>> > > > the redirect, but why the post parameter will be handled in the same
>> > > > way?
>> > > >
>> > > > If I send the login form, a POST request will be sent to
>> > > > "j_security_check". The HTTP response is a 302 (Moved Temporarily)
>> > > > containing the URL
>> > > > "http://example.com/userLoginError.xhtml?j_password=mypassword&j_username=myuser&dswid=76"
>> > > > as location attribute. After that response, the browser sends a GET
>> > > > request to the URL from the location attribute.
>> > > >
>> > > > It seems that externalContext.getRequestParameterValuesMap() (that is
>> > > > used in JsfUtils#addRequestParameters) contains both POST and GET
>> > > > parameters.
>> > > >
>> > > > Is there any way to disable the redirect for particular pages?
>> > > >
>> > > > Regards,
>> > > > Marco
>> > > >
>> > > >
>> > > >
>> > > > From:
>> > > > Thomas Andraschko <andraschko.thomas@gmail.com>
>> > > > To:
>> > > > users@deltaspike.apache.org,
>> > > > Date:
>> > > > 23.04.2015 09:59
>> > > > Subject:
>> > > > Re: POST parameter will be added to URL in some cases
>> > > >
>> > > >
>> > > >
>> > > > Hi,
>> > > >
>> > > > that's actually how the LAZY mode works. The feature is called
>> > > > "initial redirect".
>> > > > We need to add all get params here because if you open e.g.
>> > > > /index.xhtml?userId=1, we do a redirect to the same url with a new
>> > > > dswid.
>> > > > If we would not collect all get params, the userId will be lost.
>> > > >
>> > > > Don't know what JAAS exactly does. Can you give me some input? I don't
>> > > > think that we currently skip the initial redirect on a post. I'm also
>> > > > not sure if it's good in all cases to skip it on a post.
>> > > >
>> > > > Regards,
>> > > > Thomas
>> > > >
>> > > > 2015-04-23 8:04 GMT+02:00 <bulau@dakosy.de>:
>> > > >
>> > > > > Hi Thomas,
>> > > > >
>> > > > > I've checked and found out that the parameters will be added in
>> > > > > "JsfUtils.addRequestParameters(externalContext, url, true);" within
>> > > > > the method ClientWindowHelper#handleInitialRedirect.
>> > > > >
>> > > > > Regards
>> > > > > Marco
>> > > > >
>> > > > >
>> > > > >
>> > > > > To:
>> > > > > users@deltaspike.apache.org
>> > > > > Subject:
>> > > > > Re: POST parameter will be added to URL in some cases
>> > > > > Hi,
>> > > > >
>> > > > > please debug ClientWindowHelper#handleInitialRedirect and check if
>> > > > > the j_password/j_username will be appended there and come back.
>> > > > >
>> > > > > Regards,
>> > > > > Thomas
>> > > > >
>> > > > > 2015-04-22 15:44 GMT+02:00 <bulau@dakosy.de>:
>> > > > >
>> > > > > > Hello,
>> > > > > > we are using DeltaSpike in a web application, that is secured by
>> > > > > > JAAS, running on EAP 6.x. The login form sends a POST request to
>> > > > > > "j_security_check". If the login fails due to wrong
>> > > > > > username/password, the user will be redirected to a login error
>> > > > > > page configured as "form-error-page" in web.xml. In this case, the
>> > > > > > URL looks like
>> > > > > > "example.com/webapp/userLoginError.xhtml?j_password=password&j_username=username&dswid=-8159".
>> > > > > > The parameters j_username and j_password are added as GET
>> > > > > > parameters to URL containing the values in plaintext.
>> > > > > > If I remove DeltaSpike from the project, the URL looks like
>> > > > > > "example.com/webapp/userLoginError.xhtml" without the parameters
>> > > > > > j_username and j_password.
>> > > > > > After login successfully, this problem doesn't occur again if a
>> > > > > > POST request was made on a secured page.
>> > > > > > From my point of view it looks like a bug in DeltaSpike, because
>> > > > > > DeltaSpike should only handle the parameter dswid and no other
>> > > > > > GET/POST parameters.
>> > > > > > Can you confirm or do you have any advice how can I prevent it?
>> > > > > > Best regards
>> > > > > > Marco
>> > > > >
>> > > > >
>> > > >
>> > > >
>> > > >
>> > >
>> > >
>> > >
>> >
>>
>>
>>
>
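
The two options raised in this thread (restricting the initial redirect to GET requests, and telling query-string parameters apart from form-body parameters) are shown side by side below in plain Java. This is an added illustration, not DeltaSpike's code or the committed fix; the class and method names are hypothetical and the sample request is constructed.

```java
import java.util.LinkedHashMap;
import java.util.Map;

public class InitialRedirectDemo {

    // Leaky variant: copies every entry of a merged parameter map, which
    // (like the request parameter map discussed above) mixes query-string
    // and form-body parameters.
    static String redirectFromMergedMap(String path, Map<String, String[]> merged, String dswid) {
        StringBuilder url = new StringBuilder(path).append("?dswid=").append(dswid);
        for (Map.Entry<String, String[]> e : merged.entrySet()) {
            for (String v : e.getValue()) {
                url.append('&').append(e.getKey()).append('=').append(v);
            }
        }
        return url.toString();
    }

    // Hardened variant: redirect only on GET and carry over only what was
    // already in the query string; returns null when no redirect is issued.
    static String redirectFromQueryString(String method, String path, String rawQuery, String dswid) {
        if (!"GET".equalsIgnoreCase(method)) {
            return null;
        }
        StringBuilder url = new StringBuilder(path).append("?dswid=").append(dswid);
        if (rawQuery != null) {
            for (String pair : rawQuery.split("&")) {
                // Skip empty pairs and any stale window id.
                if (!pair.isEmpty() && !pair.startsWith("dswid=")) {
                    url.append('&').append(pair);
                }
            }
        }
        return url.toString();
    }

    public static void main(String[] args) {
        // Constructed sample: form-body parameters of a failed login POST.
        Map<String, String[]> merged = new LinkedHashMap<>();
        merged.put("j_username", new String[] {"myuser"});
        merged.put("j_password", new String[] {"mypassword"});

        System.out.println(redirectFromMergedMap("/userLoginError.xhtml", merged, "76"));
        System.out.println(redirectFromQueryString("POST", "/userLoginError.xhtml", null, "76"));
        System.out.println(redirectFromQueryString("GET", "/index.xhtml", "userId=1", "76"));
    }
}
```

Because the hardened variant reads only the raw query string, form-body values stay out of the Location header even if the container hands the error page a request that reports itself as GET.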


