deltaspike-users mailing list archives

From bu...@dakosy.de
Subject Antwort: Re: Re: POST parameter will be added to URL in some cases
Date Thu, 23 Apr 2015 09:43:48 GMT
Hi,

Probably the logic from DeltaSpike is OK, but is there no way to differentiate between
POST and GET parameters in JsfUtils#addRequestParameters?

If I don't use DeltaSpike, the response of the POST request to 
"j_security_check" is the content of "userLoginError.xhtml". If I use 
DeltaSpike, the response of the POST request is the URL to 
"userLoginError.xhtml" already containing the POST parameters, the GET 
request after it is correct, of course.

Regards,
Marco




From: Thomas Andraschko <andraschko.thomas@gmail.com>
To: users@deltaspike.apache.org
Date: 23.04.2015 11:30
Subject: Re: Re: POST parameter will be added to URL in some cases



Hi,

OK, I see.
So the request is also a GET request and logic from DS is actually OK.

@Gerhard
Any idea how we could implement such an exclude feature?

Regards,
Thomas

2015-04-23 11:09 GMT+02:00 <bulau@dakosy.de>:

> Hi,
>
> I understand the reason why you need to keep the get parameters during the
> redirect, but why the post parameter will be handled in the same way?
>
> If I send the login form, a POST request will be sent to
> "j_security_check". The HTTP response is a 302 (Moved Temporarily)
> containing the URL
> "http://example.com/userLoginError.xhtml?j_password=mypassword&j_username=myuser&dswid=76"
> as location attribute. After that response, the browser sends a GET
> request to the URL from the location attribute.
>
> It seems that externalContext.getRequestParameterValuesMap() (that is used
> in JsfUtils#addRequestParameters) contains both POST and GET parameters.
>
> Is there any way to disable the redirect for particular pages?
>
> Regards,
> Marco
>
>
>
> From: Thomas Andraschko <andraschko.thomas@gmail.com>
> To: users@deltaspike.apache.org
> Date: 23.04.2015 09:59
> Subject: Re: POST parameter will be added to URL in some cases
>
>
>
> Hi,
>
> That's actually how the LAZY mode works. The feature is called "initial
> redirect".
> We need to add all get params here because if you open e.g.
> /index.xhtml?userId=1, we do a redirect to the same url with a new dswid.
> If we would not collect all get params, the userId will be lost.
>
> Don't know what JAAS exactly does. Can you give me some input? I don't
> think that we currently skip the initial redirect on a post. I'm also not
> sure if it's good in all cases to skip it on a post.
>
> Regards,
> Thomas
>
> 2015-04-23 8:04 GMT+02:00 <bulau@dakosy.de>:
>
> > Hi Thomas,
> >
> > I've checked and found out that the parameters will be added in
> > "JsfUtils.addRequestParameters(externalContext, url, true);" within the
> > method ClientWindowHelper#handleInitialRedirect.
> >
> > Regards
> > Marco
> >
> >
> >
> > To: users@deltaspike.apache.org
> > Subject: Re: POST parameter will be added to URL in some cases
> > Hi,
> >
> > please debug ClientWindowHelper#handleInitialRedirect and check if the
> > j_password/j_username will be appended there and come back.
> >
> > Regards,
> > Thomas
> >
> > 2015-04-22 15:44 GMT+02:00 <bulau@dakosy.de>:
> >
> > > Hello,
> > > we are using DeltaSpike in a web application, that is secured by JAAS,
> > > running on EAP 6.x. The login form sends a POST request to
> > > "j_security_check". If the login fails due to wrong username/password,
> > > the user will be redirected to a login error page configured as
> > > "form-error-page" in web.xml. In this case, the URL looks like
> > > "example.com/webapp/userLoginError.xhtml?j_password=password&j_username=username&dswid=-8159".
> > > The parameters j_username and j_password are added as GET parameters to
> > > URL containing the values in plaintext.
> > > If I remove DeltaSpike from the project, the URL looks like
> > > "example.com/webapp/userLoginError.xhtml" without the parameters
> > > j_username and j_password.
> > > After login successfully, this problem doesn't occur again if a POST
> > > request was made on a secured page.
> > > From my point of view it looks like a bug in DeltaSpike, because
> > > DeltaSpike should only handle the parameter dswid and no other GET/POST
> > > parameters.
> > > Can you confirm or do you have any advice how can I prevent it?
> > > Thank you very much in advance.
> > > Best regards
> > > Marco
> >
> >
>
>
>
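
The following is an added example, not part of the thread and not DeltaSpike's code. It contrasts building the initial-redirect URL from the merged parameter map (the behaviour described above, where `j_username`/`j_password` from the POST body reach the `Location` header) with rebuilding it from the raw query string only. The class and method names are hypothetical, the sample requests are constructed, and it assumes Java 10 or later.

```java
import java.net.URLDecoder;
import java.net.URLEncoder;
import java.nio.charset.StandardCharsets;
import java.util.LinkedHashMap;
import java.util.Map;

public class InitialRedirectDemo {

    static String enc(String s) { return URLEncoder.encode(s, StandardCharsets.UTF_8); }

    // Pattern discussed in the thread: every entry of the merged parameter map
    // (query string AND form body) is appended to the redirect URL.
    static String fromMergedMap(String url, Map<String, String[]> merged) {
        StringBuilder sb = new StringBuilder(url);
        char sep = '?';
        for (Map.Entry<String, String[]> e : merged.entrySet()) {
            for (String v : e.getValue()) {
                sb.append(sep).append(enc(e.getKey())).append('=').append(enc(v));
                sep = '&';
            }
        }
        return sb.toString();
    }

    // Alternative: rebuild only from the raw query string, so form-body fields
    // never reach the Location header. Any old dswid is replaced by the new one.
    static String fromQueryString(String url, String rawQuery, String windowId) {
        StringBuilder sb = new StringBuilder(url).append("?dswid=").append(enc(windowId));
        if (rawQuery != null) {
            for (String pair : rawQuery.split("&")) {
                String[] kv = pair.split("=", 2);
                String name = URLDecoder.decode(kv[0], StandardCharsets.UTF_8);
                if (name.isEmpty() || name.equals("dswid")) continue;
                String value = kv.length > 1 ? URLDecoder.decode(kv[1], StandardCharsets.UTF_8) : "";
                sb.append('&').append(enc(name)).append('=').append(enc(value));
            }
        }
        return sb.toString();
    }

    public static void main(String[] args) {
        // Constructed sample: failed login POST forwarded to the error page (no query string).
        Map<String, String[]> merged = new LinkedHashMap<>();
        merged.put("j_password", new String[] { "mypassword" });
        merged.put("j_username", new String[] { "myuser" });
        merged.put("dswid", new String[] { "76" });
        String errorPage = "http://example.com/userLoginError.xhtml";
        System.out.println("merged map  : " + fromMergedMap(errorPage, merged));
        System.out.println("query only  : " + fromQueryString(errorPage, null, "76"));
        // Constructed sample: plain GET whose userId must survive the redirect.
        System.out.println("GET retained: " + fromQueryString("http://example.com/index.xhtml", "userId=1", "76"));
    }
}
```

In a servlet container the raw query string would come from `HttpServletRequest#getQueryString()`, which does not include the form body.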


