Subject: Re: Re: Re: Re: POST parameter will be added to URL in some cases
From: bulau@dakosy.de
To: users@deltaspike.apache.org
Date: Thu, 23 Apr 2015 13:29:26 +0200

Yes, I will create an issue. I think you mean that the initial redirect will be restricted to GET requests, or not?

Regards,
Marco

From: Thomas Andraschko
To: users@deltaspike.apache.org
Date: 23.04.2015 13:11
Subject: Re: Re: Re: POST parameter will be added to URL in some cases

Restrict to GET params sounds good. Could you please create an issue, Marco?

2015-04-23 12:25 GMT+02:00 Gerhard Petracek :
> @thomas:
> we could introduce a parameter-filter and provide a (deactivatable) implementation which is aware of jaas
> or we just restrict the initial redirect to get-requests as we did it in codi.
>
> regards,
> gerhard
>
> 2015-04-23 11:43 GMT+02:00 :
> > Hi,
> >
> > probably the logic from DeltaSpike is ok, but is there no way to distinguish POST and GET parameters in JsfUtils#addRequestParameters?
> >
> > If I don't use DeltaSpike, the response of the POST request to "j_security_check" is the content of "userLoginError.xhtml". If I use DeltaSpike, the response of the POST request is the URL to "userLoginError.xhtml" already containing the POST parameters; the GET request after it is correct, of course.
> >
> > Regards,
> > Marco
> >
> > From: Thomas Andraschko
> > To: users@deltaspike.apache.org
> > Date: 23.04.2015 11:30
> > Subject: Re: Re: POST parameter will be added to URL in some cases
> >
> > Hi,
> >
> > ok, I see. So the request is also a GET request and the logic from DS is actually ok.
> >
> > @Gerhard
> > Any idea how we could implement such an exclude feature?
> >
> > Regards,
> > Thomas
> >
> > 2015-04-23 11:09 GMT+02:00 :
> > > Hi,
> > >
> > > I understand the reason why you need to keep the GET parameters during the redirect, but why are the POST parameters handled in the same way?
> > >
> > > If I send the login form, a POST request will be sent to "j_security_check". The HTTP response is a 302 (Moved Temporarily) containing the URL "http://example.com/userLoginError.xhtml?j_password=mypassword&j_username=myuser&dswid=76" as location attribute. After that response, the browser sends a GET request to the URL from the location attribute.
> > >
> > > It seems that externalContext.getRequestParameterValuesMap() (that is used in JsfUtils#addRequestParameters) contains both POST and GET parameters.
> > >
> > > Is there any way to disable the redirect for particular pages?
> > >
> > > Regards,
> > > Marco
> > >
> > > From: Thomas Andraschko
> > > To: users@deltaspike.apache.org
> > > Date: 23.04.2015 09:59
> > > Subject: Re: POST parameter will be added to URL in some cases
> > >
> > > Hi,
> > >
> > > that's actually how the LAZY mode works. The feature is called "initial redirect".
> > > We need to add all GET params here because if you open e.g. /index.xhtml?userId=1, we do a redirect to the same url with a new dswid. If we did not collect all GET params, the userId would be lost.
> > >
> > > Don't know what JAAS exactly does. Can you give me some input? I don't think that we currently skip the initial redirect on a post. I'm also not sure if it's good in all cases to skip it on a post.
> > >
> > > Regards,
> > > Thomas
> > >
> > > 2015-04-23 8:04 GMT+02:00 :
> > > > Hi Thomas,
> > > >
> > > > I've checked and found out that the parameters will be added in "JsfUtils.addRequestParameters(externalContext, url, true);" within the method ClientWindowHelper#handleInitialRedirect.
> > > >
> > > > Regards
> > > > Marco
> > > >
> > > > To: users@deltaspike.apache.org
> > > > Subject: Re: POST parameter will be added to URL in some cases
> > > >
> > > > Hi,
> > > >
> > > > please debug ClientWindowHelper#handleInitialRedirect and check if the j_password/j_username will be appended there and come back.
> > > >
> > > > Regards,
> > > > Thomas
> > > >
> > > > 2015-04-22 15:44 GMT+02:00 :
> > > > > Hello,
> > > > > we are using DeltaSpike in a web application that is secured by JAAS, running on EAP 6.x. The login form sends a POST request to "j_security_check". If the login fails due to wrong username/password, the user will be redirected to a login error page configured as "form-error-page" in web.xml. In this case, the URL looks like "example.com/webapp/userLoginError.xhtml?j_password=password&j_username=username&dswid=-8159".
> > > > > The parameters j_username and j_password are added as GET parameters to the URL containing the values in plaintext.
> > > > > If I remove DeltaSpike from the project, the URL looks like "example.com/webapp/userLoginError.xhtml" without the parameters j_username and j_password.
> > > > > After logging in successfully, this problem doesn't occur again if a POST request was made on a secured page.
> > > > > From my point of view it looks like a bug in DeltaSpike, because DeltaSpike should only handle the parameter dswid and no other GET/POST parameters.
> > > > > Can you confirm, or do you have any advice on how I can prevent it?
> > > > > Thank you very much in advance.
> > > > > Best regards
> > > > > Marco
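The two behaviours discussed in this thread, as an added illustration that is not DeltaSpike's own code: `redirectWithAllParameters` mirrors the reported behaviour of appending the container's whole parameter map (which on a POST merges the form fields with the query string), while `redirectQueryOnly` follows the suggestion of restricting the initial redirect to GET requests and carrying over only the query string. The `RequestView` record, the method names and the sample values are assumptions; it needs Java 17 or later.

```java
import java.net.URLEncoder;
import java.nio.charset.StandardCharsets;
import java.util.LinkedHashMap;
import java.util.Map;

public class InitialRedirect {
    // Constructed stand-in for what the container hands to JSF: the merged
    // parameter map (body fields AND query string) plus the raw query string.
    record RequestView(String method, String queryString, Map<String, String[]> parameters) {}

    // Behaviour reported in the thread: every entry of the merged map is appended,
    // so on a POST the form fields (j_username/j_password) end up in the Location URL.
    static String redirectWithAllParameters(RequestView req, String target, String dswid) {
        StringBuilder url = new StringBuilder(target);
        char sep = target.contains("?") ? '&' : '?';
        for (Map.Entry<String, String[]> e : req.parameters().entrySet()) {
            for (String v : e.getValue()) {
                url.append(sep).append(enc(e.getKey())).append('=').append(enc(v));
                sep = '&';
            }
        }
        return url.append(sep).append("dswid=").append(enc(dswid)).toString();
    }

    // Hardened variant: no initial redirect for anything but GET, and only the
    // already-encoded query string (e.g. userId=1) is carried over, so request-body
    // parameters can never reach the URL. Returns null when no redirect is due.
    static String redirectQueryOnly(RequestView req, String target, String dswid) {
        if (!"GET".equals(req.method())) {
            return null;
        }
        String qs = req.queryString();
        String prefix = (qs == null || qs.isEmpty()) ? target + "?" : target + "?" + qs + "&";
        return prefix + "dswid=" + enc(dswid);
    }

    private static String enc(String s) { return URLEncoder.encode(s, StandardCharsets.UTF_8); }

    public static void main(String[] args) {
        // Constructed sample: the failed JAAS login POST to j_security_check.
        Map<String, String[]> params = new LinkedHashMap<>();
        params.put("j_username", new String[]{"myuser"});
        params.put("j_password", new String[]{"mypassword"});
        RequestView loginPost = new RequestView("POST", null, params);
        String target = "/webapp/userLoginError.xhtml";
        System.out.println(redirectWithAllParameters(loginPost, target, "76")); // credentials end up in the URL
        System.out.println(redirectQueryOnly(loginPost, target, "76"));         // no redirect for a POST
        RequestView pageGet = new RequestView("GET", "userId=1", new LinkedHashMap<>());
        System.out.println(redirectQueryOnly(pageGet, "/index.xhtml", "76"));   // userId kept, dswid added
    }
}
```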