deltaspike-users mailing list archives

From Thomas Andraschko <andraschko.tho...@gmail.com>
Subject Re: Re: Re: Re: Re: Re: POST parameter will be added to URL in some cases
Date Wed, 06 May 2015 18:16:02 GMT
Hi,

I added a better check. Please give it a try again.

2015-05-06 7:53 GMT+02:00 <bulau@dakosy.de>:

> Hi,
>
> it seems that this is a post request. The login form is defined as
>
> "<form action="j_security_check" id="loginForm" method="post">..."
>
> and if I try to login with incorrect data, in Firebug (tab network) I can
> see a "POST http://localhost:8080/myapp/j_security_check" with a state
> "302 Moved Temporarily" containing the location
> "http://localhost:8080/myapp/userLoginError.xhtml?j_password=password&j_username=username&dswid=3161".
>
> If I debug the method ClientWindowHelper#handleInitialRedirect the value
> of request.getMethod() is POST when
> ClientWindowHelper#handleInitialRedirect is called.
>
>
>
> Von:
> Thomas Andraschko <andraschko.thomas@gmail.com>
> An:
> users@deltaspike.apache.org,
> Datum:
> 05.05.2015 21:16
> Betreff:
> Re: Re: Re: Re: Re: POST parameter will be added to URL in some cases
>
>
>
> Hi,
>
> I see. Are you sure this is a post?
> I think we could also check "POST".equals(request.getMethod());.
>
> 2015-05-05 17:45 GMT+02:00 <bulau@dakosy.de>:
>
> > Hi,
> >
> > I just debugged the method DefaultClientWindow#getOrCreateWindowId. If I
> > start my application and try to login with incorrect data, the if
> > statement "if (this.jsfModuleConfig.isInitialRedirectEnabled() && !
> > facesContext.isPostback())" is true and
> > ClientWindowHelper#handleInitialRedirect will be called. Within this
> > method, the line JsfUtils#addRequestParameters still adds the "j_username"
> > and "j_password" parameters to the URL.
> >
> > If there is anything else I can try or verify, please let me know.
> >
> > Thank you very much.
> >
> > Regards,
> > Marco
> >
> >
> >
> >
> > Von:
> > Thomas Andraschko <andraschko.thomas@gmail.com>
> > An:
> > users@deltaspike.apache.org,
> > Datum:
> > 28.04.2015 21:16
> > Betreff:
> > Re: Re: Re: Re: POST parameter will be added to URL in some cases
> >
> >
> >
> > Hi,
> >
> > I committed a solution.
> > Please give it a try.
> >
> > Regards,
> > Thomas
> >
> > 2015-04-23 13:33 GMT+02:00 Thomas Andraschko
> > <andraschko.thomas@gmail.com>:
> >
> > > ahhh, yes. sorry.
> > >
> > >
> > > 2015-04-23 13:29 GMT+02:00 <bulau@dakosy.de>:
> > >
> > >> Yes, I will create an issue. I think you mean that the initial redirect
> > >> will be restricted to GET requests, or not?
> > >>
> > >> Regards,
> > >> Marco
> > >>
> > >>
> > >>
> > >>
> > >> Von:
> > >> Thomas Andraschko <andraschko.thomas@gmail.com>
> > >> An:
> > >> users@deltaspike.apache.org,
> > >> Datum:
> > >> 23.04.2015 13:11
> > >> Betreff:
> > >> Re: Re: Re: POST parameter will be added to URL in some cases
> > >>
> > >>
> > >>
> > >> Restrict to GET params sounds good.
> > >> Could you please create an issue, Marco?
> > >>
> > >> 2015-04-23 12:25 GMT+02:00 Gerhard Petracek
> > <gerhard.petracek@gmail.com>:
> > >>
> > >> > @thomas:
> > >> > we could introduce a parameter-filter and provide a (deactivatable)
> > >> > implementation which is aware of jaas
> > >> > or we just restrict the initial redirect to get-requests as we did it
> > >> > in codi.
> > >> >
> > >> > regards,
> > >> > gerhard
> > >> >
> > >> >
> > >> >
> > >> > 2015-04-23 11:43 GMT+02:00 <bulau@dakosy.de>:
> > >> >
> > >> > > Hi,
> > >> > >
> > >> > > probably the logic from DeltaSpike is ok, but is there no way to
> > >> > > distinguish POST and GET parameters in JsfUtils#addRequestParameters?
> > >> > >
> > >> > > If I don't use DeltaSpike, the response of the POST request to
> > >> > > "j_security_check" is the content of "userLoginError.xhtml". If I use
> > >> > > DeltaSpike, the response of the POST request is the URL to
> > >> > > "userLoginError.xhtml" already containing the POST parameters; the GET
> > >> > > request after it is correct, of course.
> > >> > >
> > >> > > Regards,
> > >> > > Marco
> > >> > >
> > >> > >
> > >> > >
> > >> > >
> > >> > > Von:
> > >> > > Thomas Andraschko <andraschko.thomas@gmail.com>
> > >> > > An:
> > >> > > users@deltaspike.apache.org,
> > >> > > Datum:
> > >> > > 23.04.2015 11:30
> > >> > > Betreff:
> > >> > > Re: Re: POST parameter will be added to URL in some cases
> > >> > >
> > >> > >
> > >> > >
> > >> > > Hi,
> > >> > >
> > >> > > OK, I see.
> > >> > > So the request is also a GET request and the logic from DS is
> > >> > > actually ok.
> > >> > >
> > >> > > @Gerhard
> > >> > > Any idea how we could implement such an exclude feature?
> > >> > >
> > >> > > Regards,
> > >> > > Thomas
> > >> > >
> > >> > > 2015-04-23 11:09 GMT+02:00 <bulau@dakosy.de>:
> > >> > >
> > >> > > > Hi,
> > >> > > >
> > >> > > > I understand the reason why you need to keep the GET parameters
> > >> > > > during the redirect, but why will the POST parameters be handled in
> > >> > > > the same way?
> > >> > > >
> > >> > > > If I send the login form, a POST request will be sent to
> > >> > > > "j_security_check". The HTTP response is a 302 (Moved Temporarily)
> > >> > > > containing the URL
> > >> > > > "http://example.com/userLoginError.xhtml?j_password=mypassword&j_username=myuser&dswid=76"
> > >> > > > as location attribute. After that response, the browser sends a GET
> > >> > > > request to the URL from the location attribute.
> > >> > > >
> > >> > > > It seems that externalContext.getRequestParameterValuesMap() (that is
> > >> > > > used in JsfUtils#addRequestParameters) contains both POST and GET
> > >> > > > parameters.
> > >> > > >
> > >> > > > Is there any way to disable the redirect for particular pages?
> > >> > > >
> > >> > > > Regards,
> > >> > > > Marco
> > >> > > >
> > >> > > >
> > >> > > >
> > >> > > > Von:
> > >> > > > Thomas Andraschko <andraschko.thomas@gmail.com>
> > >> > > > An:
> > >> > > > users@deltaspike.apache.org,
> > >> > > > Datum:
> > >> > > > 23.04.2015 09:59
> > >> > > > Betreff:
> > >> > > > Re: POST parameter will be added to URL in some cases
> > >> > > >
> > >> > > >
> > >> > > >
> > >> > > > Hi,
> > >> > > >
> > >> > > > that's actually how the LAZY mode works. The feature is called
> > >> > > > "initial redirect".
> > >> > > > We need to add all GET params here because if you open e.g.
> > >> > > > /index.xhtml?userId=1, we do a redirect to the same URL with a new
> > >> > > > dswid. If we would not collect all GET params, the userId would be
> > >> > > > lost.
> > >> > > >
> > >> > > > Don't know what JAAS exactly does. Can you give me some input? I
> > >> > > > don't think that we currently skip the initial redirect on a post.
> > >> > > > I'm also not sure if it's good in all cases to skip it on a post.
> > >> > > >
> > >> > > > Regards,
> > >> > > > Thomas
> > >> > > >
> > >> > > > 2015-04-23 8:04 GMT+02:00 <bulau@dakosy.de>:
> > >> > > >
> > >> > > > > Hi Thomas,
> > >> > > > >
> > >> > > > > I've checked and found out that the parameters will be added in
> > >> > > > > "JsfUtils.addRequestParameters(externalContext, url, true);" within
> > >> > > > > the method ClientWindowHelper#handleInitialRedirect.
> > >> > > > >
> > >> > > > > Regards
> > >> > > > > Marco
> > >> > > > >
> > >> > > > >
> > >> > > > >
> > >> > > > > An:
> > >> > > > > users@deltaspike.apache.org
> > >> > > > > Betreff:
> > >> > > > > Re: POST parameter will be added to URL in some cases
> > >> > > > > Hi,
> > >> > > > >
> > >> > > > > please debug ClientWindowHelper#handleInitialRedirect and check if
> > >> > > > > the j_password/j_username will be appended there and come back.
> > >> > > > >
> > >> > > > > Regards,
> > >> > > > > Thomas
> > >> > > > >
> > >> > > > > 2015-04-22 15:44 GMT+02:00 <bulau@dakosy.de>:
> > >> > > > >
> > >> > > > > > Hello,
> > >> > > > > > we are using DeltaSpike in a web application that is secured by
> > >> > > > > > JAAS, running on EAP 6.x. The login form sends a POST request to
> > >> > > > > > "j_security_check". If the login fails due to a wrong
> > >> > > > > > username/password, the user will be redirected to a login error
> > >> > > > > > page configured as "form-error-page" in web.xml. In this case,
> > >> > > > > > the URL looks like
> > >> > > > > > "example.com/webapp/userLoginError.xhtml?j_password=password&j_username=username&dswid=-8159".
> > >> > > > > > The parameters j_username and j_password are added as GET
> > >> > > > > > parameters to the URL containing the values in plaintext.
> > >> > > > > > If I remove DeltaSpike from the project, the URL looks like
> > >> > > > > > "example.com/webapp/userLoginError.xhtml" without the parameters
> > >> > > > > > j_username and j_password.
> > >> > > > > > After logging in successfully, this problem doesn't occur again
> > >> > > > > > if a POST request was made on a secured page.
> > >> > > > > > From my point of view it looks like a bug in DeltaSpike, because
> > >> > > > > > DeltaSpike should only handle the parameter dswid and no other
> > >> > > > > > GET/POST parameters.
> > >> > > > > > Can you confirm or do you have any advice how I can prevent it?
> > >> > > > > > Thank you very much in advance.
> > >> > > > > > Best regards
> > >> > > > > > Marco
> > >> > > > >
> > >> > > > >
> > >> > > >
> > >> > > >
> > >> > > >
> > >> > >
> > >> > >
> > >> > >
> > >> >
> > >>
> > >>
> > >>
> > >
> >
> >
> >
>
>
>
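The thread comes down to two checks for the initial redirect: do not issue it at all unless the request is a GET, and, when it is a GET, rebuild the Location only from what was actually in the query string rather than from externalContext.getRequestParameterValuesMap(), which in a servlet container merges form-body (POST) parameters with query-string parameters. The following is an added, self-contained Java example and not DeltaSpike's code: the class and method names are made up, and the request is modelled as plain method/URL/query-string/parameter-map arguments so it runs without a container (in a JSF application the method and query string would come from ((HttpServletRequest) externalContext.getRequest()).getMethod() and .getQueryString()). It puts the leaking behaviour described above beside a hardened variant.

```java
import java.net.URLDecoder;
import java.net.URLEncoder;
import java.nio.charset.StandardCharsets;
import java.util.ArrayList;
import java.util.LinkedHashMap;
import java.util.List;
import java.util.Map;

/**
 * Added illustration, not DeltaSpike code. The request is modelled with plain
 * arguments (method, request URL, raw query string, merged parameter map) so
 * the example runs without a servlet container. Requires Java 10+ for the
 * Charset overloads of URLEncoder/URLDecoder.
 */
public final class InitialRedirectExample {

    private static final String WINDOW_ID_PARAM = "dswid";

    /**
     * Leaking variant: appends every entry of the merged parameter map. In a
     * servlet container that map contains form-body (POST) parameters as well as
     * query-string parameters, so a failed POST to j_security_check becomes a 302
     * whose Location carries j_username and j_password in plaintext.
     */
    static String leakingRedirect(String requestUrl, Map<String, String[]> mergedParams, String windowId) {
        StringBuilder url = new StringBuilder(requestUrl);
        char sep = '?';
        for (Map.Entry<String, String[]> e : mergedParams.entrySet()) {
            if (WINDOW_ID_PARAM.equals(e.getKey())) continue; // old window id is replaced below
            for (String value : e.getValue()) {
                url.append(sep).append(enc(e.getKey())).append('=').append(enc(value));
                sep = '&';
            }
        }
        url.append(sep).append(WINDOW_ID_PARAM).append('=').append(enc(windowId));
        return url.toString();
    }

    /**
     * Hardened variant. Returns null when no initial redirect should be issued
     * (any non-GET request), otherwise a Location built only from the raw query
     * string, so nothing from a request body can reach the URL, browser history,
     * proxy logs or the Referer of the next request.
     */
    static String hardenedRedirect(String method, String requestUrl, String queryString, String windowId) {
        if (!"GET".equalsIgnoreCase(method)) {
            return null;
        }
        StringBuilder url = new StringBuilder(requestUrl);
        char sep = '?';
        for (Map.Entry<String, List<String>> e : parseQuery(queryString).entrySet()) {
            if (WINDOW_ID_PARAM.equals(e.getKey())) continue; // stale dswid from the query string
            for (String value : e.getValue()) {
                url.append(sep).append(enc(e.getKey())).append('=').append(enc(value));
                sep = '&';
            }
        }
        url.append(sep).append(WINDOW_ID_PARAM).append('=').append(enc(windowId));
        return url.toString();
    }

    /** Parses a raw query string into name -> values, preserving order. */
    static Map<String, List<String>> parseQuery(String queryString) {
        Map<String, List<String>> result = new LinkedHashMap<>();
        if (queryString == null || queryString.isEmpty()) return result;
        for (String pair : queryString.split("&")) {
            if (pair.isEmpty()) continue;
            int eq = pair.indexOf('=');
            String name = dec(eq >= 0 ? pair.substring(0, eq) : pair);
            String value = eq >= 0 ? dec(pair.substring(eq + 1)) : "";
            result.computeIfAbsent(name, k -> new ArrayList<>()).add(value);
        }
        return result;
    }

    private static String enc(String s) { return URLEncoder.encode(s, StandardCharsets.UTF_8); }
    private static String dec(String s) { return URLDecoder.decode(s, StandardCharsets.UTF_8); }

    public static void main(String[] args) {
        // Constructed sample 1: the failed JAAS login from the thread. The merged
        // map stands in for what getRequestParameterValuesMap() hands back after
        // a POST to j_security_check; the query string of that request is empty.
        Map<String, String[]> loginParams = new LinkedHashMap<>();
        loginParams.put("j_username", new String[] {"username"});
        loginParams.put("j_password", new String[] {"password"});
        String errorPage = "http://localhost:8080/myapp/userLoginError.xhtml";
        System.out.println("leaking : " + leakingRedirect(errorPage, loginParams, "3161"));
        System.out.println("hardened: " + hardenedRedirect("POST", errorPage, null, "3161"));

        // Constructed sample 2: the plain GET the initial redirect exists for;
        // the userId must survive, and a stale dswid must be replaced.
        String page = "http://localhost:8080/myapp/index.xhtml";
        System.out.println("hardened: " + hardenedRedirect("GET", page, "userId=1&dswid=-8159", "3161"));
    }
}
```

On the first sample the leaking variant produces a Location that carries both credentials followed by the new dswid, which is the URL shape reported at the top of the thread, while the hardened variant returns null so the container serves the form-error-page directly, as it does without DeltaSpike. On the second sample the hardened variant keeps userId=1 and ends with dswid=3161. Checking the method alone (the "POST".equals(request.getMethod()) idea from the thread) already stops the credential leak; building from the raw query string is the extra guard for the case a parameter name appears in both the body and the query of some other request.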
