From Thomas Andraschko <andraschko.tho...@gmail.com>
Subject Re: Re: Re: Re: Re: POST parameter will be added to URL in some cases
Date Tue, 05 May 2015 19:14:03 GMT
Hi,

I see. Are you sure this is a POST?
I think we could also check "POST".equals(request.getMethod()).

2015-05-05 17:45 GMT+02:00 <bulau@dakosy.de>:

> Hi,
>
> I just debugged the method DefaultClientWindow#getOrCreateWindowId. If I
> start my application and try to login with incorrect data, the if
> statement "if (this.jsfModuleConfig.isInitialRedirectEnabled() && !
> facesContext.isPostback())" is true and
> ClientWindowHelper#handleInitialRedirect will be called. Within this
> method, the line JsfUtils#addRequestParameters still adds the "j_username"
> and "j_password" parameters to URL.
>
> If there is anything else I can try or verify, please let me know.
>
> Thank you very much.
>
> Regards,
> Marco
>
>
>
>
> From:
> Thomas Andraschko <andraschko.thomas@gmail.com>
> To:
> users@deltaspike.apache.org,
> Date:
> 28.04.2015 21:16
> Subject:
> Re: Re: Re: Re: POST parameter will be added to URL in some cases
>
>
>
> Hi,
>
> I committed a solution.
> Please give it a try.
>
> Regards,
> Thomas
>
> 2015-04-23 13:33 GMT+02:00 Thomas Andraschko
> <andraschko.thomas@gmail.com>:
>
> > ahhh, yes. sorry.
> >
> >
> > 2015-04-23 13:29 GMT+02:00 <bulau@dakosy.de>:
> >
> >> Yes, I will create an issue. I think you mean that the initial redirect
> >> will be restricted to GET requests, or not?
> >>
> >> Regards,
> >> Marco
> >>
> >>
> >>
> >>
> >> From:
> >> Thomas Andraschko <andraschko.thomas@gmail.com>
> >> To:
> >> users@deltaspike.apache.org,
> >> Date:
> >> 23.04.2015 13:11
> >> Subject:
> >> Re: Re: Re: POST parameter will be added to URL in some cases
> >>
> >>
> >>
> >> Restrict to GET params sounds good.
> >> Could you please create an issue, Marco?
> >>
> >> 2015-04-23 12:25 GMT+02:00 Gerhard Petracek <gerhard.petracek@gmail.com>:
> >>
> >> > @thomas:
> >> > we could introduce a parameter-filter and provide a (deactivatable)
> >> > implementation which is aware of jaas
> >> > or we just restrict the initial redirect to get-requests as we did it in codi.
> >> >
> >> > regards,
> >> > gerhard
> >> >
> >> >
> >> >
> >> > 2015-04-23 11:43 GMT+02:00 <bulau@dakosy.de>:
> >> >
> >> > > Hi,
> >> > >
> >> > > probably the logic from DeltaSpike is ok, but is there no way to differentiate
> >> > > POST and GET parameters in JsfUtils#addRequestParameters?
> >> > >
> >> > > If I don't use DeltaSpike, the response of the POST request to
> >> > > "j_security_check" is the content of "userLoginError.xhtml". If I use
> >> > > DeltaSpike, the response of the POST request is the URL to
> >> > > "userLoginError.xhtml" already containing the POST parameters; the GET
> >> > > request after it is correct, of course.
> >> > >
> >> > > Regards,
> >> > > Marco
> >> > >
> >> > >
> >> > >
> >> > >
> >> > > From:
> >> > > Thomas Andraschko <andraschko.thomas@gmail.com>
> >> > > To:
> >> > > users@deltaspike.apache.org,
> >> > > Date:
> >> > > 23.04.2015 11:30
> >> > > Subject:
> >> > > Re: Re: POST parameter will be added to URL in some cases
> >> > >
> >> > >
> >> > >
> >> > > Hi,
> >> > >
> >> > > ok, i see.
> >> > > So the request is also a GET request and the logic from DS is actually ok.
> >> > >
> >> > > @Gerhard
> >> > > Any idea how we could implement such an exclude feature?
> >> > >
> >> > > Regards,
> >> > > Thomas
> >> > >
> >> > > 2015-04-23 11:09 GMT+02:00 <bulau@dakosy.de>:
> >> > >
> >> > > > Hi,
> >> > > >
> >> > > > I understand the reason why you need to keep the get parameters during the
> >> > > > redirect, but why are the post parameters handled in the same way?
> >> > > >
> >> > > > If I send the login form, a POST request will be sent to
> >> > > > "j_security_check". The HTTP response is a 302 (Moved Temporarily)
> >> > > > containing the URL
> >> > > > "http://example.com/userLoginError.xhtml?j_password=mypassword&j_username=myuser&dswid=76"
> >> > > > as location attribute. After that response, the browser sends a GET
> >> > > > request to the URL from the location attribute.
> >> > > >
> >> > > > It seems that externalContext.getRequestParameterValuesMap() (that is used
> >> > > > in JsfUtils#addRequestParameters) contains both POST and GET parameters.
> >> > > >
> >> > > > Is there any way to disable the redirect for particular pages?
> >> > > >
> >> > > > Regards,
> >> > > > Marco
> >> > > >
> >> > > >
> >> > > >
> >> > > > From:
> >> > > > Thomas Andraschko <andraschko.thomas@gmail.com>
> >> > > > To:
> >> > > > users@deltaspike.apache.org,
> >> > > > Date:
> >> > > > 23.04.2015 09:59
> >> > > > Subject:
> >> > > > Re: POST parameter will be added to URL in some cases
> >> > > >
> >> > > >
> >> > > >
> >> > > > Hi,
> >> > > >
> >> > > > That's actually how the LAZY mode works. The feature is called "initial
> >> > > > redirect".
> >> > > > We need to add all get params here because if you open e.g.
> >> > > > /index.xhtml?userId=1, we do a redirect to the same url with a new dswid.
> >> > > > If we would not collect all get params, the userId will be lost.
> >> > > >
> >> > > > Don't know what JAAS exactly does. Can you give me some input? I don't
> >> > > > think that we currently skip the initial redirect on a post. I'm also not
> >> > > > sure if it's good in all cases to skip it on a post.
> >> > > >
> >> > > > Regards,
> >> > > > Thomas
> >> > > >
> >> > > > 2015-04-23 8:04 GMT+02:00 <bulau@dakosy.de>:
> >> > > >
> >> > > > > Hi Thomas,
> >> > > > >
> >> > > > > I've checked and found out that the parameters will be added in
> >> > > > > "JsfUtils.addRequestParameters(externalContext, url, true);" within the
> >> > > > > method ClientWindowHelper#handleInitialRedirect.
> >> > > > >
> >> > > > > Regards
> >> > > > > Marco
> >> > > > >
> >> > > > >
> >> > > > >
> >> > > > > To:
> >> > > > > users@deltaspike.apache.org
> >> > > > > Subject:
> >> > > > > Re: POST parameter will be added to URL in some cases
> >> > > > > Hi,
> >> > > > >
> >> > > > > please debug ClientWindowHelper#handleInitialRedirect and check if the
> >> > > > > j_password/j_username will be appended there and come back.
> >> > > > >
> >> > > > > Regards,
> >> > > > > Thomas
> >> > > > >
> >> > > > > 2015-04-22 15:44 GMT+02:00 <bulau@dakosy.de>:
> >> > > > >
> >> > > > > > Hello,
> >> > > > > > we are using DeltaSpike in a web application that is secured by JAAS,
> >> > > > > > running on EAP 6.x. The login form sends a POST request to
> >> > > > > > "j_security_check". If the login fails due to a wrong username/password,
> >> > > > > > the user will be redirected to a login error page configured as
> >> > > > > > "form-error-page" in web.xml. In this case, the URL looks like
> >> > > > > > "example.com/webapp/userLoginError.xhtml?j_password=password&j_username=username&dswid=-8159".
> >> > > > > > The parameters j_username and j_password are added as GET parameters to
> >> > > > > > the URL, containing the values in plaintext.
> >> > > > > > If I remove DeltaSpike from the project, the URL looks like
> >> > > > > > "example.com/webapp/userLoginError.xhtml" without the parameters
> >> > > > > > j_username and j_password.
> >> > > > > > After logging in successfully, this problem doesn't occur again if a POST
> >> > > > > > request was made on a secured page.
> >> > > > > > From my point of view it looks like a bug in DeltaSpike, because
> >> > > > > > DeltaSpike should only handle the parameter dswid and no other GET/POST
> >> > > > > > parameters.
> >> > > > > > Can you confirm, or do you have any advice on how I can prevent it?
> >> > > > > > Thank you very much in advance.
> >> > > > > > Best regards
> >> > > > > > Marco
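The two fixes discussed in this thread, skipping the initial redirect on a POST and copying only query-string parameters into the redirect URL instead of the merged getRequestParameterValuesMap(), as an added Java illustration. This is not DeltaSpike's own code; the class SafeRedirectParams and its method names are hypothetical, and it assumes a servlet-backed ExternalContext.

```java
import java.io.UnsupportedEncodingException;
import java.net.URLDecoder;
import java.util.ArrayList;
import java.util.LinkedHashMap;
import java.util.List;
import java.util.Map;
import javax.faces.context.ExternalContext;
import javax.servlet.http.HttpServletRequest;

/** Hypothetical helper (not DeltaSpike code) for building the initial-redirect URL safely. */
public final class SafeRedirectParams {
    private SafeRedirectParams() {}

    /** True for a POST such as the form submit to j_security_check; skip the initial redirect then. */
    public static boolean isPost(ExternalContext externalContext) {
        Object request = externalContext.getRequest();
        return request instanceof HttpServletRequest
                && "POST".equals(((HttpServletRequest) request).getMethod());
    }

    /**
     * Parses only the raw query string. getRequestParameterValuesMap() merges form-body fields
     * (j_username, j_password) with URL parameters; this keeps body fields out but still keeps ?userId=1.
     */
    public static Map<String, List<String>> queryStringParameters(ExternalContext externalContext) {
        Map<String, List<String>> result = new LinkedHashMap<>();
        Object request = externalContext.getRequest();
        String query = request instanceof HttpServletRequest
                ? ((HttpServletRequest) request).getQueryString() : null;
        if (query == null || query.isEmpty()) {
            return result;
        }
        for (String pair : query.split("&")) {
            if (pair.isEmpty()) continue;
            int eq = pair.indexOf('=');
            String name = decode(eq < 0 ? pair : pair.substring(0, eq));
            String value = eq < 0 ? "" : decode(pair.substring(eq + 1));
            result.computeIfAbsent(name, k -> new ArrayList<>()).add(value);
        }
        return result;
    }

    private static String decode(String s) {
        try {
            return URLDecoder.decode(s, "UTF-8");
        } catch (UnsupportedEncodingException e) {
            throw new IllegalStateException(e); // UTF-8 is mandatory in every JVM
        }
    }
}
```

Credentials that reach a URL this way also land in server access logs, browser history and Referer headers, so the query-string-only map is the part worth keeping even where the POST check alone would already fix the reported case.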
