DeltaSpike: DELTASPIKE-880

Restrict initial redirect to GET requests


Details

    • Type: Improvement
    • Status: Closed
    • Priority: Major
    • Resolution: Fixed
    • Affects Version/s: 1.0.2, 1.3.0
    • Fix Version/s: 1.4.0
    • Component/s: JSF-Module
    • Labels: None
    • Environment: JBoss EAP 6.x, JSF 2.1, JAAS

    Description

      We are using DeltaSpike in a web application that is secured by JAAS.

      If a user tries to log in with a wrong username or password, the user is forwarded to a login error page configured in web.xml (form-error-page). The URL of the error page contains the POST parameters from the login form (j_username and j_password) in plain text:

      http://example.com/webapp/userLoginError.xhtml?j_password=mypassword&j_username=myusername&dswid=8159

      so the POST parameters are applied to the redirect by DeltaSpike.

      Restricting the initial redirect to GET requests could be a solution for it, as discussed on the user mailing list.
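      The following servlet filter is an added illustration of the distinction the issue asks for; it is not DeltaSpike's own code and not the fix that was committed for this issue. It models a client-window mechanism that appends a window id parameter (dswid) via an initial redirect and carries the request parameters over, and shows why that redirect must be limited to GET: for a POST (such as the JAAS form login sending j_username and j_password), the body parameters show up in getParameterMap() and would otherwise be copied into the redirect URL, which is exactly the leaked URL shown above. The class and method names (WindowIdRedirectFilter, needsInitialRedirect, buildRedirectUrl) are assumptions, and the code assumes a Servlet 3.0 (javax.servlet) container such as JBoss EAP 6.

```java
import java.io.IOException;
import java.io.UnsupportedEncodingException;
import java.net.URLEncoder;
import java.security.SecureRandom;
import java.util.Map;
import javax.servlet.Filter;
import javax.servlet.FilterChain;
import javax.servlet.FilterConfig;
import javax.servlet.ServletException;
import javax.servlet.ServletRequest;
import javax.servlet.ServletResponse;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;

/**
 * Illustrative filter (not DeltaSpike's code) that adds a window id to the
 * URL through an initial redirect. The redirect is only issued for GET
 * requests; any other method is passed through untouched, so parameters
 * from a POST body can never end up in a Location header.
 */
public class WindowIdRedirectFilter implements Filter {

    static final String WINDOW_ID_PARAM = "dswid";
    private static final SecureRandom RANDOM = new SecureRandom();

    @Override
    public void init(FilterConfig filterConfig) { }

    @Override
    public void doFilter(ServletRequest req, ServletResponse res, FilterChain chain)
            throws IOException, ServletException {
        HttpServletRequest request = (HttpServletRequest) req;
        HttpServletResponse response = (HttpServletResponse) res;

        if (needsInitialRedirect(request)) {
            response.sendRedirect(buildRedirectUrl(request, newWindowId()));
            return;
        }
        chain.doFilter(req, res);
    }

    /**
     * Behaviour described in the issue: the method is not checked, so a POST
     * without a window id is redirected too, and buildRedirectUrl() copies
     * its body parameters (e.g. j_username, j_password) into the query string.
     */
    static boolean needsInitialRedirectUnrestricted(HttpServletRequest request) {
        return request.getParameter(WINDOW_ID_PARAM) == null;
    }

    /** Hardened check: only GET requests that lack a window id are redirected. */
    static boolean needsInitialRedirect(HttpServletRequest request) {
        return "GET".equals(request.getMethod())
                && request.getParameter(WINDOW_ID_PARAM) == null;
    }

    /**
     * Rebuild the request URL and carry the parameters over. Because the
     * hardened check only lets GET requests reach this point, getParameterMap()
     * holds nothing beyond what was already visible in the query string.
     */
    static String buildRedirectUrl(HttpServletRequest request, String windowId) {
        StringBuilder url = new StringBuilder(request.getRequestURL());
        char sep = '?';
        for (Map.Entry<String, String[]> e : request.getParameterMap().entrySet()) {
            for (String value : e.getValue()) {
                url.append(sep).append(encode(e.getKey())).append('=').append(encode(value));
                sep = '&';
            }
        }
        url.append(sep).append(WINDOW_ID_PARAM).append('=').append(windowId);
        return url.toString();
    }

    private static String encode(String s) {
        try {
            return URLEncoder.encode(s, "UTF-8");
        } catch (UnsupportedEncodingException ex) {
            throw new IllegalStateException(ex); // UTF-8 is always available
        }
    }

    /** Constructed window id; DeltaSpike's own id format is not assumed here. */
    private static String newWindowId() {
        return Integer.toString(RANDOM.nextInt(10000));
    }

    @Override
    public void destroy() { }
}
```

      With the unrestricted check, a POST of the login form that is forwarded to the error page would be answered with a redirect whose query string contains j_username and j_password; with the GET-only check the POST is simply passed down the filter chain and the credentials stay in the request body.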

      People

        Assignee: Thomas Andraschko (tandraschko)
        Reporter: Marco Bulau (marco-dak)
        Votes: 0
        Watchers: 1