> Why doesn't it check GET requests?

It's probably more of an optimization than anything else.

> It allows brute-force attacks using URLs
> like this:
>
> http://www.casserver.com/cas/login?username=MYUSER&password=MYPASSWORD&lt=LT-8-ccvtXiggP3G3NifIJcZDaXec2kNCQq&execution=e3s1&_eventId=submit&submit=Entrar

Interesting.  Thanks for pointing this out.

> Solutions? Change the preHandle method? Change something to only allow POST
> requests to CAS? How?

I would lean toward restricting the /login URI to accept POST
exclusively. I believe the reason both are allowed at present is
because there are use cases for relaying credentials to the CAS login
form via GET to support alternate user interfaces. I personally think
that use case is poorly conceived, but it comes up fairly often. If
you don't need GET, then restricting to POST is the way to go. We might
consider making that configuration the default, with the option to
relax the restriction for folks that need GET support. I would
imagine the overwhelming majority do not.

M

-- 
You are currently subscribed to [email protected] as: 
[email protected]
To unsubscribe, change settings or access archives, see 
http://www.ja-sig.org/wiki/display/JSG/cas-user
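The bypass and the fix discussed in this thread, as an added example that is not CAS code: a throttle whose pre-handle step only inspects POST can be walked around by submitting credentials in a GET query string, while requiring POST for any credential-bearing request and counting failures regardless of method closes the gap. The Request and Throttle classes, the FAILURE_THRESHOLD policy and the sample credential store are constructed here for illustration.

```python
"""Login throttle that ignores GET (the flaw) beside a method-agnostic fix."""
from collections import defaultdict
from dataclasses import dataclass, field

FAILURE_THRESHOLD = 3               # assumed policy: block after 3 failures per (client, user)
CREDENTIAL_PARAMS = {"username", "password"}
VALID_USERS = {"alice": "correct-horse"}   # constructed sample credential store


@dataclass
class Request:                      # constructed stand-in for a servlet request
    method: str
    params: dict
    client_ip: str


@dataclass
class Throttle:
    post_only: bool                 # True models the behaviour the thread complains about
    failures: dict = field(default_factory=lambda: defaultdict(int))

    def _key(self, req):
        return (req.client_ip, req.params.get("username", ""))

    def pre_handle(self, req):
        """Return False to block the request before the login form is processed."""
        if self.post_only and req.method != "POST":
            return True             # the flaw: GET submissions are never checked
        return self.failures[self._key(req)] < FAILURE_THRESHOLD

    def record_failure(self, req):
        self.failures[self._key(req)] += 1


def login(req, throttle, *, require_post):
    """Return an HTTP status: 405 wrong method, 429 throttled, 200 ok, 401 bad credentials."""
    has_credentials = bool(CREDENTIAL_PARAMS & req.params.keys())
    if require_post and has_credentials and req.method != "POST":
        return 405                  # the fix: credentials are only accepted via POST
    if not has_credentials:
        return 200                  # plain GET of the login form, nothing to throttle
    if not throttle.pre_handle(req):
        return 429
    if VALID_USERS.get(req.params["username"]) == req.params.get("password"):
        return 200
    throttle.record_failure(req)
    return 401


def attempts(method, guesses, *, post_only, require_post):
    """Replay a sequence of password guesses for one user and return the status codes seen."""
    throttle = Throttle(post_only=post_only)
    return [login(Request(method, {"username": "alice", "password": g}, "198.51.100.7"),
                  throttle, require_post=require_post) for g in guesses]
```

With `post_only=True` the GET replay never reaches 429, which is the brute-force window the original poster describes; with `require_post=True` every credential-bearing GET is refused outright.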