Marco Bulau created DELTASPIKE-880:
--------------------------------------

             Summary: Restrict initial redirect to GET requests
                 Key: DELTASPIKE-880
                 URL: https://issues.apache.org/jira/browse/DELTASPIKE-880
             Project: DeltaSpike
          Issue Type: Improvement
          Components: JSF-Module
    Affects Versions: 1.3.0, 1.0.2
         Environment: JBoss EAP 6.x, JSF 2.1, JAAS
            Reporter: Marco Bulau


We are using DeltaSpike in a web application that is secured by JAAS.

If a user tries to log in with a wrong username or password, the user will be 
forwarded to a login error page configured in web.xml (form-error-page). The 
URL of the error page contains the POST parameters from the login form (j_username 
and j_password) in plain text:

http://example.com/webapp/userLoginError.xhtml?j_password=mypassword&j_username=myusername&dswid=8159

so the POST parameters are applied to the redirect by DeltaSpike.

Restricting the initial redirect to GET requests could be a solution for it, as 
discussed on the user mailing list.



--
This message was sent by Atlassian JIRA
(v6.3.4#6332)
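The behaviour the report describes, and the proposed restriction, side by side as an added Python example. This is not DeltaSpike's own code and not the reporter's; it models the redirect-building step generically. Assumptions: the redirect builder receives the HTTP method, the target URL, the request parameters and the window id as plain values; the JAAS form-login field names j_username and j_password are the credential fields to keep out of URLs; the sample failed-login request is constructed for this example.

```python
from urllib.parse import urlencode, urlsplit, urlunsplit, parse_qsl

# Constructed sample of what the container forwards to the form-error-page after
# a failed JAAS form login: the POSTed form fields plus DeltaSpike's window id.
# Values are made up for this example.
FAILED_LOGIN_REQUEST = {
    "method": "POST",
    "target": "http://example.com/webapp/userLoginError.xhtml",
    "params": [("j_username", "myusername"), ("j_password", "mypassword")],
    "window_id": "8159",
}

# Form-login field names that must never appear in a URL (assumption: the
# standard JAAS/servlet names; extend with your own credential fields).
SENSITIVE_PARAMS = frozenset({"j_username", "j_password"})


def _with_query(target, query_pairs):
    """Append query_pairs to target, keeping any query string target already has."""
    parts = urlsplit(target)
    new = urlencode(query_pairs)
    if parts.query and new:
        query = f"{parts.query}&{new}"
    else:
        query = parts.query or new
    return urlunsplit((parts.scheme, parts.netloc, parts.path, query, parts.fragment))


def initial_redirect_leaky(method, target, params, window_id):
    """Behaviour the report describes: every request parameter is copied into
    the redirect URL regardless of the HTTP method, so POSTed credentials end up
    in the query string (and hence in browser history, proxy and server access
    logs, and Referer headers sent to third parties)."""
    return _with_query(target, list(params) + [("dswid", window_id)])


def initial_redirect_hardened(method, target, params, window_id):
    """Fix along the lines the report proposes: only GET requests get the
    parameter-preserving initial redirect. For POST (or any other method) the
    function returns None, meaning 'do not redirect, let the request proceed',
    because a request body cannot be carried across a 302 and must not be turned
    into a query string. As defence in depth, credential field names are dropped
    even on GET, in case a badly built form submits them with the wrong method."""
    if method.upper() != "GET":
        return None
    safe = [(k, v) for k, v in params if k not in SENSITIVE_PARAMS]
    return _with_query(target, safe + [("dswid", window_id)])


def credentials_in_url(url):
    """Detection helper: does the URL's query string carry a credential field?
    Useful as an assertion in an integration test, or over access-log URLs."""
    names = {k for k, _ in parse_qsl(urlsplit(url).query, keep_blank_values=True)}
    return bool(names & SENSITIVE_PARAMS)


if __name__ == "__main__":
    r = FAILED_LOGIN_REQUEST
    args = (r["method"], r["target"], r["params"], r["window_id"])
    print("leaky   :", initial_redirect_leaky(*args))
    print("hardened:", initial_redirect_hardened(*args))
```

Running the module prints the leaking URL (the same shape as the one in the report) next to `None` for the hardened path, since a POST gets no initial redirect at all. The method check is the actual fix; the name-based filter only limits the damage if the method check is ever bypassed, so it should not be relied on alone.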
