[
https://issues.apache.org/jira/browse/DELTASPIKE-880?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel
]
Gerhard Petracek updated DELTASPIKE-880:
----------------------------------------
Assignee: Thomas Andraschko
> Restrict initial redirect to GET requests
> -----------------------------------------
>
> Key: DELTASPIKE-880
> URL: https://issues.apache.org/jira/browse/DELTASPIKE-880
> Project: DeltaSpike
> Issue Type: Improvement
> Components: JSF-Module
> Affects Versions: 1.0.2, 1.3.0
> Environment: JBoss EAP 6.x, JSF 2.1, JAAS
> Reporter: Marco Bulau
> Assignee: Thomas Andraschko
>
> We are using DeltaSpike in a web application that is secured by JAAS.
> If a user tries to login with wrong username or password, the user will be
> forwarded to a login error page configured in web.xml (form-error-page). The
> URL of the error page contains the POST parameters from login form
> (j_username and j_password) in plain text:
> http://example.com/webapp/userLoginError.xhtml?j_password=mypassword&j_username=myusername&dswid=8159
> so the POST parameters are applied to the redirect by DeltaSpike.
> Restrict the initial redirect to GET requests could be a solution for it,
> discussed on user mailing list.
--
This message was sent by Atlassian JIRA
(v6.3.4#6332)
