[
https://issues.apache.org/jira/browse/SLING-5824?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=15366120#comment-15366120
]
Bertrand Delacretaz commented on SLING-5824:
--------------------------------------------
> This to me seems like a great bypass for our CSRF protection
Another good reason not to do this then!
[~christanto] at this point I think making your alias scripts cleaner is a much
better solution, you might for example add a "forwarder" object in the
scripting context via a Sling {{BindingsValuesProvider}}, with fluent methods
like {{forwarder.for(request.response).aliasToGetMethod()}} to make things
clean and explicit.
> Servlet Filter to do POST tunnelling to GET
> -------------------------------------------
>
> Key: SLING-5824
> URL: https://issues.apache.org/jira/browse/SLING-5824
> Project: Sling
> Issue Type: Improvement
> Components: Servlets
> Reporter: Christanto
>
> Sometimes there is a case where the request URL is very long. For example,
> during advanced search where there are many fields.
> To accommodate this, the request is tunneled through POST, such that the
> client does a POST request and then the server converts it to GET, so that the
> other code in the chain only knows about GET.
> So far the custom POST handler needs to be created specifically for this:
> {code}
> slingRequest.getRequestDispatcher(resource).forward(
>     new HttpServletRequestWrapper(request) {
>         @Override
>         public String getMethod() {
>             return "GET";
>         }
>     }, response);
> {code}
> Since this is generic and to avoid creating a custom POST handler every time
> for this, it makes sense to implement this in Sling using Servlet Filter. For
> example, a special parameter can be introduced for this purpose named
> "_method_". So the filter will check for this parameter and wrap the
> request accordingly (also remove the "_method_"). This is similar to the
> "_charset_" parameter for encoding.
--
This message was sent by Atlassian JIRA
(v6.3.4#6332)
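The wrapper from the issue description, as an added example that is not Sling's code and not the reporter's: it keeps the method rewrite inside an explicit POST servlet (so the normal POST-side checks have already run on the real POST), it only ever tunnels to GET, never to any other method, and it strips `_method_` from the parameter map as the issue proposes. The class names and the `_method_` parameter name are assumptions taken from the thread.

```java
import java.io.IOException;
import java.util.Collections;
import java.util.Enumeration;
import java.util.LinkedHashMap;
import java.util.Map;
import javax.servlet.ServletException;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletRequestWrapper;
import org.apache.sling.api.SlingHttpServletRequest;
import org.apache.sling.api.SlingHttpServletResponse;
import org.apache.sling.api.servlets.SlingAllMethodsServlet;

/** Makes a POST look like a GET to the forwarded-to script, minus the tunnelling parameter. */
class GetTunnelRequestWrapper extends HttpServletRequestWrapper {
    static final String METHOD_PARAM = "_method_"; // assumed name, as proposed in the issue
    private final Map<String, String[]> params;

    GetTunnelRequestWrapper(HttpServletRequest request) {
        super(request);
        // Copy the parameters without _method_ so downstream code never sees it.
        Map<String, String[]> copy = new LinkedHashMap<>(request.getParameterMap());
        copy.remove(METHOD_PARAM);
        this.params = Collections.unmodifiableMap(copy);
    }

    /** Only a POST that explicitly asks for GET qualifies; any other target method is refused. */
    static boolean isGetTunnel(HttpServletRequest request) {
        return "POST".equalsIgnoreCase(request.getMethod())
                && "GET".equals(request.getParameter(METHOD_PARAM));
    }

    @Override public String getMethod() { return "GET"; }
    @Override public Map<String, String[]> getParameterMap() { return params; }
    @Override public Enumeration<String> getParameterNames() { return Collections.enumeration(params.keySet()); }
    @Override public String[] getParameterValues(String name) { return params.get(name); }
    @Override public String getParameter(String name) {
        String[] v = params.get(name);
        return (v == null || v.length == 0) ? null : v[0];
    }
}

/** Hypothetical POST servlet: the rewrite happens only here, not in a global filter. */
public class SearchTunnelServlet extends SlingAllMethodsServlet {
    @Override
    protected void doPost(SlingHttpServletRequest request, SlingHttpServletResponse response)
            throws ServletException, IOException {
        if (!GetTunnelRequestWrapper.isGetTunnel(request)) {
            response.sendError(405); // plain POSTs without _method_=GET are not tunnelled
            return;
        }
        request.getRequestDispatcher(request.getResource())
               .forward(new GetTunnelRequestWrapper(request), response);
    }
}
```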