Hey,
Thanks for your analysis.
I guess the only way out of this is to prevent the use of getParameter() in
the case of an HTTP POST. This may be OK for us, as our secuId is sent using the
query string, thus HTTP GET.
I've seen a place where request.getParameter() is used thus: in
FormAuthenticator.
Hello,
We are using a custom valve that scans the request parameters (POST and GET).
If it finds a parameter called secuId with a valid value, it sets the session
principals (a kind of SSO). While this works most of the time, we have some
cases where calling the HttpServletRequest