Hello,
we are using DeltaSpike in a web application that is secured by JAAS,
running on EAP 6.x. The login form sends a POST request to
"j_security_check". If the login fails due to a wrong username/password, the
user will be redirected to a login error page configured as
"form-error-page" in web.xml. In this case, the URL looks like
"example.com/webapp/userLoginError.xhtml?j_password=password&j_username=username&dswid=-8159".
The parameters j_username and j_password are added as GET parameters to the
URL, containing the values in plaintext.
If I remove DeltaSpike from the project, the URL looks like
"example.com/webapp/userLoginError.xhtml" without the parameters
j_username and j_password.
After logging in successfully, this problem doesn't occur again if a POST
request is made on a secured page.
From my point of view it looks like a bug in DeltaSpike, because
DeltaSpike should only handle the parameter dswid and no other GET/POST
parameters.
Can you confirm this, or do you have any advice on how I can prevent it?
Thank you very much in advance.
Best regards
Marco