Hi Thomas,

I've checked and found out that the parameters will be added in "JsfUtils.addRequestParameters(externalContext, url, true);" within the method ClientWindowHelper#handleInitialRedirect.

Regards
Marco

To: [email protected]
Subject: Re: POST parameter will be added to URL in some cases

Hi,

please debug ClientWindowHelper#handleInitialRedirect and check if the j_password/j_username will be appended there and come back.

Regards,
Thomas

2015-04-22 15:44 GMT+02:00 <[email protected]>:

> Hello,
> we are using DeltaSpike in a web application that is secured by JAAS,
> running on EAP 6.x. The login form sends a POST request to
> "j_security_check". If the login fails due to wrong username/password, the
> user will be redirected to a login error page configured as
> "form-error-page" in web.xml. In this case, the URL looks like
> "example.com/webapp/userLoginError.xhtml?j_password=password&j_username=username&dswid=-8159".
> The parameters j_username and j_password are added as GET parameters to the
> URL, containing the values in plaintext.
> If I remove DeltaSpike from the project, the URL looks like
> "example.com/webapp/userLoginError.xhtml" without the parameters
> j_username and j_password.
> After login successfully, this problem doesn't occur again if a POST
> request was made on a secured page.
> From my point of view it looks like a bug in DeltaSpike, because
> DeltaSpike should only handle the parameter dswid and no other GET/POST
> parameters.
> Can you confirm or do you have any advice how I can prevent it?
> Thank you very much in advance.
> Best regards
> Marco
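
The redirect behaviour discussed in this thread, as an added example in plain Java (not DeltaSpike's code and not part of the original messages): for a form POST, the Servlet API's request parameter map contains the body fields as well as the query string, so copying every request parameter onto a redirect URL puts j_username and j_password into it, while an allow-list keeps only dswid. The class, the helper appendParameters and the allow-list are hypothetical, the sample values are the ones quoted in the thread, and Java 10 or later is assumed.

```java
import java.net.URLEncoder;
import java.nio.charset.StandardCharsets;
import java.util.LinkedHashMap;
import java.util.Map;
import java.util.Set;

public class RedirectParameterDemo {

    // Hypothetical helper: appends parameters to a redirect URL.
    // allowed == null copies every parameter (the behaviour reported in the thread);
    // otherwise only the listed names are carried over.
    static String appendParameters(String url, Map<String, String[]> params, Set<String> allowed) {
        StringBuilder result = new StringBuilder(url);
        char separator = url.contains("?") ? '&' : '?';
        for (Map.Entry<String, String[]> entry : params.entrySet()) {
            if (allowed != null && !allowed.contains(entry.getKey())) {
                continue; // form fields such as j_password never reach the URL
            }
            for (String value : entry.getValue()) {
                result.append(separator)
                      .append(URLEncoder.encode(entry.getKey(), StandardCharsets.UTF_8))
                      .append('=')
                      .append(URLEncoder.encode(value, StandardCharsets.UTF_8));
                separator = '&';
            }
        }
        return result.toString();
    }

    public static void main(String[] args) {
        // Constructed sample: the merged parameter map of the failed login POST,
        // using the values quoted in the thread.
        Map<String, String[]> params = new LinkedHashMap<>();
        params.put("j_password", new String[] {"password"});
        params.put("j_username", new String[] {"username"});
        params.put("dswid", new String[] {"-8159"});

        String target = "/webapp/userLoginError.xhtml";
        System.out.println("copy all:   " + appendParameters(target, params, null));
        System.out.println("allow-list: " + appendParameters(target, params, Set.of("dswid")));
    }
}
```

Credentials that reach a URL this way are also written to access logs, browser history and Referer headers, so those are the places to check after such a redirect has been in production.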
