Hi, that's actually how the LAZY mode works. The feature is called "initial redirect". We need to add all get params here because if you open e.g. /index.xhtml?userId=1, we do a redirect to the same url with a new dswid. If we would not collect all get params, the userId will be lost.
Don't know what JAAS exactly does. Can you give me some input? I don't think that we currently skip the initial redirect on a post. I'm also not sure if it's good in all cases to skip it on a post.

Regards,
Thomas

2015-04-23 8:04 GMT+02:00 <[email protected]>:

> Hi Thomas,
>
> I've checked and found out that the parameters will be added in
> "JsfUtils.addRequestParameters(externalContext, url, true);" within the
> method ClientWindowHelper#handleInitialRedirect.
>
> Regards
> Marco
>
> To:
> [email protected]
> Subject:
> Re: POST parameter will be added to URL in some cases
>
> Hi,
>
> please debug ClientWindowHelper#handleInitialRedirect and check if the
> j_password/j_username will be appended there and come back.
>
> Regards,
> Thomas
>
> 2015-04-22 15:44 GMT+02:00 <[email protected]>:
>
> > Hello,
> > we are using DeltaSpike in a web application that is secured by JAAS,
> > running on EAP 6.x. The login form sends a POST request to
> > "j_security_check". If the login fails due to wrong username/password,
> > the user will be redirected to a login error page configured as
> > "form-error-page" in web.xml. In this case, the URL looks like
> > "example.com/webapp/userLoginError.xhtml?j_password=password&j_username=username&dswid=-8159".
> > The parameters j_username and j_password are added as GET parameters to
> > the URL, containing the values in plaintext.
> > If I remove DeltaSpike from the project, the URL looks like
> > "example.com/webapp/userLoginError.xhtml" without the parameters
> > j_username and j_password.
> > After logging in successfully, this problem doesn't occur again if a POST
> > request was made on a secured page.
> > From my point of view it looks like a bug in DeltaSpike, because
> > DeltaSpike should only handle the parameter dswid and no other GET/POST
> > parameters.
> > Can you confirm or do you have any advice on how I can prevent it?
> > Thank you very much in advance.
> > Best regards
> > Marco
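
As an added illustration (not part of the thread and not DeltaSpike's own code), the Java example below builds the redirect target from the raw query string only, so the userId of the GET case is preserved while fields sent in a form body, such as j_username and j_password, have no path into the URL. The class and method names are hypothetical, the raw query string is assumed to be the value of HttpServletRequest#getQueryString, and Java 10 or later is assumed.

```java
import java.net.URLDecoder;
import java.net.URLEncoder;
import java.nio.charset.StandardCharsets;
import java.util.LinkedHashMap;
import java.util.Map;

// Added illustration; names are hypothetical and not DeltaSpike API.
public class InitialRedirectUrl {

    // Parse only the raw query string. Fields from a POST body are never
    // part of it, unlike the merged view of getParameterMap().
    static Map<String, String> queryParams(String rawQuery) {
        Map<String, String> params = new LinkedHashMap<>();
        if (rawQuery == null || rawQuery.isEmpty()) {
            return params;
        }
        for (String pair : rawQuery.split("&")) {
            if (pair.isEmpty()) {
                continue;
            }
            int eq = pair.indexOf('=');
            String name = eq < 0 ? pair : pair.substring(0, eq);
            String value = eq < 0 ? "" : pair.substring(eq + 1);
            params.put(decode(name), decode(value));
        }
        return params;
    }

    // Rebuild the same path with the query-string parameters plus a new dswid.
    static String buildRedirect(String path, String rawQuery, String newWindowId) {
        Map<String, String> params = queryParams(rawQuery);
        params.put("dswid", newWindowId); // replaces any stale window id
        StringBuilder url = new StringBuilder(path);
        char sep = '?';
        for (Map.Entry<String, String> e : params.entrySet()) {
            url.append(sep).append(encode(e.getKey())).append('=').append(encode(e.getValue()));
            sep = '&';
        }
        return url.toString();
    }

    static String decode(String s) { return URLDecoder.decode(s, StandardCharsets.UTF_8); }
    static String encode(String s) { return URLEncoder.encode(s, StandardCharsets.UTF_8); }

    public static void main(String[] args) {
        // Constructed GET case: the userId query parameter is kept.
        System.out.println(buildRedirect("/index.xhtml", "userId=1", "1234"));
        // Constructed failed-login case: credentials were in the POST body,
        // the query string is empty, so only dswid is appended.
        System.out.println(buildRedirect("/webapp/userLoginError.xhtml", null, "1234"));
    }
}
```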
