Hi,

I understand the reason why you need to keep the GET parameters during the redirect, but why are the POST parameters handled in the same way?

If I send the login form, a POST request will be sent to "j_security_check". The HTTP response is a 302 (Moved Temporarily) containing the URL "http://example.com/userLoginError.xhtml?j_password=mypassword&j_username=myuser&dswid=76" as the Location header. After that response, the browser sends a GET request to the URL from the Location header. It seems that externalContext.getRequestParameterValuesMap() (which is used in JsfUtils#addRequestParameters) contains both POST and GET parameters.

Is there any way to disable the redirect for particular pages?

Regards,
Marco

From: Thomas Andraschko <[email protected]>
To: [email protected]
Date: 23.04.2015 09:59
Subject: Re: POST parameter will be added to URL in some cases

Hi,

that's actually how the LAZY mode works. The feature is called "initial redirect". We need to add all GET params here because if you open e.g. /index.xhtml?userId=1, we do a redirect to the same URL with a new dswid. If we did not collect all GET params, the userId would be lost.

Don't know what JAAS exactly does. Can you give me some input?

I don't think that we currently skip the initial redirect on a POST. I'm also not sure if it's good in all cases to skip it on a POST.

Regards,
Thomas

2015-04-23 8:04 GMT+02:00 <[email protected]>:
> Hi Thomas,
>
> I've checked and found out that the parameters will be added in
> "JsfUtils.addRequestParameters(externalContext, url, true);" within the
> method ClientWindowHelper#handleInitialRedirect.
>
> Regards
> Marco
>
> To: [email protected]
> Subject: Re: POST parameter will be added to URL in some cases
>
> Hi,
>
> please debug ClientWindowHelper#handleInitialRedirect and check if the
> j_password/j_username will be appended there and come back.
>
> Regards,
> Thomas
>
> 2015-04-22 15:44 GMT+02:00 <[email protected]>:
> > Hello,
> >
> > we are using DeltaSpike in a web application that is secured by JAAS,
> > running on EAP 6.x. The login form sends a POST request to
> > "j_security_check".
> > If the login fails due to a wrong username/password, the user will be
> > redirected to a login error page configured as "form-error-page" in
> > web.xml. In this case, the URL looks like
> > "example.com/webapp/userLoginError.xhtml?j_password=password&j_username=username&dswid=-8159".
> > The parameters j_username and j_password are added as GET parameters to the
> > URL, containing the values in plaintext.
> > If I remove DeltaSpike from the project, the URL looks like
> > "example.com/webapp/userLoginError.xhtml" without the parameters
> > j_username and j_password.
> > After logging in successfully, this problem doesn't occur again if a POST
> > request is made on a secured page.
> > From my point of view it looks like a bug in DeltaSpike, because
> > DeltaSpike should only handle the parameter dswid and no other GET/POST
> > parameters.
> > Can you confirm, or do you have any advice on how I can prevent it?
> > Thank you very much in advance.
> >
> > Best regards
> > Marco
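The mechanism the thread describes, written out as an added example that is not part of the thread and not DeltaSpike's own code (DeltaSpike is Java; this is a Python simulation with invented function and parameter names). It builds the "initial redirect" Location two ways: from a merged GET+POST parameter view, which is what the thread observed with getRequestParameterValuesMap() and which carries the j_username/j_password form fields into the URL, and from the query string alone, which still preserves a real GET parameter such as userId=1. A small checker then reports which sensitive names ended up in a URL, the kind of assertion a test suite or a log review can run on outgoing redirects. The login form values and the example.com paths are constructed sample input.

```python
"""Simulation of a LAZY-mode 'initial redirect' as described in the thread.
Added example, not DeltaSpike code: build_initial_redirect, leaked_params and
query_params_of are invented names for illustration."""
from urllib.parse import parse_qs, urlencode, urlsplit, urlunsplit

# Constructed watch-list: parameter names that must never appear in a URL.
# j_username / j_password are the JAAS form-login field names from the thread.
SENSITIVE_PARAMS = frozenset({"j_username", "j_password"})


def build_initial_redirect(path, query_params, form_params, dswid, *, copy_form_params):
    """Return the Location header value for the initial redirect.

    query_params: parameters from the request's query string (GET).
    form_params:  parameters from a POST body (e.g. the j_security_check form).
    copy_form_params=True mimics what the thread observed: a merged view of
    POST body and query string parameters is appended to the URL, so the
    credentials end up in the query string.  False keeps only the query string
    parameters, which is all that is needed to preserve something like userId=1.
    """
    params = {}
    if copy_form_params:
        params.update(form_params)  # this is the step that leaks POST fields
    params.update(query_params)     # GET params are legitimately carried over
    params["dswid"] = str(dswid)    # the window id the redirect exists to add
    return urlunsplit(("http", "example.com", path, urlencode(params), ""))


def leaked_params(location):
    """Return the sensitive parameter names present in a redirect URL, sorted."""
    present = set(parse_qs(urlsplit(location).query))
    return sorted(SENSITIVE_PARAMS & present)


def query_params_of(location):
    """Decode a URL's query string into {name: value} (single-valued names only)."""
    return {k: v[0] for k, v in parse_qs(urlsplit(location).query).items()}


if __name__ == "__main__":
    # Constructed login attempt: empty query string, credentials in the POST body.
    login_form = {"j_username": "myuser", "j_password": "mypassword"}
    merged = build_initial_redirect("/webapp/userLoginError.xhtml", {}, login_form, 76,
                                    copy_form_params=True)
    query_only = build_initial_redirect("/webapp/userLoginError.xhtml", {}, login_form, 76,
                                        copy_form_params=False)
    print("merged view:", merged, "-> leaks", leaked_params(merged))
    print("query only :", query_only, "-> leaks", leaked_params(query_only))
    # The query-only variant still keeps genuine GET parameters across the redirect.
    page = build_initial_redirect("/index.xhtml", {"userId": "1"}, {}, 77,
                                  copy_form_params=False)
    print("GET kept   :", page, "->", query_params_of(page))
```

Running the script prints the two Location values side by side: the merged variant carries j_password and j_username in the query string, the query-only variant carries just dswid, and the /index.xhtml case shows that restricting the copy to the query string does not lose userId. The same leaked_params check can be pointed at access-log entries or at the Location headers a test client receives, since a 302 to a URL containing credentials also lands those values in server logs, browser history and Referer headers.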
