Hi,

probably the logic from DeltaSpike is ok, but is there no way to differentiate between POST and GET parameters in JsfUtils#addRequestParameters?

If I don't use DeltaSpike, the response of the POST request to "j_security_check" is the content of "userLoginError.xhtml". If I use DeltaSpike, the response of the POST request is the URL to "userLoginError.xhtml" already containing the POST parameters; the GET request after it is correct, of course.

Regards,
Marco

From: Thomas Andraschko <[email protected]>
To: [email protected]
Date: 23.04.2015 11:30
Subject: Re: Re: POST parameter will be added to URL in some cases

Hi,

ok, I see. So the request is also a GET request and the logic from DS is actually ok.

@Gerhard Any idea how we could implement such an exclude feature?

Regards,
Thomas

2015-04-23 11:09 GMT+02:00 <[email protected]>:

> Hi,
>
> I understand the reason why you need to keep the GET parameters during the redirect, but why will the POST parameters be handled in the same way?
>
> If I send the login form, a POST request will be sent to "j_security_check". The HTTP response is a 302 (Moved Temporarily) containing the URL "http://example.com/userLoginError.xhtml?j_password=mypassword&j_username=myuser&dswid=76" as location attribute. After that response, the browser sends a GET request to the URL from the location attribute.
>
> It seems that externalContext.getRequestParameterValuesMap() (that is used in JsfUtils#addRequestParameters) contains both POST and GET parameters.
>
> Is there any way to disable the redirect for particular pages?
>
> Regards,
> Marco
>
> From: Thomas Andraschko <[email protected]>
> To: [email protected]
> Date: 23.04.2015 09:59
> Subject: Re: POST parameter will be added to URL in some cases
>
> Hi,
>
> that's actually how the LAZY mode works. The feature is called "initial redirect".
> We need to add all GET params here because if you open e.g. /index.xhtml?userId=1, we do a redirect to the same URL with a new dswid.
> If we would not collect all GET params, the userId will be lost.
>
> Don't know what JAAS exactly does. Can you give me some input? I don't think that we currently skip the initial redirect on a POST. I'm also not sure if it's good in all cases to skip it on a POST.
>
> Regards,
> Thomas
>
> 2015-04-23 8:04 GMT+02:00 <[email protected]>:
>
> > Hi Thomas,
> >
> > I've checked and found out that the parameters will be added in "JsfUtils.addRequestParameters(externalContext, url, true);" within the method ClientWindowHelper#handleInitialRedirect.
> >
> > Regards
> > Marco
> >
> > To: [email protected]
> > Subject: Re: POST parameter will be added to URL in some cases
> >
> > Hi,
> >
> > please debug ClientWindowHelper#handleInitialRedirect and check if the j_password/j_username will be appended there and come back.
> >
> > Regards,
> > Thomas
> >
> > 2015-04-22 15:44 GMT+02:00 <[email protected]>:
> >
> > > Hello,
> > > we are using DeltaSpike in a web application that is secured by JAAS, running on EAP 6.x. The login form sends a POST request to "j_security_check". If the login fails due to wrong username/password, the user will be redirected to a login error page configured as "form-error-page" in web.xml. In this case, the URL looks like "example.com/webapp/userLoginError.xhtml?j_password=password&j_username=username&dswid=-8159".
> > > The parameters j_username and j_password are added as GET parameters to the URL, containing the values in plaintext.
> > > If I remove DeltaSpike from the project, the URL looks like "example.com/webapp/userLoginError.xhtml" without the parameters j_username and j_password.
> > > After logging in successfully, this problem doesn't occur again if a POST request was made on a secured page.
> > > From my point of view it looks like a bug in DeltaSpike, because DeltaSpike should only handle the parameter dswid and no other GET/POST parameters.
> > > Can you confirm, or do you have any advice on how I can prevent it?
> > > Thank you very much in advance.
> > > Best regards
> > > Marco
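
The GET/POST distinction asked about in this thread, as an added example (not part of the thread and not DeltaSpike's code): the first method rebuilds the redirect URL from a merged parameter map like the one `externalContext.getRequestParameterValuesMap()` returns, the second copies only the raw query string, for which a servlet's `HttpServletRequest.getQueryString()` is assumed as the source. The class, the method names and the sample values are constructed for illustration.

```java
import java.net.URLDecoder;
import java.net.URLEncoder;
import java.nio.charset.StandardCharsets;
import java.util.LinkedHashMap;
import java.util.Map;
import java.util.StringJoiner;
// Added illustration, not DeltaSpike code; class and method names are hypothetical.
public class RedirectParamsDemo {
    // Behaviour described in the thread: every entry of the merged parameter
    // map (query string + form body) ends up in the redirect URL.
    static String fromMergedMap(String path, Map<String, String[]> merged, String dswid) {
        StringJoiner q = new StringJoiner("&");
        merged.forEach((name, values) -> {
            for (String v : values) q.add(enc(name) + "=" + enc(v));
        });
        q.add("dswid=" + enc(dswid));
        return path + "?" + q;
    }

    // Alternative: copy only what was in the original query string, so
    // form-body fields such as j_password never reach the Location header.
    static String fromQueryStringOnly(String path, String rawQuery, String dswid) {
        StringJoiner q = new StringJoiner("&");
        if (rawQuery != null && !rawQuery.isEmpty()) {
            for (String pair : rawQuery.split("&")) {
                if (pair.isEmpty()) continue;
                int eq = pair.indexOf('=');
                String name = dec(eq < 0 ? pair : pair.substring(0, eq));
                String value = eq < 0 ? "" : dec(pair.substring(eq + 1));
                if (!name.equals("dswid")) q.add(enc(name) + "=" + enc(value)); // old window id is replaced
            }
        }
        q.add("dswid=" + enc(dswid));
        return path + "?" + q;
    }

    static String enc(String s) { return URLEncoder.encode(s, StandardCharsets.UTF_8); }
    static String dec(String s) { return URLDecoder.decode(s, StandardCharsets.UTF_8); }
    public static void main(String[] args) {
        // Constructed sample: failed login POST, credentials in the body, no query string.
        Map<String, String[]> merged = new LinkedHashMap<>();
        merged.put("j_password", new String[] {"mypassword"});
        merged.put("j_username", new String[] {"myuser"});
        System.out.println(fromMergedMap("/userLoginError.xhtml", merged, "76"));
        System.out.println(fromQueryStringOnly("/userLoginError.xhtml", null, "76"));
        // Constructed sample: GET /index.xhtml?userId=1 keeps userId across the redirect.
        System.out.println(fromQueryStringOnly("/index.xhtml", "userId=1", "77"));
    }
}
```

Taking values from the raw query string rather than filtering the merged map by name also covers the case where a form field and a query parameter share a name.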
