Hi, I just debugged the method DefaultClientWindow#getOrCreateWindowId. If I start my application and try to login with incorrect data, the if statement "if (this.jsfModuleConfig.isInitialRedirectEnabled() && ! facesContext.isPostback())" is true and ClientWindowHelper#handleInitialRedirect will be called. Within this method, the line JsfUtils#addRequestParameters still adds the "j_username" and "j_password" parameters to URL.
If there is anything else I can try or verify, please let me know. Thank you very much. Regards, Marco Von: Thomas Andraschko <[email protected]> An: [email protected], Datum: 28.04.2015 21:16 Betreff: Re: Re: Re: Re: POST parameter will be added to URL in some cases Hi, i commited a solution. Please give it a try. Regards, THomas 2015-04-23 13:33 GMT+02:00 Thomas Andraschko <[email protected]>: > ahhh, yes. sorry. > > > 2015-04-23 13:29 GMT+02:00 <[email protected]>: > >> Yes, I will crate an issue. I think you mean that the initial redirect >> will be restricted to GET requests, or not? >> >> Regards, >> Marco >> >> >> >> >> Von: >> Thomas Andraschko <[email protected]> >> An: >> [email protected], >> Datum: >> 23.04.2015 13:11 >> Betreff: >> Re: Re: Re: POST parameter will be added to URL in some cases >> >> >> >> Restrict to GET params sounds good. >> Could you please create a issue Marco? >> >> 2015-04-23 12:25 GMT+02:00 Gerhard Petracek <[email protected]>: >> >> > @thomas: >> > we could introduce a parameter-filter and provide a (deactivatable) >> > implementation which is aware of jaas >> > or we just restrict the initial redirect to get-requests as we did it in >> > codi. >> > >> > regards, >> > gerhard >> > >> > >> > >> > 2015-04-23 11:43 GMT+02:00 <[email protected]>: >> > >> > > Hi, >> > > >> > > probably the logic from DeltaSpike is ok, but is there no way to >> differ >> > > POST and GET parameters in JsfUtils#addRequestParameters. >> > > >> > > If I don't use DeltaSpike, the response of the POST request to >> > > "j_security_check" is the content of "userLoginError.xhtml". If I use >> > > DeltaSpike, the response of the POST request is the URL to >> > > "userLoginError.xhtml" already containing the POST parameters, the GET >> > > request after it is correct, of course. >> > > >> > > Regards, >> > > Marco >> > > >> > > >> > > >> > > >> > > Von: >> > > Thomas Andraschko <[email protected]> >> > > An: >> > > [email protected], >> > > Datum: >> > > 23.04.2015 11:30 >> > > Betreff: >> > > Re: Re: POST parameter will be added to URL in some cases >> > > >> > > >> > > >> > > Hi, >> > > >> > > ok, i see. >> > > So the request is also an GET request and logic from DS is actually >> ok. >> > > >> > > @Gerhard >> > > Any idea how we could implement such an exclude feature? >> > > >> > > Regards, >> > > Thomas >> > > >> > > 2015-04-23 11:09 GMT+02:00 <[email protected]>: >> > > >> > > > Hi, >> > > > >> > > > I unterstand the reason why you need to keep the get parameters >> during >> > > the >> > > > redirect, but why the post parameter will be handled in the same >> way? >> > > > >> > > > If I send the login form, a POST request will be send to >> > > > "j_security_check". The HTTP response is a 302 (Moved Temporarily) >> > > > containing the URL " >> > > > >> > > > >> > > >> > > >> > >> >> http://example.com/userLoginError.xhtml?j_password=mypassword&j_username=myuser&dswid >> >> > > >> > > > =76" as location attribute. After that response, the browser send a >> GET >> > > > request to the URL from the location attribute. >> > > > >> > > > It seems that externalContext.getRequestParameterValuesMap() (that >> is >> > > used >> > > > in JsfUtils#addRequestParameters) contains both POST and GET >> > parameters. >> > > > >> > > > Is there any way to disable the redirect for particular pages? >> > > > >> > > > Regards, >> > > > Marco >> > > > >> > > > >> > > > >> > > > Von: >> > > > Thomas Andraschko <[email protected]> >> > > > An: >> > > > [email protected], >> > > > Datum: >> > > > 23.04.2015 09:59 >> > > > Betreff: >> > > > Re: POST parameter will be added to URL in some cases >> > > > >> > > > >> > > > >> > > > Hi, >> > > > >> > > > thats actually how the LAZY mode works. The feature is called >> "initial >> > > > redirect". >> > > > We need to add all get params here because if you open e.g. >> > > > /index.xhtml?userId=1, we do a redirect to the same url with a new >> > > dswid. >> > > > If we would not collect all get params, the userId will be lost. >> > > > >> > > > Don't know what JAAS exactly does. Can you give me some input? I >> don't >> > > > think that we currently skip the initial redirect on a post. I'm >> also >> > > not >> > > > sure if it's good in all cases to skip it on a post. >> > > > >> > > > Regards, >> > > > Thomas >> > > > >> > > > 2015-04-23 8:04 GMT+02:00 <[email protected]>: >> > > > >> > > > > Hi Thomas, >> > > > > >> > > > > I've checked and found out that the parameters will be added in >> > > > > "JsfUtils.addRequestParameters(externalContext, url, true);" >> within >> > > the >> > > > > method ClientWindowHelper#handleInitialRedirect. >> > > > > >> > > > > Regards >> > > > > Marco >> > > > > >> > > > > >> > > > > >> > > > > An: >> > > > > [email protected] >> > > > > Betreff: >> > > > > Re: POST parameter will be added to URL in some cases >> > > > > Hi, >> > > > > >> > > > > please debug ClientWindowHelper#handleInitialRedirect and check if >> > the >> > > > > j_password/j_username will be appended there and come back. >> > > > > >> > > > > Regards, >> > > > > Thomas >> > > > > >> > > > > 2015-04-22 15:44 GMT+02:00 <[email protected]>: >> > > > > >> > > > > > Hello, >> > > > > > we are using DeltaSpike in a web application, that is secured by >> > > JAAS, >> > > > > > running on EAP 6.x. The login form sends a POST request to >> > > > > > "j_security_check". If the login fails due to wrong >> > > username/password, >> > > > > the >> > > > > > user will be redirect to a login error page configured as " >> > > > > > form-error-page" in web.xml. In this case, the URL looks like >> > > > > > " >> > > > > > >> > > > > >> > > > > >> > > > >> > > > >> > > >> > > >> > >> >> example.com/webapp/userLoginError.xhtml?j_password=password&j_username=username&dswid=-8159 >> > > > > > ". >> > > > > > The parameters j_username and j_password are added as GET >> > parameters >> > > > to >> > > > > > URL containing the values in plaintext. >> > > > > > If I remove DeltaSpike from the project, the URL looks like >> > > > > > "example.com/webapp/userLoginError.xhtml" without the >> parameters >> > > > > > j_username and j_password . >> > > > > > After login successfully, this problem doesn't occurs again if a >> > > POST >> > > > > > request was made on a secured page. >> > > > > > From my point of view it looks like a bug in DeltaSpike, because >> > > > > > DeltaSpike should only handle the parameter dswid and no other >> > > > GET/POST >> > > > > > parameters. >> > > > > > Can you confirm or do you have any advice how can I prevent it? >> > > > > > Thank you very much in advance. >> > > > > > Best regards >> > > > > > Marco >> > > > > >> > > > > >> > > > >> > > > >> > > > >> > > >> > > >> > > >> > >> >> >> >
