Hi, yes, it works very well.

With this check, the POST parameters won't be added to the URL anymore. And the "POST http://localhost:8080/myapp/j_security_check" contains the content of userLoginError.xhtml instead of the state "302 Moved Temporarily" with the location "http://localhost:8080/myapp/userLoginError.xhtml?j_password=password&j_username=username&dswid=3161".

From my point of view the issue is fixed. Thank you very much for your quick assistance.

From: Thomas Andraschko <[email protected]>
To: [email protected]
Date: 06.05.2015 20:17
Subject: Re: Re: Re: Re: Re: Re: POST parameter will be added to URL in some cases

Hi,

I added a better check. Please give it a try again.

2015-05-06 7:53 GMT+02:00 <[email protected]>:

> Hi,
>
> it seems that this is a post request. The login form is defined as
> "<form action="j_security_check" id="loginForm" method="post">..."
> and if I try to login with incorrect data, in Firebug (tab network) I can see a "POST http://localhost:8080/myapp/j_security_check" with a state "302 Moved Temporarily" containing the location "http://localhost:8080/myapp/userLoginError.xhtml?j_password=password&j_username=username&dswid=3161".
>
> If I debug the method ClientWindowHelper#handleInitialRedirect, the value of request.getMethod() is POST when ClientWindowHelper#handleInitialRedirect is called.
>
> From: Thomas Andraschko <[email protected]>
> To: [email protected]
> Date: 05.05.2015 21:16
> Subject: Re: Re: Re: Re: Re: POST parameter will be added to URL in some cases
>
> Hi,
>
> I see. Are you sure this is a post?
> I think we could also check "POST".equals(request.getMethod());.
>
> 2015-05-05 17:45 GMT+02:00 <[email protected]>:
>
> > Hi,
> >
> > I just debugged the method DefaultClientWindow#getOrCreateWindowId. If I start my application and try to login with incorrect data, the if statement "if (this.jsfModuleConfig.isInitialRedirectEnabled() && !facesContext.isPostback())" is true and ClientWindowHelper#handleInitialRedirect will be called. Within this method, the line JsfUtils#addRequestParameters still adds the "j_username" and "j_password" parameters to the URL.
> >
> > If there is anything else I can try or verify, please let me know.
> >
> > Thank you very much.
> >
> > Regards,
> > Marco
> >
> > From: Thomas Andraschko <[email protected]>
> > To: [email protected]
> > Date: 28.04.2015 21:16
> > Subject: Re: Re: Re: Re: POST parameter will be added to URL in some cases
> >
> > Hi,
> >
> > I committed a solution.
> > Please give it a try.
> >
> > Regards,
> > Thomas
> >
> > 2015-04-23 13:33 GMT+02:00 Thomas Andraschko <[email protected]>:
> >
> > > ahhh, yes. sorry.
> > >
> > > 2015-04-23 13:29 GMT+02:00 <[email protected]>:
> > >
> > > > Yes, I will create an issue. I think you mean that the initial redirect will be restricted to GET requests, or not?
> > > >
> > > > Regards,
> > > > Marco
> > > >
> > > > From: Thomas Andraschko <[email protected]>
> > > > To: [email protected]
> > > > Date: 23.04.2015 13:11
> > > > Subject: Re: Re: Re: POST parameter will be added to URL in some cases
> > > >
> > > > Restrict to GET params sounds good.
> > > > Could you please create an issue, Marco?
> > > >
> > > > 2015-04-23 12:25 GMT+02:00 Gerhard Petracek <[email protected]>:
> > > >
> > > > > @thomas:
> > > > > we could introduce a parameter-filter and provide a (deactivatable) implementation which is aware of jaas
> > > > > or we just restrict the initial redirect to get-requests as we did it in codi.
> > > > >
> > > > > regards,
> > > > > gerhard
> > > > >
> > > > > 2015-04-23 11:43 GMT+02:00 <[email protected]>:
> > > > >
> > > > > > Hi,
> > > > > >
> > > > > > probably the logic from DeltaSpike is ok, but is there no way to differ between POST and GET parameters in JsfUtils#addRequestParameters?
> > > > > >
> > > > > > If I don't use DeltaSpike, the response of the POST request to "j_security_check" is the content of "userLoginError.xhtml". If I use DeltaSpike, the response of the POST request is the URL to "userLoginError.xhtml" already containing the POST parameters; the GET request after it is correct, of course.
> > > > > >
> > > > > > Regards,
> > > > > > Marco
> > > > > >
> > > > > > From: Thomas Andraschko <[email protected]>
> > > > > > To: [email protected]
> > > > > > Date: 23.04.2015 11:30
> > > > > > Subject: Re: Re: POST parameter will be added to URL in some cases
> > > > > >
> > > > > > Hi,
> > > > > >
> > > > > > ok, I see.
> > > > > > So the request is also a GET request and the logic from DS is actually ok.
> > > > > >
> > > > > > @Gerhard
> > > > > > Any idea how we could implement such an exclude feature?
> > > > > >
> > > > > > Regards,
> > > > > > Thomas
> > > > > >
> > > > > > 2015-04-23 11:09 GMT+02:00 <[email protected]>:
> > > > > >
> > > > > > > Hi,
> > > > > > >
> > > > > > > I understand the reason why you need to keep the GET parameters during the redirect, but why will the POST parameters be handled in the same way?
> > > > > > >
> > > > > > > If I send the login form, a POST request will be sent to "j_security_check". The HTTP response is a 302 (Moved Temporarily) containing the URL "http://example.com/userLoginError.xhtml?j_password=mypassword&j_username=myuser&dswid=76" as location attribute. After that response, the browser sends a GET request to the URL from the location attribute.
> > > > > > >
> > > > > > > It seems that externalContext.getRequestParameterValuesMap() (that is used in JsfUtils#addRequestParameters) contains both POST and GET parameters.
> > > > > > >
> > > > > > > Is there any way to disable the redirect for particular pages?
> > > > > > >
> > > > > > > Regards,
> > > > > > > Marco
> > > > > > >
> > > > > > > From: Thomas Andraschko <[email protected]>
> > > > > > > To: [email protected]
> > > > > > > Date: 23.04.2015 09:59
> > > > > > > Subject: Re: POST parameter will be added to URL in some cases
> > > > > > >
> > > > > > > Hi,
> > > > > > >
> > > > > > > that's actually how the LAZY mode works. The feature is called "initial redirect".
> > > > > > > We need to add all GET params here because if you open e.g. /index.xhtml?userId=1, we do a redirect to the same URL with a new dswid. If we would not collect all GET params, the userId will be lost.
> > > > > > >
> > > > > > > Don't know what JAAS exactly does. Can you give me some input? I don't think that we currently skip the initial redirect on a post. I'm also not sure if it's good in all cases to skip it on a post.
> > > > > > >
> > > > > > > Regards,
> > > > > > > Thomas
> > > > > > >
> > > > > > > 2015-04-23 8:04 GMT+02:00 <[email protected]>:
> > > > > > >
> > > > > > > > Hi Thomas,
> > > > > > > >
> > > > > > > > I've checked and found out that the parameters will be added in "JsfUtils.addRequestParameters(externalContext, url, true);" within the method ClientWindowHelper#handleInitialRedirect.
> > > > > > > >
> > > > > > > > Regards
> > > > > > > > Marco
> > > > > > > >
> > > > > > > > To: [email protected]
> > > > > > > > Subject: Re: POST parameter will be added to URL in some cases
> > > > > > > >
> > > > > > > > Hi,
> > > > > > > >
> > > > > > > > please debug ClientWindowHelper#handleInitialRedirect and check if the j_password/j_username will be appended there, and come back.
> > > > > > > >
> > > > > > > > Regards,
> > > > > > > > Thomas
> > > > > > > >
> > > > > > > > 2015-04-22 15:44 GMT+02:00 <[email protected]>:
> > > > > > > >
> > > > > > > > > Hello,
> > > > > > > > > we are using DeltaSpike in a web application that is secured by JAAS, running on EAP 6.x. The login form sends a POST request to "j_security_check". If the login fails due to wrong username/password, the user will be redirected to a login error page configured as "form-error-page" in web.xml. In this case, the URL looks like "example.com/webapp/userLoginError.xhtml?j_password=password&j_username=username&dswid=-8159".
> > > > > > > > > The parameters j_username and j_password are added as GET parameters to the URL containing the values in plaintext.
> > > > > > > > > If I remove DeltaSpike from the project, the URL looks like "example.com/webapp/userLoginError.xhtml" without the parameters j_username and j_password.
> > > > > > > > > After logging in successfully, this problem doesn't occur again if a POST request was made on a secured page.
> > > > > > > > > From my point of view it looks like a bug in DeltaSpike, because DeltaSpike should only handle the parameter dswid and no other GET/POST parameters.
> > > > > > > > > Can you confirm, or do you have any advice how I can prevent it?
> > > > > > > > > Thank you very much in advance.
> > > > > > > > > Best regards
> > > > > > > > > Marco
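To make the mechanism discussed in this thread concrete, here is an added example that is not DeltaSpike's own code: a redirect builder that copies the whole request parameter map (the behaviour Marco observed, where the POST body of j_security_check ends up in the Location header) beside one that applies the two remedies the thread settles on, skipping the initial redirect for non-GET requests and carrying over only the query string. The class and method names are hypothetical, and the Map<String, String[]> stands in for externalContext.getRequestParameterValuesMap().

```java
import java.net.URLEncoder;
import java.nio.charset.StandardCharsets;
import java.util.LinkedHashMap;
import java.util.Map;

// Hypothetical stand-in for the URL building done by the LAZY-mode "initial redirect".
// Added illustration, not DeltaSpike code; needs Java 10+ for URLEncoder(String, Charset).
public final class InitialRedirectExample {
    // Mirrors the reported behaviour: every entry of the request parameter map is appended.
    // For a POST that map also holds the form body, so j_username/j_password land in the URL.
    static String leakyRedirect(String baseUrl, Map<String, String[]> requestParams, String dswid) {
        StringBuilder url = new StringBuilder(baseUrl).append("?dswid=").append(dswid);
        for (Map.Entry<String, String[]> e : requestParams.entrySet()) {
            for (String value : e.getValue()) {
                url.append('&').append(URLEncoder.encode(e.getKey(), StandardCharsets.UTF_8))
                   .append('=').append(URLEncoder.encode(value, StandardCharsets.UTF_8));
            }
        }
        return url.toString();
    }

    // Hardened variant along the lines agreed in the thread: no initial redirect unless the
    // request is a GET (null = render the response directly), and only query-string
    // parameters are carried over, so a form body can never reach the Location header.
    static String safeRedirect(String method, String baseUrl, String queryString, String dswid) {
        if (!"GET".equals(method)) {
            return null;
        }
        StringBuilder url = new StringBuilder(baseUrl).append("?dswid=").append(dswid);
        if (queryString != null) {
            for (String pair : queryString.split("&")) {
                if (!pair.isEmpty() && !pair.startsWith("dswid=")) { // drop the stale window id
                    url.append('&').append(pair);
                }
            }
        }
        return url.toString();
    }

    public static void main(String[] args) {
        // Constructed sample: a failed JAAS login is a POST to j_security_check.
        Map<String, String[]> loginBody = new LinkedHashMap<>();
        loginBody.put("j_username", new String[] {"username"});
        loginBody.put("j_password", new String[] {"password"});
        String error = "http://localhost:8080/myapp/userLoginError.xhtml";
        System.out.println(leakyRedirect(error, loginBody, "3161")); // credentials in the URL
        System.out.println(safeRedirect("POST", error, null, "3161")); // null: no redirect
        System.out.println(safeRedirect("GET", "/index.xhtml", "userId=1&dswid=-8159", "42"));
    }
}
```

The third call shows why the redirect collects query parameters at all: a GET to /index.xhtml?userId=1 keeps userId while receiving a fresh dswid, which is the case Thomas describes.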
