Posted to users@deltaspike.apache.org by bu...@dakosy.de on 2015/04/22 15:44:00 UTC

POST parameter will be added to URL in some cases

Hello,
we are using DeltaSpike in a web application that is secured by JAAS, 
running on EAP 6.x. The login form sends a POST request to 
"j_security_check". If the login fails due to a wrong username/password, the 
user is redirected to a login error page configured as 
"form-error-page" in web.xml. In this case, the URL looks like 
"example.com/webapp/userLoginError.xhtml?j_password=password&j_username=username&dswid=-8159". 
The parameters j_username and j_password are added as GET parameters to the 
URL, containing the values in plaintext.
If I remove DeltaSpike from the project, the URL looks like 
"example.com/webapp/userLoginError.xhtml" without the parameters 
j_username and j_password.
After logging in successfully, this problem doesn't occur again if a POST 
request is made on a secured page.
From my point of view it looks like a bug in DeltaSpike, because 
DeltaSpike should only handle the parameter dswid and no other GET/POST 
parameters.
Can you confirm this, or do you have any advice on how I can prevent it?
Thank you very much in advance.
Best regards
Marco
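
As an added example (not code from the post, from DeltaSpike or from EAP), the following hypothetical servlet filter shows one way to stop credentials from reaching the query string of a redirect while the root cause is being tracked down. Whatever copies request parameters into the redirect target, the effect described above is that j_username and j_password end up in server and proxy access logs, browser history and the Referer header of the next request, so scrubbing the redirect target is a reasonable stop-gap. The filter name, the choice to intercept both sendRedirect() and a raw Location header, and the behaviour for malformed percent-escapes are my assumptions; the parameter names j_username, j_password and dswid are the ones from the post, and the code only relies on the Servlet 3.0 API shipped with EAP 6.

```java
import java.io.IOException;
import java.io.UnsupportedEncodingException;
import java.net.URLDecoder;
import java.util.Arrays;
import java.util.HashSet;
import java.util.Set;
import javax.servlet.Filter;
import javax.servlet.FilterChain;
import javax.servlet.FilterConfig;
import javax.servlet.ServletException;
import javax.servlet.ServletRequest;
import javax.servlet.ServletResponse;
import javax.servlet.http.HttpServletResponse;
import javax.servlet.http.HttpServletResponseWrapper;

/**
 * Hypothetical defensive filter (added example, not DeltaSpike or EAP code).
 * It wraps the response so that any redirect issued further down the chain,
 * whether through sendRedirect() or a raw Location header, has the container's
 * FORM-auth credential parameters removed from the query string. Parameters the
 * application legitimately round-trips, such as DeltaSpike's dswid, are kept.
 */
public class RedirectCredentialScrubFilter implements Filter {

    /** Names the servlet container reads from the j_security_check POST. */
    static final Set<String> SENSITIVE =
            new HashSet<String>(Arrays.asList("j_username", "j_password"));

    /**
     * Returns the redirect target with every SENSITIVE query parameter dropped.
     * The name is percent-decoded before comparison so that an encoded spelling
     * such as j%5Fpassword is caught too; values are never decoded or logged.
     */
    static String scrub(String location) {
        int q = location.indexOf('?');
        if (q < 0) {
            return location;                       // no query string, nothing to strip
        }
        int hash = location.indexOf('#', q);
        String base = location.substring(0, q);
        String query = hash < 0 ? location.substring(q + 1) : location.substring(q + 1, hash);
        String fragment = hash < 0 ? "" : location.substring(hash);

        StringBuilder kept = new StringBuilder();
        for (String pair : query.split("&")) {
            if (pair.length() == 0) {
                continue;                          // tolerate "a=1&&b=2"
            }
            int eq = pair.indexOf('=');
            String name = eq < 0 ? pair : pair.substring(0, eq);
            if (SENSITIVE.contains(decode(name))) {
                continue;                          // drop the credential parameter, value included
            }
            if (kept.length() > 0) {
                kept.append('&');
            }
            kept.append(pair);                     // pass every other parameter through untouched
        }
        return kept.length() == 0 ? base + fragment : base + '?' + kept + fragment;
    }

    private static String decode(String name) {
        try {
            return URLDecoder.decode(name, "UTF-8");
        } catch (UnsupportedEncodingException e) {
            throw new IllegalStateException(e);    // UTF-8 is always available
        } catch (IllegalArgumentException e) {
            return name;                           // malformed escape (assumption): compare the raw name
        }
    }

    @Override
    public void doFilter(ServletRequest req, ServletResponse res, FilterChain chain)
            throws IOException, ServletException {
        if (res instanceof HttpServletResponse) {
            res = new HttpServletResponseWrapper((HttpServletResponse) res) {
                @Override
                public void sendRedirect(String location) throws IOException {
                    super.sendRedirect(scrub(location));
                }

                @Override
                public void setHeader(String name, String value) {
                    super.setHeader(name, "Location".equalsIgnoreCase(name) ? scrub(value) : value);
                }

                @Override
                public void addHeader(String name, String value) {
                    super.addHeader(name, "Location".equalsIgnoreCase(name) ? scrub(value) : value);
                }
            };
        }
        chain.doFilter(req, res);
    }

    @Override
    public void init(FilterConfig config) { }

    @Override
    public void destroy() { }
}
```

For the URL from the post, scrub() turns "example.com/webapp/userLoginError.xhtml?j_password=password&j_username=username&dswid=-8159" into "example.com/webapp/userLoginError.xhtml?dswid=-8159", so the window id DeltaSpike needs survives and only the credentials disappear. Map the filter in web.xml to url-pattern /* with both REQUEST and FORWARD dispatchers so it wraps the response before the Faces servlet runs; a redirect the container itself issues before the filter chain (for example straight out of j_security_check) is not covered, so confirm which code path produces the leaking URL by checking the access log for "j_password=" with and without the filter. This only masks the symptom: the fix belongs wherever the request parameters are copied into the redirect target.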

Re: POST parameter will be added to URL in some cases

Posted by Thomas Andraschko <an...@gmail.com>.
Hi,

please debug ClientWindowHelper#handleInitialRedirect and check if the
j_password/j_username will be appended there and come back.

Regards,
Thomas

2015-04-22 15:44 GMT+02:00 <bu...@dakosy.de>:

> Hello,
> we are using DeltaSpike in a web application that is secured by JAAS,
> running on EAP 6.x. The login form sends a POST request to
> "j_security_check". If the login fails due to a wrong username/password, the
> user is redirected to a login error page configured as
> "form-error-page" in web.xml. In this case, the URL looks like
> "example.com/webapp/userLoginError.xhtml?j_password=password&j_username=username&dswid=-8159".
> The parameters j_username and j_password are added as GET parameters to the
> URL, containing the values in plaintext.
> If I remove DeltaSpike from the project, the URL looks like
> "example.com/webapp/userLoginError.xhtml" without the parameters
> j_username and j_password.
> After logging in successfully, this problem doesn't occur again if a POST
> request is made on a secured page.
> From my point of view it looks like a bug in DeltaSpike, because
> DeltaSpike should only handle the parameter dswid and no other GET/POST
> parameters.
> Can you confirm this, or do you have any advice on how I can prevent it?
> Thank you very much in advance.
> Best regards
> Marco