Posted to dev@shiro.apache.org by "Peter Ledbrook (JIRA)" <ji...@apache.org> on 2010/01/27 09:33:34 UTC
[jira] Created: (SHIRO-132) Handle POST requests for unauthenticated users
Handle POST requests for unauthenticated users
----------------------------------------------
Key: SHIRO-132
URL: https://issues.apache.org/jira/browse/SHIRO-132
Project: Shiro
Issue Type: Improvement
Components: Authentication (log-in)
Affects Versions: Incubation
Reporter: Peter Ledbrook
Fix For: 1.0
We currently have a SavedRequest class that can handle GETs that need to be redirected to the login page. It doesn't work for POSTs though.
I have developed a solution for the Grails Shiro Plugin that could serve as the basis for a more generic Shiro implementation:
http://fisheye.codehaus.org/changelog/grails-plugins/grails-shiro/trunk?cs=58931
The idea is to save the POST information, redirect to the login page, and then after a successful login, redirect back to the originally requested URL. The GET request is then replaced with the saved POST request.
--
This message is automatically generated by JIRA.
-
You can reply to this email to add a comment to the issue online.
Re: [jira] Created: (SHIRO-132) Handle POST requests for unauthenticated users
Posted by Peter Ledbrook <pe...@cacoethes.co.uk>.
> This might open up a security hole - I'm not sure. Anyone please
> comment if you have information one way or the other.
>
> This sounds like a duplicate of SHIRO-22 [1]. Peter, could you please confirm?
Yes, same issue.
> The reason SHIRO-22 is not yet implemented is because I don't think we
> came to a consensus on its implications. That is, is this a smart
> thing to do? It sounds like it could be a potential security risk to
> me - what if the post represents a credit card submission?
What are the risks?
> Would a potentially better solution be to translate a saved POST
> request to a newly constructed GET request that has all the request
> parameters set? This way a form could be shown again pre-populated so
> the user can choose to submit themselves?
Hmmm...not sure that works particularly well with <textarea> elements.
File upload is another tricky problem. I know LinkedIn populate a page
with the form data (hidden) which then submits itself (via
JavaScript).
Cheers,
Peter
Re: [jira] Created: (SHIRO-132) Handle POST requests for unauthenticated users
Posted by Les Hazlewood <lh...@apache.org>.
Hi all,
This might open up a security hole - I'm not sure. Anyone please
comment if you have information one way or the other.
This sounds like a duplicate of SHIRO-22 [1]. Peter, could you please confirm?
The reason SHIRO-22 is not yet implemented is because I don't think we
came to a consensus on its implications. That is, is this a smart
thing to do? It sounds like it could be a potential security risk to
me - what if the post represents a credit card submission?
Would a potentially better solution be to translate a saved POST
request to a newly constructed GET request that has all the request
parameters set? This way a form could be shown again pre-populated so
the user can choose to submit themselves?
Thoughts?
- Les
[1] https://issues.apache.org/jira/browse/SHIRO-22
On Wed, Jan 27, 2010 at 3:33 AM, Peter Ledbrook (JIRA) <ji...@apache.org> wrote:
> Handle POST requests for unauthenticated users
> ----------------------------------------------
>
> Key: SHIRO-132
> URL: https://issues.apache.org/jira/browse/SHIRO-132
> Project: Shiro
> Issue Type: Improvement
> Components: Authentication (log-in)
> Affects Versions: Incubation
> Reporter: Peter Ledbrook
> Fix For: 1.0
>
>
> We currently have a SavedRequest class that can handle GETs that need to be redirected to the login page. It doesn't work for POSTs though.
>
> I have developed a solution for the Grails Shiro Plugin that could serve as the basis for a more generic Shiro implementation:
>
> http://fisheye.codehaus.org/changelog/grails-plugins/grails-shiro/trunk?cs=58931
>
> The idea is to save the POST information, redirect to the login page, and then after a successful login, redirect back to the originally requested URL. The GET request is then replaced with the saved POST request.
>
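The save, redirect and re-display flow discussed in this thread, as an added example in plain Java (17 or later); it is not code from Shiro or from the Grails plugin, and `SavedPostStore`, the five-minute lifetime and the sensitive parameter names are assumptions. It follows the re-display suggestion: a saved POST is held once, for a short time, and comes back as a form the user has to submit, while requests with sensitive fields or a non-local target are not saved at all.

```java
import java.security.SecureRandom;
import java.time.Duration;
import java.time.Instant;
import java.util.*;
import java.util.concurrent.ConcurrentHashMap;

/** Hypothetical helper, not a Shiro class: holds a POST across the login redirect. */
public class SavedPostStore {
    public record SavedPost(String uri, Map<String, List<String>> params, Instant expires) {}

    // Assumed policy: parameter names that must never be parked server-side.
    private static final Set<String> SENSITIVE = Set.of("password", "cardnumber", "cvv");
    private static final Duration TTL = Duration.ofMinutes(5);
    private final Map<String, SavedPost> pending = new ConcurrentHashMap<>();
    private final SecureRandom rng = new SecureRandom();

    /** Returns a one-time token, or empty if the request must not be saved. */
    public Optional<String> save(String uri, Map<String, List<String>> params) {
        boolean local = uri.startsWith("/") && !uri.startsWith("//") && !uri.contains("\\");
        boolean sensitive = params.keySet().stream()
                .anyMatch(n -> SENSITIVE.contains(n.toLowerCase(Locale.ROOT)));
        if (!local || sensitive) return Optional.empty(); // caller does a plain login redirect
        byte[] raw = new byte[16];
        rng.nextBytes(raw);
        String token = HexFormat.of().formatHex(raw);
        pending.put(token, new SavedPost(uri, Map.copyOf(params), Instant.now().plus(TTL)));
        return Optional.of(token);
    }

    /** One-time retrieval after a successful login; expired entries are dropped. */
    public Optional<SavedPost> take(String token) {
        SavedPost p = pending.remove(token);
        return (p == null || Instant.now().isAfter(p.expires())) ? Optional.empty() : Optional.of(p);
    }

    /** Re-display instead of replay: the user must press the button to submit. */
    public static String confirmForm(SavedPost p) {
        StringBuilder html = new StringBuilder("<form method=\"post\" action=\"" + esc(p.uri()) + "\">\n");
        p.params().forEach((name, values) -> values.forEach(v -> html.append(hidden(name, v))));
        return html.append("<button type=\"submit\">Submit saved form</button>\n</form>\n").toString();
    }
    private static String hidden(String name, String value) {
        return "<input type=\"hidden\" name=\"" + esc(name) + "\" value=\"" + esc(value) + "\">\n";
    }
    private static String esc(String s) { // HTML-attribute escaping; keeps <textarea> line breaks
        return s.replace("&", "&amp;").replace("<", "&lt;").replace(">", "&gt;")
                .replace("\"", "&quot;").replace("'", "&#39;").replace("\n", "&#10;");
    }
}
```

File uploads are not covered: only name/value parameters are kept, so a multipart request would have to be re-entered by the user.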
[jira] Commented: (SHIRO-132) Handle POST requests for unauthenticated users
Posted by "Kalle Korhonen (JIRA)" <ji...@apache.org>.
[ https://issues.apache.org/jira/browse/SHIRO-132?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=12833517#action_12833517 ]
Kalle Korhonen commented on SHIRO-132:
--------------------------------------
Interesting idea and might be useful, but unless there are any takers, I'm going to reschedule this for 1.0.1.
> Handle POST requests for unauthenticated users
> ----------------------------------------------
>
> Key: SHIRO-132
> URL: https://issues.apache.org/jira/browse/SHIRO-132
> Project: Shiro
> Issue Type: Improvement
> Components: Authentication (log-in)
> Affects Versions: Incubation
> Reporter: Peter Ledbrook
> Fix For: 1.0.0
>
>
> We currently have a SavedRequest class that can handle GETs that need to be redirected to the login page. It doesn't work for POSTs though.
> I have developed a solution for the Grails Shiro Plugin that could serve as the basis for a more generic Shiro implementation:
> http://fisheye.codehaus.org/changelog/grails-plugins/grails-shiro/trunk?cs=58931
> The idea is to save the POST information, redirect to the login page, and then after a successful login, redirect back to the originally requested URL. The GET request is then replaced with the saved POST request.
[jira] Updated: (SHIRO-132) Handle POST requests for unauthenticated users
Posted by "Kalle Korhonen (JIRA)" <ji...@apache.org>.
[ https://issues.apache.org/jira/browse/SHIRO-132?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel ]
Kalle Korhonen updated SHIRO-132:
---------------------------------
Fix Version/s: 1.0.1 (was: 1.0.0)
> Handle POST requests for unauthenticated users
> ----------------------------------------------
>
> Key: SHIRO-132
> URL: https://issues.apache.org/jira/browse/SHIRO-132
> Project: Shiro
> Issue Type: Improvement
> Components: Authentication (log-in)
> Affects Versions: Incubation
> Reporter: Peter Ledbrook
> Fix For: 1.0.1
>
>
> We currently have a SavedRequest class that can handle GETs that need to be redirected to the login page. It doesn't work for POSTs though.
> I have developed a solution for the Grails Shiro Plugin that could serve as the basis for a more generic Shiro implementation:
> http://fisheye.codehaus.org/changelog/grails-plugins/grails-shiro/trunk?cs=58931
> The idea is to save the POST information, redirect to the login page, and then after a successful login, redirect back to the originally requested URL. The GET request is then replaced with the saved POST request.