[keycloak-dev] Only redirect on GET
Bill Burke
bburke at redhat.com
Mon Jan 5 09:55:33 EST 2015
On 1/5/2015 8:47 AM, Stian Thorgersen wrote:
> ----- Original Message -----
>> From: "Bill Burke" <bburke at redhat.com>
>> To: keycloak-dev at lists.jboss.org
>> Sent: Monday, 5 January, 2015 2:31:18 PM
>> Subject: Re: [keycloak-dev] Only redirect on GET
>>
>> One problem that I fixed was that the adapter wasn't correctly saving
>> non-GET requests in the Http Session. Only problem is that Jetty can
>> only support saving POST form requests. I need to put in a test for 878
>> for PUT requests...
>
> Saving non-GET requests in the HTTP session opens up an easy DoS attack though. Someone can just POST a few big forms to fill up the server's memory.
>
> Would it not be simpler to just do login redirect on GET?
>
All servlet containers do this for form login. They also all have
configurable limits of what can be cached. Default for Undertow is like
16k I think (or is it 1k, I don't remember).
--
Bill Burke
JBoss, a division of Red Hat
http://bill.burkecentral.com
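Added example, not code from the thread or from the Keycloak adapters: a simplified model of the "park the request in the session, redirect to login, replay afterwards" flow the two messages argue about. It puts the unbounded variant (every unauthenticated request, body and all, is saved) beside a bounded one that saves GETs unconditionally, saves url-encoded form POSTs only under a size cap and a per-session count cap, rejects oversized forms instead of buffering them, and redirects other methods (PUT, multipart, JSON) without remembering the body. The cap values, the Request/Session classes and the "newest wins" eviction rule are assumptions for illustration; they are not Undertow's, Jetty's or Keycloak's actual settings or defaults.

```python
"""Model of saving an unauthenticated request before a login redirect.

Illustrative only (not Keycloak adapter code). Request and Session are
stand-ins for the servlet objects; the limits below are assumed values.
"""
from dataclasses import dataclass, field

# Assumed policy values, not the defaults of any real container.
MAX_SAVED_BODY_BYTES = 16 * 1024   # largest form body worth parking
MAX_SAVED_PER_SESSION = 1          # bound on parked requests per session

FORM_TYPE = "application/x-www-form-urlencoded"


@dataclass
class Request:
    method: str
    uri: str
    content_type: str = ""
    body: bytes = b""


@dataclass
class Session:
    # Each entry is (method, uri, body); this is the memory the attacker fills.
    saved: list = field(default_factory=list)


@dataclass
class Decision:
    # "redirect_saving": request parked, then redirect to login
    # "redirect_only":   redirect to login, nothing parked
    # "reject":          refuse the request (e.g. 413), nothing parked
    action: str
    saved_bytes: int = 0


def naive_save(session: Session, req: Request) -> Decision:
    """Unbounded variant: every request, with its full body, is parked.

    The server holds attacker-chosen bytes for as long as the session lives,
    which is the DoS the thread describes.
    """
    session.saved.append((req.method, req.uri, req.body))
    return Decision("redirect_saving", len(req.body))


def _park(session: Session, entry: tuple) -> None:
    """Store one entry, evicting older ones so the count stays capped."""
    while len(session.saved) >= MAX_SAVED_PER_SESSION:
        session.saved.pop(0)
    session.saved.append(entry)


def hardened_save(session: Session, req: Request) -> Decision:
    """Bounded variant: park GETs and small form POSTs only."""
    if req.method == "GET":
        # A GET is just a URI; nothing attacker-sized is retained.
        _park(session, ("GET", req.uri, b""))
        return Decision("redirect_saving", 0)
    if req.method == "POST" and req.content_type.startswith(FORM_TYPE):
        if len(req.body) > MAX_SAVED_BODY_BYTES:
            # Do not buffer it at all; answer 413-style and drop the body.
            return Decision("reject", 0)
        _park(session, ("POST", req.uri, req.body))
        return Decision("redirect_saving", len(req.body))
    # PUT, DELETE, multipart, JSON: send to login but forget the body,
    # so the client has to resubmit after authenticating.
    return Decision("redirect_only", 0)


def session_bytes(session: Session) -> int:
    """Bytes of request body currently held for this session."""
    return sum(len(body) for _, _, body in session.saved)


def flood(handler, count: int, body_size: int) -> int:
    """Simulate one client posting `count` forms of `body_size` bytes to a
    fresh session through `handler`; return the bytes the session retains."""
    session = Session()
    for i in range(count):
        body = b"x" * body_size   # constructed attacker payload
        handler(session, Request("POST", f"/app/{i}", FORM_TYPE, body))
    return session_bytes(session)


if __name__ == "__main__":
    print("naive, 10 x 1 MiB:", flood(naive_save, 10, 1 << 20))
    print("hardened, 10 x 1 MiB:", flood(hardened_save, 10, 1 << 20))
    print("hardened, 10 x 1 KiB:", flood(hardened_save, 10, 1 << 10))
```

Running the module shows the naive store keeping the full 10 MiB while the bounded store keeps nothing for oversized forms and at most one small form. A per-session cap alone does not stop an attacker who opens many sessions, so in practice the body cap has to sit alongside a limit on session count or session memory as well.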