[security-dev] SPFilter should check principal in POST calls
Pedro Igor Silva
psilva at redhat.com
Thu Oct 23 15:19:05 EDT 2014
Hey Claudio,
Makes sense to me, especially if we maintain backward compatibility.
However, the SPFilter is pretty outdated if you compare it with both the JBossWeb/Tomcat valves and the Undertow mechanism. Maybe you will hit a blocker in the future ...
Please send your contribution if you'd like to. Contributions are always welcome :)
Regards.
----- Original Message -----
From: "Claudio Miranda" <claudio at claudius.com.br>
To: security-dev at lists.jboss.org
Sent: Thursday, October 23, 2014 4:50:06 PM
Subject: [security-dev] SPFilter should check principal in POST calls
Hi, related to PLINK2-20, our application cannot use the SP valve, as
there are two authentication mechanisms (DatabaseServerLoginModule and
SAML2LoginModule). So we use SPFilter, and the alternative
authentication mechanism is working, except for the JSF requests:
SPFilter intercepts them as POST requests and redirects to the IDP, but the
user is already authenticated.
So, there is the following issue.
https://issues.jboss.org/browse/PLINK2-20
Would you allow a contribution to add a servlet filter init param to
optionally set the allowed request methods?

    <init-param>
        <param-name>ALLOWED_METHODS</param-name>
        <param-value>GET,POST</param-value>
    </init-param>

And change the code below to allow it?

    boolean postMethod = "POST".equalsIgnoreCase(request.getMethod());

It defaults to POST to maintain compatibility.
Comments?
Kind regards
--
Claudio Miranda
claudio at claudius.com.br
http://www.claudius.com.br
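The following is an added illustration of the change discussed in this thread; it is not PicketLink's SPFilter nor code from either poster. It shows a servlet filter that reads the proposed ALLOWED_METHODS init-param (defaulting to POST, as Claudio suggests) and, before redirecting to the IDP, checks whether the container has already authenticated the user via another login module. The IDP_URL init-param, the class name and the pure decision method shouldRedirectToIdp are assumptions made for the example; the SAML response processing the real filter performs on POST is left out so the method/principal decision stands on its own.

```java
// Added illustrative example, not PicketLink's SPFilter. Assumes the servlet
// API (javax.servlet) and a hypothetical IDP_URL init-param for the redirect target.
import java.io.IOException;
import java.util.Collections;
import java.util.HashSet;
import java.util.Locale;
import java.util.Set;

import javax.servlet.Filter;
import javax.servlet.FilterChain;
import javax.servlet.FilterConfig;
import javax.servlet.ServletException;
import javax.servlet.ServletRequest;
import javax.servlet.ServletResponse;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;

public class MethodAwareSpFilter implements Filter {

    /** Init-param name proposed in the thread; the filter defaults to POST when it is absent. */
    static final String ALLOWED_METHODS_PARAM = "ALLOWED_METHODS";
    /** Hypothetical init-param for the IDP redirect target (not from the thread). */
    static final String IDP_URL_PARAM = "IDP_URL";

    private Set<String> allowedMethods = Collections.singleton("POST");
    private String idpUrl;

    @Override
    public void init(FilterConfig config) {
        allowedMethods = parseAllowedMethods(config.getInitParameter(ALLOWED_METHODS_PARAM));
        idpUrl = config.getInitParameter(IDP_URL_PARAM);
    }

    /** Parses a value such as "GET,POST" into an upper-case set; null or blank keeps the POST-only default. */
    static Set<String> parseAllowedMethods(String value) {
        if (value == null || value.trim().isEmpty()) {
            return Collections.singleton("POST");
        }
        Set<String> methods = new HashSet<>();
        for (String m : value.split(",")) {
            String trimmed = m.trim();
            if (!trimmed.isEmpty()) {
                methods.add(trimmed.toUpperCase(Locale.ROOT));
            }
        }
        return methods.isEmpty() ? Collections.singleton("POST") : methods;
    }

    /**
     * The decision the thread is about: redirect to the IDP only when the request
     * method is one the filter handles AND the container has not already
     * authenticated the user (for example through DatabaseServerLoginModule).
     * Kept free of servlet types so it can be unit-tested directly.
     */
    static boolean shouldRedirectToIdp(Set<String> allowed, String method, boolean alreadyAuthenticated) {
        if (alreadyAuthenticated) {
            return false; // an authenticated JSF POST must reach the application, not the IDP
        }
        return method != null && allowed.contains(method.toUpperCase(Locale.ROOT));
    }

    @Override
    public void doFilter(ServletRequest req, ServletResponse resp, FilterChain chain)
            throws IOException, ServletException {
        HttpServletRequest request = (HttpServletRequest) req;
        HttpServletResponse response = (HttpServletResponse) resp;

        // getUserPrincipal() is populated by the container after any login module succeeds,
        // so it is the signal that a request is already authenticated.
        boolean authenticated = request.getUserPrincipal() != null;
        if (shouldRedirectToIdp(allowedMethods, request.getMethod(), authenticated)) {
            response.sendRedirect(idpUrl);
            return;
        }
        chain.doFilter(req, resp);
    }

    @Override
    public void destroy() {
    }
}
```

With no ALLOWED_METHODS configured the filter behaves as before (only POST is considered), so existing deployments are unaffected; widening the set to GET,POST only changes which unauthenticated requests are sent to the IDP, because the principal check short-circuits the redirect for anyone the container has already authenticated.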
_______________________________________________
security-dev mailing list
security-dev at lists.jboss.org
https://lists.jboss.org/mailman/listinfo/security-dev