[security-dev] SPFilter should check principal in POST calls

Pedro Igor Silva psilva at redhat.com
Wed Oct 29 14:05:17 EDT 2014

Thanks for your contribution Claudio.

But as I mentioned before, I did some changes to the SPFilter to get it in sync with the JBossWeb valve. Please, take a look at the PR associated with the issue below


I've also added a new page on Confluence describing how to use it.

Would be nice if you could test it and see if it works for you.


----- Original Message -----
From: "Claudio Miranda" <claudio at claudius.com.br>
To: "Pedro Igor Silva" <psilva at redhat.com>
Cc: security-dev at lists.jboss.org
Sent: Wednesday, October 29, 2014 4:00:59 PM
Subject: Re: [security-dev] SPFilter should check principal in POST calls

On Thu, Oct 23, 2014 at 5:19 PM, Pedro Igor Silva <psilva at redhat.com> wrote:
> However, the SPFilter is pretty outdated if you compare with both JBossWeb/Tomcat valves and Undertow mech. Maybe you can reach a blocker in the future ...
>     Please, send your contribution if you like to. Contribution is always welcome :)

Hi Pedro, I saw that only GET is allowed because every POST is
redirected to IDP in case a saml response is part of the POST request.
So, my modification just checks if there are a post response. I tried
to test in wildfly 9 recent snapshop, but it throws a NPE in
The tests are performed with jboss-picketlink-quickstarts (idp,
sales-post, employee)


Also a minor fix, to correct a wrong wildfly name in
picketlink-wildfly-common artifact name


  Claudio Miranda

claudio at claudius.com.br

More information about the security-dev mailing list