On 1/5/2015 8:47 AM, Stian Thorgersen wrote:
> ----- Original Message -----
> > From: "Bill Burke" <bburke(a)redhat.com>
> > To: keycloak-dev(a)lists.jboss.org
> > Sent: Monday, 5 January, 2015 2:31:18 PM
> > Subject: Re: [keycloak-dev] Only redirect on GET
> >
> > One problem that I fixed was that the adapter wasn't correctly saving
> > non-GET requests in the Http Session. Only problem is that Jetty can
> > only support saving POST form requests. I need to put in a test for 878
> > for PUT requests...
>
> Saving non-GET requests in the HTTP session opens up an easy DoS attack though. Someone
> can just POST a few big forms to fill up the server's memory.
>
> Would it not be simpler to just do login redirect on GET?
All servlet containers do this for form login. They also all have
configurable limits of what can be cached. Default for undertow is like
16k I think (or is it 1k, I don't remember).
--
Bill Burke
JBoss, a division of Red Hat
http://bill.burkecentral.com
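The mitigation Bill points at (save the pre-login request, but only up to a configurable size) is easy to get wrong, so here is an added illustration of it as a plain servlet filter. This is example code written for this thread, not Keycloak's adapter code or any container's form-login implementation; the class name, the `loginPath` init parameter, the `example.savedRequest` session attribute and the 16 KiB cap are assumptions chosen for the example.

```java
import java.io.IOException;
import java.io.Serializable;
import java.util.Map;

import javax.servlet.Filter;
import javax.servlet.FilterChain;
import javax.servlet.FilterConfig;
import javax.servlet.ServletException;
import javax.servlet.ServletRequest;
import javax.servlet.ServletResponse;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;

/**
 * Illustrative filter (not Keycloak's adapter code): before redirecting an
 * unauthenticated client to login, stash the original request in the HTTP
 * session so it can be replayed afterwards, but keep the stash bounded.
 * A GET costs one URL; a POST form is saved only when its declared
 * Content-Length is within MAX_SAVED_BODY_BYTES; anything else is redirected
 * without being buffered, so a client cannot fill server memory with posts.
 */
public class BoundedSavedRequestFilter implements Filter {

    /** Assumed cap on a saved form body; real containers make this configurable. */
    static final long MAX_SAVED_BODY_BYTES = 16 * 1024;
    static final String SAVED_REQUEST_ATTR = "example.savedRequest";

    /** Assumed login endpoint; a real adapter derives this from its configuration. */
    private String loginPath = "/login";

    /** Minimal, serializable snapshot of what is needed to replay the request. */
    public static final class SavedRequest implements Serializable {
        public final String method;
        public final String requestUri;                 // path plus query string
        public final Map<String, String[]> formParams;  // null unless a saved POST form

        SavedRequest(String method, String requestUri, Map<String, String[]> formParams) {
            this.method = method;
            this.requestUri = requestUri;
            this.formParams = formParams;
        }
    }

    @Override
    public void init(FilterConfig config) {
        String configured = config.getInitParameter("loginPath");
        if (configured != null) loginPath = configured;
    }

    @Override
    public void doFilter(ServletRequest request, ServletResponse response, FilterChain chain)
            throws IOException, ServletException {
        HttpServletRequest req = (HttpServletRequest) request;
        HttpServletResponse resp = (HttpServletResponse) response;

        // Already authenticated: nothing to save, let the request through.
        if (req.getUserPrincipal() != null) {
            chain.doFilter(request, response);
            return;
        }

        SavedRequest saved = snapshotIfBounded(req);
        if (saved != null) {
            // A session is created only for requests we agreed to keep.
            req.getSession(true).setAttribute(SAVED_REQUEST_ATTR, saved);
        }
        resp.sendRedirect(req.getContextPath() + loginPath);
    }

    /**
     * Returns a snapshot of the request when it is cheap to keep, or null when
     * the request should be redirected without buffering anything.
     */
    static SavedRequest snapshotIfBounded(HttpServletRequest req) {
        String uri = req.getRequestURI();
        if (req.getQueryString() != null) uri = uri + "?" + req.getQueryString();

        if ("GET".equals(req.getMethod())) {
            return new SavedRequest("GET", uri, null);
        }

        String contentType = req.getContentType();
        boolean isForm = contentType != null
                && contentType.toLowerCase().startsWith("application/x-www-form-urlencoded");
        long declaredLength = req.getContentLengthLong();

        // Save a POST form only when the body length is declared and within the cap.
        // Chunked bodies (length -1) and oversized bodies are never parsed or stored.
        if ("POST".equals(req.getMethod()) && isForm
                && declaredLength >= 0 && declaredLength <= MAX_SAVED_BODY_BYTES) {
            // getParameterMap() reads the (bounded) body; the container caps it at Content-Length.
            return new SavedRequest("POST", uri, req.getParameterMap());
        }
        return null;
    }

    @Override
    public void destroy() { }
}
```

Two design points matter here. The size check is made on the declared `Content-Length` before the body is parsed, so a request that is too large never reaches `getParameterMap()` and is never held in memory on the server's behalf; and a body with no declared length (chunked transfer) is treated the same way as an oversized one, since its size cannot be bounded up front. PUT and other non-form bodies fall through to a plain redirect, which matches the Jetty limitation mentioned in the thread rather than trying to buffer arbitrary bodies.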