----- Original Message -----
From: "Bill Burke" <bburke(a)redhat.com>
To: keycloak-dev(a)lists.jboss.org
Sent: Monday, 5 January, 2015 2:31:18 PM
Subject: Re: [keycloak-dev] Only redirect on GET
One problem that I fixed was that the adapter wasn't correctly saving
non-GET requests in the Http Session. Only problem is that Jetty can
only support saving POST form requests. I need to put in a test for 878
for PUT requests...
Saving non-GET requests in the HTTP session opens up an easy DoS attack though. Someone
can just POST a few big forms to fill up the server's memory.
Would it not be simpler to just do login redirect on GET?
BTW, I think all their GWT problems are a result of not setting up GWT
to send HTTP requests with auth headers.
On 1/5/2015 7:18 AM, Stian Thorgersen wrote:
> With regards to:
>
> https://issues.jboss.org/browse/KEYCLOAK-881
> https://issues.jboss.org/browse/KEYCLOAK-878
>
> Are they not both caused by the adapter redirecting to login page on
> non-GET requests? Would it not make sense to only do a redirect for GET
> requests and return a 401 for other request types?
> _______________________________________________
> keycloak-dev mailing list
> keycloak-dev(a)lists.jboss.org
> https://lists.jboss.org/mailman/listinfo/keycloak-dev
>
--
Bill Burke
JBoss, a division of Red Hat
http://bill.burkecentral.com
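
Added example, not part of the original thread and not Keycloak adapter code: a small model of the two behaviours discussed above (save every unauthenticated request in the session and redirect, versus redirect only on GET and answer 401 otherwise), measuring how many request-body bytes the server retains. All names, the login URL, the Bearer challenge and the size-capped variant are assumptions made for illustration.

```python
from dataclasses import dataclass
from typing import Optional

LOGIN_URL = "/auth/login"      # placeholder login endpoint (assumption)
MAX_SAVED_BODY = 8 * 1024      # assumed cap for the capped variant, in bytes

@dataclass
class Request:
    method: str
    path: str
    body: bytes = b""

@dataclass
class Session:
    saved: Optional[Request] = None   # request to replay after login

def save_and_redirect(req, session):
    """Save any unauthenticated request in the session, then redirect."""
    session.saved = req               # body size is chosen by the client
    return 302, {"Location": LOGIN_URL}

def redirect_get_only(req, session):
    """Redirect GET to login; answer 401 to every other method."""
    if req.method == "GET":
        session.saved = Request("GET", req.path)   # nothing large to keep
        return 302, {"Location": LOGIN_URL}
    return 401, {"WWW-Authenticate": "Bearer"}     # challenge scheme assumed

def save_capped_and_redirect(req, session):
    """Middle ground (assumption): save small bodies, 401 for large ones."""
    if len(req.body) > MAX_SAVED_BODY:
        return 401, {"WWW-Authenticate": "Bearer"}
    return save_and_redirect(req, session)

def simulate(policy, requests):
    """Run a policy; a client sending no cookie gets a fresh session each time."""
    sessions, statuses = [], []
    for req in requests:
        session = Session()
        sessions.append(session)
        statuses.append(policy(req, session)[0])
    retained = sum(len(s.saved.body) for s in sessions if s.saved)
    return statuses, retained

# Constructed sample traffic: one page view and three 1 MiB form posts.
SAMPLE = [Request("GET", "/app")] + [Request("POST", "/app/form", b"x" * 2**20)] * 3

if __name__ == "__main__":
    for policy in (save_and_redirect, redirect_get_only, save_capped_and_redirect):
        statuses, retained = simulate(policy, SAMPLE)
        print(f"{policy.__name__}: statuses={statuses} retained={retained} bytes")
```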