[security-dev] SPFilter should check principal in POST calls

Thursday, 23 October 2014

Hi, related to PLINK2-20, our application cannot use SP valve, as
there are two authentication mechanism (DatabaseServerLoginModule and
SAML2LoginModule). So we use SPFilter and it the alternative
authentication mechanism is working, except for the jsf requests,
SPFilter intercepts it as POST requests and redirects to IDP, but the
user is already authenticated.

So, there is the following issue.

https://issues.jboss.org/browse/PLINK2-20

Would you allow a contribution to add a servlet filter init param to
optionally add the allowed request methods ?

<init-param>
    <param-name>ALLOWED_METHODS</param-name>
    <param-value>GET,POST</param-value>
</init-param>

And change the below code to allow it ?

        boolean postMethod = "POST".equalsIgnoreCase(request.getMethod());

Defaults to POST to maintain compatibility.

Comments ?

Kind regards
-- 
  Claudio Miranda

claudio(a)claudius.com.br
http://www.claudius.com.br

2024

2023

2022

2021

2020

2019

2018

2017

2016

2015

2014

2013

2012

[security-dev] SPFilter should check principal in POST calls