Hi,
Thanks for the response.
We are using Picketlink as SP (service provider) and ADFS server as IDP. I tried adding the
SP filter in web.xml of our java application, but it was not successful; the issue still persists.
Please can you let me know if it is possible to have a call, so that we can discuss and clarify
the configuration settings and the SP.
Thanks a lot for the support.
Regards,
Manoharr.
-----Original Message-----
From: security-dev-bounces(a)lists.jboss.org [mailto:security-dev-bounces@lists.jboss.org]
On Behalf Of Pedro Igor Silva
Sent: Friday, October 24, 2014 12:49 AM
To: Claudio Miranda
Cc: security-dev(a)lists.jboss.org
Subject: Re: [security-dev] SPFilter should check principal in POST calls
Hey Claudio,
Makes sense for me. Especially if we maintain backward compatibility.
However, the SPFilter is pretty outdated compared with both the JBossWeb/Tomcat
valves and the Undertow mech. Maybe you can reach a blocker in the future ...
Please send your contribution if you would like to. Contribution is always welcome :)
Regards.
----- Original Message -----
From: "Claudio Miranda" <claudio(a)claudius.com.br>
To: security-dev(a)lists.jboss.org
Sent: Thursday, October 23, 2014 4:50:06 PM
Subject: [security-dev] SPFilter should check principal in POST calls
Hi, related to PLINK2-20, our application cannot use the SP valve, as there are two
authentication mechanisms (DatabaseServerLoginModule and SAML2LoginModule). So we use
SPFilter, and the alternative authentication mechanism is working, except for the JSF
requests: SPFilter intercepts them as POST requests and redirects to the IDP, but the user is
already authenticated.
So, there is the following issue.
https://issues.jboss.org/browse/PLINK2-20
Would you allow a contribution to add a servlet filter init param to optionally set the
allowed request methods?
<init-param>
<param-name>ALLOWED_METHODS</param-name>
<param-value>GET,POST</param-value>
</init-param>
And change the below code to allow it?
boolean postMethod = "POST".equalsIgnoreCase(request.getMethod());
Defaults to POST to maintain compatibility.
Comments?
Kind regards
--
Claudio Miranda
claudio(a)claudius.com.br
http://www.claudius.com.br
_______________________________________________
security-dev mailing list
security-dev(a)lists.jboss.org
https://lists.jboss.org/mailman/listinfo/security-dev
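The following is an added illustration of the idea discussed in this thread (an ALLOWED_METHODS init-param plus a principal check before the SP filter intercepts a request). It is not PicketLink's SPFilter and not code from either poster; the class name MethodAwareSpFilter, the helper names, the redirect target and the interpretation of ALLOWED_METHODS as "methods the filter may treat as SAML traffic" are all assumptions made here for the example.

```java
import java.io.IOException;
import java.util.Collections;
import java.util.HashSet;
import java.util.Locale;
import java.util.Set;

import javax.servlet.Filter;
import javax.servlet.FilterChain;
import javax.servlet.FilterConfig;
import javax.servlet.ServletException;
import javax.servlet.ServletRequest;
import javax.servlet.ServletResponse;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;

/**
 * Hypothetical servlet filter sketching the ALLOWED_METHODS proposal.
 * Not PicketLink's SPFilter: names, init-param handling and the redirect
 * target are illustrative assumptions for this example only.
 */
public class MethodAwareSpFilter implements Filter {

    /** Init-param name as proposed in the thread. */
    static final String ALLOWED_METHODS_PARAM = "ALLOWED_METHODS";

    /** Default keeps the old behaviour: only POST is treated as a SAML message. */
    private static final Set<String> DEFAULT_METHODS = Collections.singleton("POST");

    private Set<String> allowedMethods = DEFAULT_METHODS;

    @Override
    public void init(FilterConfig config) throws ServletException {
        allowedMethods = parseAllowedMethods(config.getInitParameter(ALLOWED_METHODS_PARAM));
    }

    /** Parses "GET,POST" into an upper-cased set; null, blank or empty falls back to POST only. */
    static Set<String> parseAllowedMethods(String value) {
        if (value == null || value.trim().isEmpty()) {
            return DEFAULT_METHODS;
        }
        Set<String> methods = new HashSet<>();
        for (String m : value.split(",")) {
            String trimmed = m.trim();
            if (!trimmed.isEmpty()) {
                methods.add(trimmed.toUpperCase(Locale.ROOT));
            }
        }
        return methods.isEmpty() ? DEFAULT_METHODS : Collections.unmodifiableSet(methods);
    }

    /**
     * Replaces the single "POST".equalsIgnoreCase(request.getMethod()) test with two checks:
     *  1. the HTTP method is one of the configured ALLOWED_METHODS, and
     *  2. the container has not already established a principal, so an
     *     authenticated JSF postback (the PLINK2-20 case) is left alone.
     */
    static boolean requiresSamlHandling(HttpServletRequest request, Set<String> allowed) {
        boolean methodMatches = allowed.contains(request.getMethod().toUpperCase(Locale.ROOT));
        boolean alreadyAuthenticated = request.getUserPrincipal() != null;
        return methodMatches && !alreadyAuthenticated;
    }

    @Override
    public void doFilter(ServletRequest req, ServletResponse res, FilterChain chain)
            throws IOException, ServletException {
        HttpServletRequest request = (HttpServletRequest) req;
        HttpServletResponse response = (HttpServletResponse) res;

        if (!requiresSamlHandling(request, allowedMethods)) {
            // Already authenticated, or a method the filter is not configured for:
            // pass the request through to the application untouched.
            chain.doFilter(req, res);
            return;
        }
        // Placeholder for the real SP logic. In PicketLink this is where the SAML
        // request/response would be processed or the browser sent to the IdP;
        // the path below is a constructed placeholder, not a real endpoint.
        response.sendRedirect(request.getContextPath() + "/saml-idp-placeholder");
    }

    @Override
    public void destroy() {
    }
}
```

With the init-param from the thread (`ALLOWED_METHODS` = `GET,POST`) registered against this filter in web.xml, an unauthenticated GET or POST is routed to the SAML flow, while any request that already carries a container principal is passed down the chain regardless of method. Leaving the param out keeps the POST-only default the thread asks for.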