[keycloak-dev] Only redirect on GET

Stian Thorgersen stian at redhat.com
Mon Jan 5 08:47:44 EST 2015

----- Original Message -----
> From: "Bill Burke" <bburke at redhat.com>
> To: keycloak-dev at lists.jboss.org
> Sent: Monday, 5 January, 2015 2:31:18 PM
> Subject: Re: [keycloak-dev] Only redirect on GET
> 
> One problem that I fixed was that the adapter wasn't correctly saving
> non-GET requests in the Http Session.  Only problem is that Jetty can
> only support saving POST form requests.  I need to put in a test for 878
> for PUT requests...

Saving non-GET requests in the HTTP session opens up an easy DoS attack though. Someone can just POST a few big forms to fill up the server's memory.

Would it not be simpler to just do login redirect on GET?

> 
> BTW, I think all their GWT problems are a result of not setting up GWT
> to send HTTP requests with auth headers.
> 
> On 1/5/2015 7:18 AM, Stian Thorgersen wrote:
> > With regards to:
> >
> > https://issues.jboss.org/browse/KEYCLOAK-881
> > https://issues.jboss.org/browse/KEYCLOAK-878
> >
> > Are they not both caused by the adapter redirecting to login page on
> > non-GET requests? Would it not make sense to only do a redirect for GET
> > requests and return a 401 for other request types?
> > _______________________________________________
> > keycloak-dev mailing list
> > keycloak-dev at lists.jboss.org
> > https://lists.jboss.org/mailman/listinfo/keycloak-dev
> >
> 
> --
> Bill Burke
> JBoss, a division of Red Hat
> http://bill.burkecentral.com
> 
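As an added illustration of the two adapter behaviours discussed in this thread (example code, not Keycloak's adapter and not code from either poster): the GET-only policy stores nothing but a bounded URL and answers other methods with 401, while the save-any-request pattern parks the whole body in the session. The auth URL, client id, realm name and sample request are assumed placeholders.

```python
from __future__ import annotations
from urllib.parse import urlencode

# Assumed placeholders for this example; a real adapter reads them from keycloak.json.
AUTH_URL = "https://sso.example.com/auth/realms/demo/protocol/openid-connect/auth"
CLIENT_ID = "demo-app"
MAX_SAVED_URL = 2048  # bound on what one unauthenticated GET may park in the session


def handle_unauthenticated(session: dict, method: str, url: str, body: bytes = b"") -> tuple[int, dict]:
    """Answer a request that carries no valid token or login session.
    GET: remember only the (bounded) URL and redirect to the login page.
    Anything else: 401 with WWW-Authenticate, so the caller (browser JS, GWT,
    REST client) obtains a token and retries; the body is never stored."""
    if method.upper() != "GET":
        return 401, {"WWW-Authenticate": 'Bearer realm="demo"'}
    session["saved_url"] = url[:MAX_SAVED_URL]
    params = {"client_id": CLIENT_ID, "response_type": "code", "redirect_uri": url}
    return 302, {"Location": f"{AUTH_URL}?{urlencode(params)}"}


def save_any_request(session: dict, method: str, url: str, body: bytes) -> None:
    """The pattern the thread warns about: park the whole request, body included,
    for replay after login. Session memory then grows with every unauthenticated POST."""
    session["saved_request"] = (method, url, body)


def session_bytes(session: dict) -> int:
    """Approximate bytes the session holds on behalf of a not-yet-logged-in client."""
    def size(v) -> int:
        if isinstance(v, (bytes, bytearray)):
            return len(v)
        if isinstance(v, str):
            return len(v.encode())
        if isinstance(v, (tuple, list)):
            return sum(size(x) for x in v)
        return 0
    return sum(size(v) for v in session.values())


def compare(post_body_size: int = 1 << 20) -> tuple[int, int]:
    """Session cost of one unauthenticated POST: (save-any-request, GET-only policy)."""
    url = "https://app.example.com/api/items"  # constructed sample request
    body = b"x" * post_body_size
    saved, get_only = {}, {}
    save_any_request(saved, "POST", url, body)
    handle_unauthenticated(get_only, "POST", url, body)  # answers 401, stores nothing
    return session_bytes(saved), session_bytes(get_only)
```

Calling `compare()` with a 1 MiB body shows the saved-request session holding over a megabyte for a single unauthenticated POST, against zero bytes under the GET-only policy.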