[security-dev] SPFilter should check principal in POST calls

Claudio Miranda claudio at claudius.com.br
Thu Oct 23 14:50:06 EDT 2014


Hi, related to PLINK2-20, our application cannot use SP valve, as
there are two authentication mechanisms (DatabaseServerLoginModule and
SAML2LoginModule). So we use SPFilter, and the alternative
authentication mechanism is working, except for the JSF requests:
SPFilter intercepts them as POST requests and redirects to IDP, but the
user is already authenticated.

So, there is the following issue.

https://issues.jboss.org/browse/PLINK2-20

Would you allow a contribution to add a servlet filter init param to
optionally add the allowed request methods?

<init-param>
    <param-name>ALLOWED_METHODS</param-name>
    <param-value>GET,POST</param-value>
</init-param>

And change the below code to allow it?

    boolean postMethod = "POST".equalsIgnoreCase(request.getMethod());

Defaults to POST to maintain compatibility.

Comments?

Kind regards
-- 
  Claudio Miranda

claudio at claudius.com.br
http://www.claudius.com.br
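As an added illustration (not code from the post or from PicketLink), here is one way the proposed ALLOWED_METHODS init-param could be parsed and combined with a principal check, so that a request from an already-authenticated user is not sent back to the IDP. The class and method names are hypothetical; only the init-param name, the "GET,POST" value and the POST default come from the proposal.

```java
import java.util.Collections;
import java.util.HashSet;
import java.util.Locale;
import java.util.Set;
import javax.servlet.FilterConfig;
import javax.servlet.http.HttpServletRequest;

/** Hypothetical helper; not part of PicketLink's SPFilter. */
public final class AllowedMethodsCheck {

    /** Init-param name taken from the proposal. */
    static final String ALLOWED_METHODS_PARAM = "ALLOWED_METHODS";

    private final Set<String> allowedMethods;

    private AllowedMethodsCheck(Set<String> allowedMethods) {
        this.allowedMethods = Collections.unmodifiableSet(allowedMethods);
    }

    /** Read the init-param from web.xml; absent or blank means POST only (current behaviour). */
    static AllowedMethodsCheck fromConfig(FilterConfig config) {
        return fromParam(config.getInitParameter(ALLOWED_METHODS_PARAM));
    }

    /** Parse a comma-separated list such as "GET,POST"; case and whitespace are ignored. */
    static AllowedMethodsCheck fromParam(String value) {
        Set<String> methods = new HashSet<String>();
        if (value != null) {
            for (String m : value.split(",")) {
                String trimmed = m.trim().toUpperCase(Locale.ROOT);
                if (!trimmed.isEmpty()) {
                    methods.add(trimmed);
                }
            }
        }
        if (methods.isEmpty()) {
            methods.add("POST"); // default keeps the hard-coded POST check from the post
        }
        return new AllowedMethodsCheck(methods);
    }

    /** Replacement for: "POST".equalsIgnoreCase(request.getMethod()) */
    boolean isAllowedMethod(HttpServletRequest request) {
        return allowedMethods.contains(request.getMethod().toUpperCase(Locale.ROOT));
    }

    /** Redirect to the IDP only when no principal is present; an authenticated JSF POST passes through. */
    boolean needsIdpRedirect(HttpServletRequest request) {
        return request.getUserPrincipal() == null && isAllowedMethod(request);
    }
}
```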