[security-dev] SPFilter should check principal in POST calls

Pedro Igor Silva psilva at redhat.com
Thu Oct 23 15:19:05 EDT 2014


Hey Claudio,

    Makes sense to me. Especially if we maintain backward compatibility.

    However, the SPFilter is pretty outdated if you compare it with both the JBossWeb/Tomcat valves and the Undertow mechanism. Maybe you will hit a blocker in the future ...

    Please send your contribution if you'd like to. Contributions are always welcome :)

Regards.

----- Original Message -----
From: "Claudio Miranda" <claudio at claudius.com.br>
To: security-dev at lists.jboss.org
Sent: Thursday, October 23, 2014 4:50:06 PM
Subject: [security-dev] SPFilter should check principal in POST calls

Hi, related to PLINK2-20, our application cannot use the SP valve, as
there are two authentication mechanisms (DatabaseServerLoginModule and
SAML2LoginModule). So we use SPFilter, and the alternative
authentication mechanism is working, except for the JSF requests:
SPFilter intercepts them as POST requests and redirects to the IDP, but the
user is already authenticated.

So there is the following issue:

https://issues.jboss.org/browse/PLINK2-20

Would you allow a contribution to add a servlet filter init-param to
optionally set the allowed request methods?

<init-param>
    <param-name>ALLOWED_METHODS</param-name>
    <param-value>GET,POST</param-value>
</init-param>

And change the code below to allow it?

        boolean postMethod = "POST".equalsIgnoreCase(request.getMethod());

Defaults to POST to maintain compatibility.

Comments?

Kind regards
-- 
  Claudio Miranda

claudio at claudius.com.br
http://www.claudius.com.br
_______________________________________________
security-dev mailing list
security-dev at lists.jboss.org
https://lists.jboss.org/mailman/listinfo/security-dev
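As an added illustration (editor's example, not PicketLink's SPFilter code and not code from either poster), the following sketches the two checks the thread discusses: parsing a hypothetical ALLOWED_METHODS init-param that replaces the hard-coded `"POST".equalsIgnoreCase(request.getMethod())` test while defaulting to POST for compatibility, and the principal check from the subject line, so that a request already authenticated by another login module is not redirected to the IDP. The class, method names, the exact meaning of "allowed" (methods the filter treats as a SAML binding request) and the sample inputs are assumptions made for the example; SPFilter's real control flow is not reproduced here. It compiles with a plain JDK, since only java.security.Principal is used in place of the servlet API.

```java
import java.security.Principal;
import java.util.Collections;
import java.util.LinkedHashSet;
import java.util.Locale;
import java.util.Set;

/**
 * Editor's example, not PicketLink code: a configurable method list plus a
 * principal check, as proposed in the thread. Names and semantics are assumed.
 */
public class AllowedMethodsCheck {

    /** Name of the hypothetical init-param proposed in the thread. */
    static final String ALLOWED_METHODS_PARAM = "ALLOWED_METHODS";

    /** Default keeps today's behaviour: only POST is treated as a SAML binding request. */
    static final Set<String> DEFAULT_METHODS = Collections.singleton("POST");

    /**
     * Parse a value such as "GET,POST" into an upper-cased set. A null, empty or
     * whitespace-only value falls back to the default, so an unset param stays
     * backward compatible.
     */
    static Set<String> parseAllowedMethods(String initParamValue) {
        if (initParamValue == null || initParamValue.trim().isEmpty()) {
            return DEFAULT_METHODS;
        }
        Set<String> methods = new LinkedHashSet<>();
        for (String m : initParamValue.split(",")) {
            String trimmed = m.trim();
            if (!trimmed.isEmpty()) {
                methods.add(trimmed.toUpperCase(Locale.ROOT));
            }
        }
        return methods.isEmpty() ? DEFAULT_METHODS : Collections.unmodifiableSet(methods);
    }

    /** Replacement for the hard-coded POST test: is this method one the filter handles as a SAML binding? */
    static boolean isSamlBindingMethod(String requestMethod, Set<String> allowed) {
        return requestMethod != null && allowed.contains(requestMethod.toUpperCase(Locale.ROOT));
    }

    /**
     * The principal check from the subject line: a request that already carries a
     * principal (for example one authenticated by DatabaseServerLoginModule) is
     * passed straight through instead of being redirected to the IDP, whatever
     * its method. Only unauthenticated requests in the configured method set are
     * redirected.
     */
    static boolean shouldRedirectToIdp(String requestMethod, Principal principal, Set<String> allowed) {
        if (principal != null) {
            return false;
        }
        return isSamlBindingMethod(requestMethod, allowed);
    }

    public static void main(String[] args) {
        // Constructed inputs: the init-param value from the thread and a fake principal
        // (Principal has a single abstract method, getName(), so a lambda is enough).
        Set<String> defaults = parseAllowedMethods(null);
        Set<String> getAndPost = parseAllowedMethods("GET,POST");
        Principal dbUser = () -> "claudio";

        // Default config: an unauthenticated JSF POST is still sent to the IDP ...
        System.out.println("POST, no principal, default   -> redirect=" + shouldRedirectToIdp("POST", null, defaults));
        // ... but the same POST from an already authenticated user is not (the case in the thread).
        System.out.println("POST, db principal, default   -> redirect=" + shouldRedirectToIdp("POST", dbUser, defaults));
        // GET is not intercepted unless ALLOWED_METHODS lists it.
        System.out.println("GET,  no principal, default   -> redirect=" + shouldRedirectToIdp("GET", null, defaults));
        System.out.println("GET,  no principal, GET,POST  -> redirect=" + shouldRedirectToIdp("GET", null, getAndPost));
    }
}
```

In a real filter the value would come from `filterConfig.getInitParameter(ALLOWED_METHODS_PARAM)` in `init()` and the principal from `request.getUserPrincipal()` (or the session, depending on how the other login module exposes it); the point of the example is that the method test alone does not fix the JSF case, since those requests are POSTs, while the principal check does.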
