[security-dev] SPFilter should check principal in POST calls
Claudio Miranda
claudio at claudius.com.br
Wed Oct 29 14:00:59 EDT 2014
On Thu, Oct 23, 2014 at 5:19 PM, Pedro Igor Silva <psilva at redhat.com> wrote:
> However, the SPFilter is pretty outdated if you compare with both JBossWeb/Tomcat valves and Undertow mech. Maybe you can reach a blocker in the future ...
>
> Please, send your contribution if you like to. Contribution is always welcome :)
Hi Pedro, I saw that only GET is allowed because every POST is
redirected to IDP in case a saml response is part of the POST request.
So, my modification just checks if there are a post response. I tried
to test in wildfly 9 recent snapshop, but it throws a NPE in
io.undertow.security.impl.SecurityContextImpl.authenticationComplete.
The tests are performed with jboss-picketlink-quickstarts (idp,
sales-post, employee)
https://github.com/picketlink/picketlink/pull/428
Also a minor fix, to correct a wrong wildfly name in
picketlink-wildfly-common artifact name
https://github.com/picketlink/picketlink-bindings/pull/108
--
Claudio Miranda
claudio at claudius.com.br
http://www.claudius.com.br
More information about the security-dev
mailing list