Announcement Announcement Module
No announcement yet.
Spring Security + CAS destroys POSTs Page Title Module
Move Remove Collapse
Conversation Detail Module
  • Filter
  • Time
  • Show
Clear All
new posts

  • Spring Security + CAS destroys POSTs


    Im doing a project with PHP/Java bridge (please dont ask) and Spring Security with CAS from Jasig.

    The PHP is handled by servlet that does the heavy lifting that is mapped to "*.php".

    Im submitting following very simple form :
    <form action="index.php" method="POST">
      First Name: <input type="text" name="first_name">
      <br />
      Last Name: <input type="text" name="last_name" />
      <input type="submit" value="Submit" />
    So the lifecycle would be something like :
    1) Browser submits request
    2) Spring Security intercepts and asks CAS for ticket validation
    3) The PHP servlet gets the HttpServletRequest to work with

    The problem is that when I submit the form above the servlet gets empty request !!!
    No fields, no values, just empty !!!!

    Following things are to consider :
    1) If I use GET it works
    2) If I use UPLOAD (which is a POST) it works fine
    3) If I use JSP with the same form it works fine

    It really seems that Spring Security does something to the request that makes the POST
    data disappeared - but it should not touch the request at all !!!
    And it does it only to form POST requests comming from PHP file.
    I have tried to replace the PHP servlet with my own servlet but it still gets no data from HttpServletRequest!

    Im desperate so if anyone has any ideas, please, let me know.

    Thanks, Zbynek

  • #2
    I've been trying to debug more and when I replace DelegatingFilterProxy with my subclass than the ServletRequest passed into doFilter method contains the POST data untouched !

    This leads me to believe the data from request are being stripped away between DelegatingFilterProxy and my Servlet => in depth of Spring Security.

    I'll do some more digging but if anyone has any idea of why are the POST data even touched by Spring, dont keep it for urself


    • #3
      Found it !

      For anyone and everyone : org.jasig.cas.client.session.SingleSignOutFilter is to blame !!!

      I'll be digging to find why and what exactly it does but disabling it in my security context solved the problem
      and now PHP servlet is getting proper POST with proper values.