  • postOnly in UsernamePasswordAuthenticationFilter

    Hi Guys,

    Here in my controller I do a registration, and after that I want the system to redirect to /j_spring_security_check with my newly generated username and password. But I noticed that in version 3.0.3, UsernamePasswordAuthenticationFilter introduced a new property 'postOnly', which by default is set to true.

    Is there a handier way that I can easily override this property instead of configuring my own bean in the security configuration (namespace based)? I think this should also be a property present in the schema (http/form-login) that allows it to be overridden.

    Does anyone have a better idea?

    Kind regards,
    Derek Zheng

    IJO Technologies / MYCO suite
    http://www.mycosuite.com
    http://www.ijotechnologies.com

  • #2
    You shouldn't allow GET requests for authentication. This exposes the password information and is a security risk.



    • #3
      Hi Luke,

      Probably you are right, but why then is there the possibility that we are allowed to override this field? Even if I just want a simple (or direct) way of doing that.


      IJO Technologies / MYCO suite
      http://www.mycosuite.com
      http://www.ijotechnologies.com
      Last edited by kresters; Feb 23rd, 2011, 01:02 PM. Reason: Change my signature



      • #4
        Previous versions didn't check the request method, but the check was introduced to make sure that people weren't accidentally using a GET request. Since this could break existing code, a parameter was introduced to control the behaviour.

        When it comes down to it, you are "allowed" to do anything you want. If you want to add sensitive parameters to the URL then you can. But it's not something that will be added to the namespace, for example.

        You can override the property using a post-processor, as described in the FAQ, or you can explicitly declare the filter bean. But you shouldn't do it, it's a bad idea.

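        The route that sidesteps the problem entirely, as an added example that is not code from this thread or from the Spring Security project: after saving the new account, authenticate the user in-process with the same AuthenticationManager the login filter uses and store the result in the SecurityContextHolder. No credentials are ever placed in a GET to /j_spring_security_check, so postOnly stays at its default of true. The UserRegistrationService interface, the /register, /home and /login paths, and the "authenticationManager" bean alias are assumptions made for this example.

```java
import org.springframework.beans.factory.annotation.Autowired;
import org.springframework.security.authentication.AuthenticationManager;
import org.springframework.security.authentication.UsernamePasswordAuthenticationToken;
import org.springframework.security.core.Authentication;
import org.springframework.security.core.AuthenticationException;
import org.springframework.security.core.context.SecurityContextHolder;
import org.springframework.stereotype.Controller;
import org.springframework.web.bind.annotation.RequestMapping;
import org.springframework.web.bind.annotation.RequestMethod;
import org.springframework.web.bind.annotation.RequestParam;

@Controller
public class RegistrationController {

    // The AuthenticationManager built by the <authentication-manager> namespace
    // element; it needs an alias to be injectable here (see the note below).
    @Autowired
    private AuthenticationManager authenticationManager;

    // Hypothetical application service that persists the new account.
    @Autowired
    private UserRegistrationService registrationService;

    // Registration itself is a POST, so the raw password only ever travels in a
    // request body, never in a query string that ends up in logs or history.
    @RequestMapping(value = "/register", method = RequestMethod.POST)
    public String register(@RequestParam("username") String username,
                           @RequestParam("password") String password) {
        registrationService.createUser(username, password);

        // Authenticate in-process with the same manager the login filter uses,
        // instead of redirecting the browser to /j_spring_security_check.
        UsernamePasswordAuthenticationToken request =
                new UsernamePasswordAuthenticationToken(username, password);
        try {
            Authentication result = authenticationManager.authenticate(request);
            // SecurityContextPersistenceFilter saves this context to the HTTP
            // session when the request completes, so later requests are logged in.
            SecurityContextHolder.getContext().setAuthentication(result);
        } catch (AuthenticationException e) {
            // A freshly created account that fails to authenticate points to a
            // defect in the registration path (for example, the password being
            // encoded twice); fall back to the ordinary login form.
            return "redirect:/login";
        }
        return "redirect:/home";
    }
}

/** Hypothetical service interface, assumed for the example. */
interface UserRegistrationService {
    void createUser(String username, String rawPassword);
}
```

        For the injection to work with namespace configuration, the manager has to be exposed as a bean, e.g. `<authentication-manager alias="authenticationManager">...</authentication-manager>`; the filter then never sees a GET and the postOnly check is left doing its job.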


        • #5
          Hi Luke,

          Thanks for your advice.

          Derek Zheng

          IJO Technologies / MYCO suite
          http://www.mycosuite.com
          http://www.ijotechnologies.com
