Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Already on GitHub? Sign in to your account

SEC-802: Save POST data to SavedRequest object so that it can be used after authentication #1062

Closed
spring-issuemaster opened this Issue Apr 28, 2008 · 6 comments

Comments

Projects
None yet
1 participant

Mark Curtis(Migrated from SEC-802) said:

Currently if a POST request is sent to the server and it requires authentication the body of the post is lost and because of this the default for Spring Security is to redirect to the default page after authentication. A better solution would be to save the body from the post so that it can be used following authentication.

Mark Curtis said:

Patch for the 2.0.0 release that addresses this issue.

Luke Taylor said:

It is possible to have a POST request start authentication and pick it up later – webflow uses this (there were one or two issues with parameters and saved requests). It won’t automatically use the default target. The parameters, headers etc will be retained, but not the body. Retaining the body would potentially leave the app vulnerable to being easily overloaded by unauthenticated users submitting large requests.

Jon Osborn said:

Maybe just moving the request from the current ‘special’ slot in the sesion to a ‘saved’ slot will meet the requirement?

Michael Schumann said:

I would love to see this supported as a configurable option. We have had to modify Spring Secuirty to get this functionality but I hate having to maintain modifications like this. We recognize the potentially vulnerability this feature posses, but the wrath of an unhappy user that spent a great amount of time filling out a form is a greater risk for us.

Luke Taylor said:

@Michael

Form parameters should already be saved, so there shouldn’t be a problem.

Luke Taylor said:

Closing as superseded by SEC-1167. The introduction of a SavedRequest interface and generating strategy should allow this kind of customization.

@spring-issuemaster spring-issuemaster added this to the 3.0.0 M2 milestone Feb 5, 2016

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment