Mark Curtis (Migrated from SEC-802) said:
Currently if a POST request is sent to the server and it requires authentication the body of the post is lost and because of this the default for Spring Security is to redirect to the default page after authentication. A better solution would be to save the body from the post so that it can be used following authentication.
Mark Curtis said:
Patch for the 2.0.0 release that addresses this issue.
Luke Taylor said:
It is possible to have a POST request start authentication and pick it up later – webflow uses this (there were one or two issues with parameters and saved requests). It won’t automatically use the default target. The parameters, headers etc will be retained, but not the body. Retaining the body would potentially leave the app vulnerable to being easily overloaded by unauthenticated users submitting large requests.
Jon Osborn said:
Maybe just moving the request from the current ‘special’ slot in the sesion to a ‘saved’ slot will meet the requirement?
Michael Schumann said:
I would love to see this supported as a configurable option. We have had to modify Spring Secuirty to get this functionality but I hate having to maintain modifications like this. We recognize the potentially vulnerability this feature posses, but the wrath of an unhappy user that spent a great amount of time filling out a form is a greater risk for us.
Form parameters should already be saved, so there shouldn’t be a problem.
Closing as superseded by SEC-1167. The introduction of a SavedRequest interface and generating strategy should allow this kind of customization.