SEC-802: Save POST data to SavedRequest object so that it can be used after authentication #1062

Closed
spring-issuemaster opened this Issue Apr 28, 2008 · 6 comments

1 participant

@spring-issuemaster

Mark Curtis (Migrated from SEC-802) said:

Currently if a POST request is sent to the server and it requires authentication the body of the post is lost and because of this the default for Spring Security is to redirect to the default page after authentication. A better solution would be to save the body from the post so that it can be used following authentication.

@spring-issuemaster

Mark Curtis said:

Patch for the 2.0.0 release that addresses this issue.

@spring-issuemaster

Luke Taylor said:

It is possible to have a POST request start authentication and pick it up later – webflow uses this (there were one or two issues with parameters and saved requests). It won’t automatically use the default target. The parameters, headers etc will be retained, but not the body. Retaining the body would potentially leave the app vulnerable to being easily overloaded by unauthenticated users submitting large requests.

@spring-issuemaster

Jon Osborn said:

Maybe just moving the request from the current ‘special’ slot in the sesion to a ‘saved’ slot will meet the requirement?

@spring-issuemaster

Michael Schumann said:

I would love to see this supported as a configurable option. We have had to modify Spring Secuirty to get this functionality but I hate having to maintain modifications like this. We recognize the potentially vulnerability this feature posses, but the wrath of an unhappy user that spent a great amount of time filling out a form is a greater risk for us.

@spring-issuemaster

Luke Taylor said:

@Michael

Form parameters should already be saved, so there shouldn’t be a problem.

@spring-issuemaster

Luke Taylor said:

Closing as superseded by SEC-1167. The introduction of a SavedRequest interface and generating strategy should allow this kind of customization.

@spring-issuemaster spring-issuemaster added this to the 3.0.0 M2 milestone Feb 5, 2016
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment