SEC-535: Add option to only allow POST HTTP method for submission of username/password on AuthenticationProcessingFilter #796

spring-issuemaster opened this Issue Aug 26, 2007 · 5 comments

Marten Deinum (Migrated from SEC-535) said:

To limit the security risks it was decided that the AuthenticationProcessingFilter should only support POST requests. To support this we extended the AuthenticationProcessingFilter. We included 2 methods and added some code to the attemptAuthentication method to facilitate all this.

    // Methods that may carry the username/password submission (e.g. "POST")
    private final List<String> supportedMethods = new ArrayList<String>();

    public void setSupportedMethods(String[] supportedMethods) {
        this.supportedMethods.clear();
        this.supportedMethods.addAll(Arrays.asList(supportedMethods));
    }

    // True when the request's HTTP method is in the configured list
    protected boolean isMethodSupported(HttpServletRequest request) {
        final String method = request.getMethod();
        return supportedMethods.contains(method);
    }

Code we added to the attemptAuthentication method

    public Authentication attemptAuthentication(HttpServletRequest request) throws AuthenticationException {
        // Reject the login attempt outright when it arrives over an unsupported method
        if (!isMethodSupported(request)) {
            throw new AuthorizationServiceException("Authentication method not supported!");
        }
        [… original code …]
    }

Luke Taylor said:

Marten. Do you think it would be adequate to have a boolean flag which amounts to a “POST-only/no-GET” setting? Fine-grained setting of multiple methods seems like it might be overkill here.

Jon Osborn said:

Also, how is POST more secure than GET?

Luke Taylor said:



Marten Deinum said:

Took me a while to comment :), missed some updates I think.

A boolean flag with postOnly would be sufficient I guess. I wanted to make it as flexible as possible but to be realistic the only 2 methods going to be used are GET or POST. And I wouldn’t use a GET to send my username/password over the wire.

Luke Taylor said:

I’ve added the “postOnly” flag to AuthenticationProcessingFilter. It defaults to “true” so GET requests will be denied by default, which I think makes sense. We should be encouraging best practices out of the box.
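The postOnly flag described above is still present in current Spring Security as UsernamePasswordAuthenticationFilter.setPostOnly (the renamed AuthenticationProcessingFilter), defaulting to true. The following is an added example, not code from this thread or from the Spring Security project: it drives that filter directly with spring-test's mock request classes to show the default rejecting a GET login and the weakened setting accepting it. It assumes spring-security-web, spring-security-core and spring-test on the classpath; the class name, TOY_MANAGER, the user alice/s3cret and the /login path are invented for the demo. The reason GET is the worse carrier is visible in the query string the GET branch sets: the credentials become part of the URL, which server access logs, proxies, browser history and Referer headers all record.

```java
import org.springframework.mock.web.MockHttpServletRequest;
import org.springframework.mock.web.MockHttpServletResponse;
import org.springframework.security.authentication.AuthenticationManager;
import org.springframework.security.authentication.AuthenticationServiceException;
import org.springframework.security.authentication.BadCredentialsException;
import org.springframework.security.authentication.UsernamePasswordAuthenticationToken;
import org.springframework.security.core.Authentication;
import org.springframework.security.core.authority.AuthorityUtils;
import org.springframework.security.web.authentication.UsernamePasswordAuthenticationFilter;

public class PostOnlyLoginDemo {

    // Hypothetical stand-in for a real AuthenticationManager: knows exactly one user.
    static final AuthenticationManager TOY_MANAGER = authentication -> {
        if ("alice".equals(authentication.getName())
                && "s3cret".equals(String.valueOf(authentication.getCredentials()))) {
            return new UsernamePasswordAuthenticationToken(
                    "alice", null, AuthorityUtils.createAuthorityList("ROLE_USER"));
        }
        throw new BadCredentialsException("bad credentials");
    };

    // Build the real Spring Security login filter with the given postOnly setting.
    static UsernamePasswordAuthenticationFilter loginFilter(boolean postOnly) {
        UsernamePasswordAuthenticationFilter filter =
                new UsernamePasswordAuthenticationFilter(TOY_MANAGER);
        filter.setPostOnly(postOnly); // true is the default; false re-enables GET logins
        return filter;
    }

    // Constructed login request carrying the demo credentials as request parameters.
    static MockHttpServletRequest loginRequest(String method) {
        MockHttpServletRequest request = new MockHttpServletRequest(method, "/login");
        request.addParameter("username", "alice");
        request.addParameter("password", "s3cret");
        if ("GET".equals(method)) {
            // On the wire a GET login puts the credentials in the URL itself, which
            // access logs, proxies, browser history and Referer headers all record.
            request.setQueryString("username=alice&password=s3cret");
        }
        return request;
    }

    // Run one login attempt through the filter and describe the outcome.
    static String attempt(UsernamePasswordAuthenticationFilter filter, String method) {
        try {
            Authentication result =
                    filter.attemptAuthentication(loginRequest(method), new MockHttpServletResponse());
            return method + " -> authenticated as " + result.getName();
        } catch (AuthenticationServiceException e) {
            // Thrown by the filter itself when postOnly is true and the method is not POST
            return method + " -> rejected: " + e.getMessage();
        }
    }

    public static void main(String[] args) {
        UsernamePasswordAuthenticationFilter secure = loginFilter(true); // the default
        System.out.println(attempt(secure, "POST"));
        System.out.println(attempt(secure, "GET"));

        UsernamePasswordAuthenticationFilter lax = loginFilter(false);   // the weak setting
        System.out.println(attempt(lax, "GET"));
    }
}
```

The filter reads the username and password with getParameter, and a servlet container serves that from both the query string and a form body, so with postOnly disabled a GET carrying credentials in the URL authenticates exactly like a POST. Leaving the default in place is the check that stops that from happening.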

@spring-issuemaster spring-issuemaster added this to the 3.0.0 M1 milestone Feb 5, 2016
