SEC-535: Add option to only allow POST HTTP method for submission of username/password on AuthenticationProcessingFilter #796

Closed
spring-issuemaster opened this Issue Aug 26, 2007 · 5 comments

1 participant

@spring-issuemaster

Marten Deinum (Migrated from SEC-535) said:

To limit the security risks it was decided that the AuthenticationProcessingFilter should only support POST requests. To support this we extended the AuthenticationProcessingFilter. We included 2 methods and added some code to the attemptAuthentication method to facilitate all this.

    import java.util.ArrayList;
    import java.util.Arrays;
    import java.util.List;
    import javax.servlet.http.HttpServletRequest;

    // HTTP methods on which a username/password submission is accepted, e.g. { "POST" }.
    private final List supportedMethods = new ArrayList();

    public void setSupportedMethods(String[] supportedMethods) {
        this.supportedMethods.clear();
        this.supportedMethods.addAll(Arrays.asList(supportedMethods));
    }

    // True when the request's HTTP method is one of the configured methods.
    protected boolean isMethodSupported(HttpServletRequest request) {
        final String method = request.getMethod();
        return supportedMethods.contains(method);
    }

Code we added to the attemptAuthentication method

    public Authentication attemptAuthentication(HttpServletRequest request) throws AuthenticationException {
        if (!isMethodSupported(request)) {
            // Reject before any credentials are read. AuthenticationServiceException is an
            // AuthenticationException, so the filter's normal failure handling applies.
            throw new AuthenticationServiceException("Authentication method not supported!");
        }
        [… original code …]
    }

@spring-issuemaster

Luke Taylor said:

Marten. Do you think it would be adequate to have a boolean flag which amounts to a “POST-only/no-GET” setting? Fine-grained setting of multiple methods seems like it might be overkill here.

@spring-issuemaster

Jon Osborn said:

Also, how is POST more secure than GET?

@spring-issuemaster

Luke Taylor said:

STW:

http://www.w3.org/Protocols/rfc2616/rfc2616-sec15.html#sec15.1.3

@spring-issuemaster

Marten Deinum said:

Took me a while to comment :), missed some updates I think.

A boolean flag with postOnly would be sufficient I guess. I wanted to make it as flexible as possible but to be realistic the only 2 methods going to be used are GET or POST. And I wouldn’t use a GET to send my username/password over the wire.

@spring-issuemaster

Luke Taylor said:

I’ve added the “postOnly” flag to AuthenticationProcessingFilter. It defaults to “true” so GET requests will be denied by default, which I think makes sense. We should be encouraging best practices out of the box.
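As an added illustration of the thread's point (not code from this issue or from Spring Security): a Python check that mirrors the postOnly decision, plus a scanner over a constructed access log that flags login requests whose credentials ended up in the URL, the exposure RFC 2616 section 15.1.3 warns about. The parameter names j_username/j_password and the path /j_spring_security_check are assumed from Spring Security's form login of that era; they do not appear on this page.

```python
import re
from urllib.parse import parse_qs, urlsplit

# Assumed form-login parameter names and processing URL (not taken from this page).
CREDENTIAL_PARAMS = {"j_username", "j_password"}
LOGIN_PATH = "/j_spring_security_check"


def is_method_allowed(method: str, post_only: bool = True) -> bool:
    """Mirror the postOnly flag: with post_only=True only POST may carry
    credentials into attemptAuthentication; with post_only=False any method may."""
    return method.upper() == "POST" if post_only else True


# Common Log Format: host ident user [time] "METHOD target HTTP/x" status bytes
LOG_RE = re.compile(
    r'^\S+ \S+ \S+ \[[^\]]+\] "(?P<method>[A-Z]+) (?P<target>\S+) HTTP/[\d.]+" '
    r'(?P<status>\d{3}) \S+$'
)


def find_credential_leaks(log_lines):
    """Return (line_no, method, leaked_param_names) for requests to the login
    URL whose query string carries credential parameters. A GET login puts them
    in the request line, so they land in server logs, proxies and browser history."""
    findings = []
    for n, line in enumerate(log_lines, 1):
        m = LOG_RE.match(line)
        if not m:
            continue
        parts = urlsplit(m.group("target"))
        if parts.path != LOGIN_PATH:
            continue
        leaked = sorted(CREDENTIAL_PARAMS & set(parse_qs(parts.query)))
        if leaked:
            findings.append((n, m.group("method"), leaked))
    return findings


# Constructed sample access log; values are placeholders, not from any real system.
SAMPLE_LOG = [
    '10.0.0.5 - - [26/Aug/2007:10:00:01 +0000] "GET /login.jsp HTTP/1.1" 200 1532',
    '10.0.0.5 - - [26/Aug/2007:10:00:09 +0000] "GET /j_spring_security_check?j_username=alice&j_password=s3cret HTTP/1.1" 302 0',
    '10.0.0.7 - - [26/Aug/2007:10:01:12 +0000] "POST /j_spring_security_check HTTP/1.1" 302 0',
    '10.0.0.9 - - [26/Aug/2007:10:02:40 +0000] "GET /j_spring_security_check?j_username=bob HTTP/1.1" 302 0',
]

if __name__ == "__main__":
    for n, method, params in find_credential_leaks(SAMPLE_LOG):
        print(f"line {n}: {method} login request exposed {params} in the URL")
```

The POST request on line 3 produces no finding because its credentials travel in the body, which the request line in the log never contains.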

@spring-issuemaster spring-issuemaster added this to the 3.0.0 M1 milestone Feb 5, 2016