Comments (13)
Ben Alex said:
Switch to 1.0.0, as this change will not affect backward compatibility.
from spring-security.
Scott McCrory said:
Andrey, just so I understand it right – is this patch to allow an Acegi-protected application to essentially process the original request after it forces the user to reauthenticate? In other words, could you call it “resume after authentication” or something that facilitates “deep linking” into an application?
Thanks,
Scott
Andrey Grebnev said:
Scott, YES, this patch allows resuming the original request (including simple POST fields) after FORM-based (re)authentication.
Scott McCrory said:
Great! I’ll be glad to integrate this one for 1.0.0. End users love this sort of thing, especially when they get interrupted in the middle of a several-page wizard series. Good idea Andrey!
Scott McCrory said:
Andrey, in SavedRequest.java, you have “FIXME – Currently, this object has no mechanism to save or restore the data content of the request, although it does save request parameters so that a POST transaction can be faithfully duplicated.” Can you summarize the impact of not being able to restore data contents and a recommended resolution for it?
Thanks, Scott
Andrey Grebnev said:
Scott, this solution cannot save the binary data of an uploaded file; it can only save simple string POST parameters. On one hand it is bad to lose that type of data. But on the other hand we cannot store it in the session because the data can be very big, and this solution could open a big security problem (overloading by sending big data to a restricted resource).
Scott McCrory said:
Andrey, OK, understood & thanks. We can leave that for someone else to implement if they need it (one could add a variable limiting the amount of data allowed). In the meanwhile I’ll remove the “FIXME” tag and just comment its limitations. I don’t think many apps would need to support upload resumption after reauthentication anyway. My only concern would be that users might expect auto-resumption across the board.
Scott McCrory said:
FYI I merged the code into Acegi’s sandbox package for Ben to review. Looks pretty functional to me, but there might be an opportunity to fold in the FastHttpDateFormat and Enumerator classes since they’ll likely be limited in their reuse.
Ben Alex said:
I can see how SecurityEnforcementFilter saves the SavedHttpServletRequest. Except how does that saved request ever get fired again? I don’t see the role of SecurityContextHolderAwareRequestWrapper. Not everyone uses this, so the redirection functionality ideally shouldn’t depend on or require it.
Given this code would modify the way in which requests are processed, I think we should leave this out of 1.0.0 and ensure some unit tests get written that prove the behaviour. I’d also like to see SecurityEnforcementFilter no longer need to store the ACEGI_SECURITY_TARGET_URL_KEY, and instead just store the SavedHttpServletRequest.
Matt Raible said:
Is it possible to get this fixed for 1.0? It’s causing issues with Roller and could really upset some folks if they lose their posts.
http://opensource2.atlassian.com/projects/roller/browse/ROL-936
Ben Alex said:
I’ll take a look and see if it’s easy to do this for 1.0.0 final. If it blocks the release, I’ll have to postpone it until a later release. We really need unit tests to include features.
Ben Alex said:
Refactored and checked into SVN. Tests pass. Also tested with Contacts Sample. For those interested in doing a test:
1. Build the JAR from SVN, build Contacts-filter, and deploy to Tomcat
2. Click “manage” and login
3. Click “add” so you see the new page
4. Right click “home” and “open in a new tab” (assume Firefox)
5. Click “logout” in the newly-opened tab
6. Go back to the first tab and fill in the form, clicking “add”
7. You will be prompted to login, so do that
8. The POST will succeed, and the list of contacts (with your new contact at the bottom) will appear
Paul Benedict said:
I see two limitations in the current implementation.
1. Data sent by POST should be re-generated as a POST. Most applications prefer POST for semi-sensitive data because the data is not written into server logs. UrlUtils.buildFullRequestUrl() simply turns this into a GET, which should make some security-minded folks think twice about this approach.
2. Instead of a redirect, there should be an option to forward the saved request. The request intercepted is most likely to do another forward to generate the view after processing the data. There is no need to redirect in these cases. For those who know this is how their applications are structured, it’s better to just get the request dispatcher and forward the original request along.
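The mechanism discussed in this thread (Andrey’s description of saving the string POST parameters in the session with a bound on their size, and Paul’s two points that a saved POST should be replayed as a POST and that an in-process forward is an alternative to a redirect) can be shown in one small servlet filter. The code below is an added illustration written for this page, not Acegi or Spring Security code: the class and attribute names, the `/login` and `/login_success` paths, the assumption that a separate login servlet sets the `AUTHENTICATED_USER` session attribute, and the Servlet 3.0 `javax.servlet` API are all assumptions of the example.

```java
import java.io.IOException;
import java.io.Serializable;
import java.util.Collections;
import java.util.Enumeration;
import java.util.HashMap;
import java.util.Map;
import javax.servlet.Filter;
import javax.servlet.FilterChain;
import javax.servlet.FilterConfig;
import javax.servlet.ServletException;
import javax.servlet.ServletRequest;
import javax.servlet.ServletResponse;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletRequestWrapper;
import javax.servlet.http.HttpServletResponse;
import javax.servlet.http.HttpSession;

/** Illustrative save-and-replay filter; not Acegi or Spring Security code. */
public class SavedRequestReplayFilter implements Filter {
    static final String SAVED_KEY = "SAVED_REQUEST";        // assumed session attribute names
    static final String AUTH_KEY = "AUTHENTICATED_USER";    // set by the (assumed) login servlet
    static final String LOGIN_PAGE = "/login";              // assumed paths
    static final String LOGIN_SUCCESS = "/login_success";
    static final int MAX_SAVED_CHARS = 64 * 1024;           // bound on what one session may store

    /** Snapshot of method, URI and string parameters only; request bodies and uploads are not kept. */
    static final class SavedRequest implements Serializable {
        final String method;
        final String uri;
        final Map<String, String[]> params;
        SavedRequest(String method, String uri, Map<String, String[]> params) {
            this.method = method;
            this.uri = uri;
            this.params = params;
        }
    }

    /** Returns null when the parameters exceed the cap, so an unauthenticated client cannot fill the session. */
    static SavedRequest capture(HttpServletRequest req) {
        Map<String, String[]> params = new HashMap<String, String[]>(req.getParameterMap());
        long size = 0;
        for (Map.Entry<String, String[]> e : params.entrySet()) {
            size += e.getKey().length();
            for (String v : e.getValue()) size += v.length();
        }
        return size > MAX_SAVED_CHARS ? null : new SavedRequest(req.getMethod(), req.getRequestURI(), params);
    }

    /** Presents the saved method and parameters to the target servlet during the forward. */
    static final class ReplayRequest extends HttpServletRequestWrapper {
        private final SavedRequest saved;
        ReplayRequest(HttpServletRequest req, SavedRequest saved) { super(req); this.saved = saved; }
        @Override public String getMethod() { return saved.method; }   // a saved POST replays as POST, not GET
        @Override public Map<String, String[]> getParameterMap() { return Collections.unmodifiableMap(saved.params); }
        @Override public String[] getParameterValues(String name) { return saved.params.get(name); }
        @Override public String getParameter(String name) {
            String[] v = saved.params.get(name);
            return v == null || v.length == 0 ? null : v[0];
        }
        @Override public Enumeration<String> getParameterNames() { return Collections.enumeration(saved.params.keySet()); }
    }

    public void init(FilterConfig config) { }
    public void destroy() { }

    public void doFilter(ServletRequest request, ServletResponse response, FilterChain chain)
            throws IOException, ServletException {
        HttpServletRequest req = (HttpServletRequest) request;
        HttpServletResponse res = (HttpServletResponse) response;
        HttpSession session = req.getSession();
        String path = req.getServletPath();
        boolean authenticated = session.getAttribute(AUTH_KEY) != null;

        if (!authenticated && !LOGIN_PAGE.equals(path)) {
            SavedRequest saved = capture(req);
            if (saved != null) session.setAttribute(SAVED_KEY, saved);   // oversized requests are simply not saved
            res.sendRedirect(req.getContextPath() + LOGIN_PAGE);
            return;
        }
        if (authenticated && LOGIN_SUCCESS.equals(path)) {
            SavedRequest saved = (SavedRequest) session.getAttribute(SAVED_KEY);
            session.removeAttribute(SAVED_KEY);                          // replay at most once
            if (saved != null) {
                String target = saved.uri.substring(req.getContextPath().length());
                // Forward in-process rather than redirect: the original method and POST fields survive.
                req.getRequestDispatcher(target).forward(new ReplayRequest(req, saved), res);
                return;
            }
        }
        chain.doFilter(req, res);
    }
}
```

Two design points follow the thread: the size cap in `capture` is the concrete form of Andrey’s worry about an unauthenticated client pushing large data into session storage, and the `ReplayRequest` wrapper plus `forward` is Paul’s alternative to turning the saved POST into a redirected GET, so the parameters never appear in a request line or access log. The snapshot still holds only string parameters; a multipart upload body is lost, as the FIXME in the original patch notes.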