Thread: postOnly in UsernamePasswordAuthenticationFilter

  1. #1
    Join Date
    Nov 2009
    Posts
    4

    Unhappy postOnly in UsernamePasswordAuthenticationFilter

    Hi Guys,

    Here in my controller I do a registration, and after that I want the system to redirect to /j_spring_security_check with my latest generated username and password. But I noticed that in version 3.0.3, UsernamePasswordAuthentication introduced a new property 'postOnly', which by default is set to true.

    And is there a handier way that I can easily overwrite this property instead of configuring my own bean in the security configuration (namespace based)? I think this should be a property also present in the schema (http/form-login) that allows custom overwriting.

    Does anyone have a better idea?

    Kind regards,
    Derek Zheng

    IJO Technologies / MYCO suite
    http://www.mycosuite.com
    http://www.ijotechnologies.com

  2. #2
    Luke Taylor (Senior Member, Acegi Security System Team / Spring Team)
    Join Date
    Aug 2004
    Location
    Glasgow, Scotland
    Posts
    3,449

    Default

    You shouldn't allow GET requests for authentication. This exposes the password information and is a security risk.
    Spring - by Pivotal
    twitter @tekul

  3. #3
    Join Date
    Nov 2009
    Posts
    4

    Default

    Hi Luke,

    Probably you are right, but why then is there the possibility that we are allowed to overwrite this field? Even if I just want a simple (or direct) way of doing that.


    IJO Technologies / MYCO suite
    http://www.mycosuite.com
    http://www.ijotechnologies.com
    Last edited by kresters; Feb 23rd, 2011 at 01:02 PM. Reason: Change my signature

  4. #4
    Luke Taylor (Senior Member, Acegi Security System Team / Spring Team)
    Join Date
    Aug 2004
    Location
    Glasgow, Scotland
    Posts
    3,449

    Default

    Previous versions didn't check the request method, but the check was introduced to make sure that people weren't accidentally using a GET request. Since this could break existing code, a parameter was introduced to control the behaviour.

    When it comes down to it, you are "allowed" to do anything you want. If you want to add sensitive parameters to the URL then you can. But it's not something that will be added to the namespace, for example.

    You can override the property using a post-processor, as described in the FAQ, or you can explicitly declare the filter bean. But you shouldn't do it, it's a bad idea.
    Spring - by Pivotal
    twitter @tekul
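The postOnly check Luke describes, exercised directly with mock requests so you can see the default reject a GET login before any credentials are looked at. This is an added example, not code from the thread or from Spring Security; it assumes Spring Security 3.0.x and spring-test on the classpath, and the username, password and accept-all AuthenticationManager are constructed stand-ins.

```java
import java.util.Collections;
import org.springframework.mock.web.MockHttpServletRequest;
import org.springframework.mock.web.MockHttpServletResponse;
import org.springframework.security.authentication.AuthenticationManager;
import org.springframework.security.authentication.AuthenticationServiceException;
import org.springframework.security.authentication.UsernamePasswordAuthenticationToken;
import org.springframework.security.core.Authentication;
import org.springframework.security.core.GrantedAuthority;
import org.springframework.security.web.authentication.UsernamePasswordAuthenticationFilter;

public class PostOnlyDemo {

    // Stand-in manager that accepts any credentials (hypothetical, for the demo only).
    static AuthenticationManager acceptAll() {
        return new AuthenticationManager() {
            public Authentication authenticate(Authentication a) {
                return new UsernamePasswordAuthenticationToken(a.getPrincipal(), a.getCredentials(),
                        Collections.<GrantedAuthority>emptyList());
            }
        };
    }

    // Login request to the 3.0.x filter URL with constructed sample credentials.
    static MockHttpServletRequest loginRequest(String method) {
        MockHttpServletRequest req = new MockHttpServletRequest(method, "/j_spring_security_check");
        req.addParameter("j_username", "derek");
        req.addParameter("j_password", "s3cret");
        return req;
    }

    public static void main(String[] args) {
        UsernamePasswordAuthenticationFilter filter = new UsernamePasswordAuthenticationFilter();
        filter.setAuthenticationManager(acceptAll());
        // postOnly is left at its 3.0.3 default of true; nothing is overridden here.

        try {
            filter.attemptAuthentication(loginRequest("GET"), new MockHttpServletResponse());
            System.out.println("GET accepted (unexpected with the default)");
        } catch (AuthenticationServiceException e) {
            // Rejected before the AuthenticationManager is consulted, so the
            // credentials in the query string never reach the authentication path.
            System.out.println("GET rejected: " + e.getMessage());
        }

        Authentication ok = filter.attemptAuthentication(loginRequest("POST"), new MockHttpServletResponse());
        System.out.println("POST authenticated as " + ok.getName());
    }
}
```

The rejection message is the filter's own ("Authentication method not supported: GET" in 3.0.x), which is what a GET redirect to /j_spring_security_check would produce in the original poster's setup.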

  5. #5
    Join Date
    Nov 2009
    Posts
    4

    Default

    Hi Luke,

    Thanks for your advice.

    Derek Zheng

    IJO Technologies / MYCO suite
    http://www.mycosuite.com
    http://www.ijotechnologies.com
