Spring Security
SEC-535

Add option to only allow POST HTTP method for submission of username/password on AuthenticationProcessingFilter

    Details

    • Type: Improvement
    • Status: Closed
    • Priority: Minor
    • Resolution: Fixed
    • Affects Version/s: 1.0.4
    • Fix Version/s: 3.0.0 M1
    • Component/s: Core
    • Labels: None

      Description

      To limit the security risks it was decided that the AuthenticationProcessingFilter should only support POST requests. To support this we extended the AuthenticationProcessingFilter. We included 2 methods and added some code to the attemptAuthentication method to facilitate all this.

      import java.util.ArrayList;
      import java.util.Arrays;
      import java.util.List;
      import javax.servlet.http.HttpServletRequest;

      // HTTP methods the filter will accept for the username/password submission (e.g. "POST")
      private final List<String> supportedMethods = new ArrayList<String>();

      public void setSupportedMethods(String[] supportedMethods) {
          this.supportedMethods.clear();
          this.supportedMethods.addAll(Arrays.asList(supportedMethods));
      }

      // true when the request's HTTP method is one of the configured methods
      protected boolean isMethodSupported(HttpServletRequest request) {
          final String method = request.getMethod();
          return supportedMethods.contains(method);
      }

      Code we added to the attemptAuthentication method

      public Authentication attemptAuthentication(HttpServletRequest request) throws AuthenticationException {
          // reject the request before any credentials are read if it did not arrive via an allowed method
          if (!isMethodSupported(request)) {
              throw new AuthorizationServiceException("Authentication method not supported!");
          }

          [... original code ...]
      }

        Activity

        Luke Taylor added a comment -

        Marten. Do you think it would be adequate to have a boolean flag which amounts to a "POST-only/no-GET" setting? Fine-grained setting of multiple methods seems like it might be overkill here.
        Jon Osborn added a comment -

        Also, how is POST more secure than GET?
        Luke Taylor added a comment -

        STW: http://www.w3.org/Protocols/rfc2616/rfc2616-sec15.html#sec15.1.3
        Marten Deinum added a comment -

        Took me a while to comment, missed some updates I think.

        A boolean flag with postOnly would be sufficient I guess. I wanted to make it as flexible as possible but to be realistic the only 2 methods going to be used are GET or POST. And I wouldn't use a GET to send my username/password over the wire.
        Luke Taylor added a comment -

        I've added the "postOnly" flag to AuthenticationProcessingFilter. It defaults to "true" so GET requests will be denied by default, which I think makes sense. We should be encouraging best practices out of the box.
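        Added example, not code from this issue or from Spring Security: a small Python model of the postOnly check described in the description and settled on in the comments, run against two constructed raw HTTP requests. It also illustrates the answer to "how is POST more secure than GET" given via the RFC 2616 link: a web server's access log records the request line, so a GET submission puts the query string, credentials included, into the log, while a POST body never appears there. The endpoint and parameter names (/j_spring_security_check, j_username, j_password) are assumed sample values, and the exception class stands in for whatever the real filter throws.

```python
# Added example (not code from SEC-535 or from Spring Security): a minimal model
# of a form-login filter's "postOnly" check applied to raw HTTP requests, plus
# the access-log view that shows why GET is the risky method for credentials.
from urllib.parse import parse_qs, urlsplit

# Constructed sample requests. Endpoint and parameter names are assumed, not
# taken from the issue.
GET_LOGIN = (
    "GET /j_spring_security_check?j_username=alice&j_password=s3cr3t HTTP/1.1\r\n"
    "Host: example.test\r\n"
    "\r\n"
)
_POST_BODY = "j_username=alice&j_password=s3cr3t"
POST_LOGIN = (
    "POST /j_spring_security_check HTTP/1.1\r\n"
    "Host: example.test\r\n"
    "Content-Type: application/x-www-form-urlencoded\r\n"
    f"Content-Length: {len(_POST_BODY)}\r\n"
    "\r\n" + _POST_BODY
)


class AuthenticationServiceException(Exception):
    """Stand-in for the exception the filter raises on a rejected method."""


def parse_request(raw: str) -> dict:
    """Split a raw HTTP/1.1 request into method, target, headers and body."""
    head, _, body = raw.partition("\r\n\r\n")
    request_line, *header_lines = head.split("\r\n")
    method, target, version = request_line.split(" ")
    headers = {}
    for line in header_lines:
        name, _, value = line.partition(":")
        headers[name.strip().lower()] = value.strip()
    return {"method": method, "target": target, "version": version,
            "headers": headers, "body": body, "request_line": request_line}


def access_log_line(req: dict, client: str = "203.0.113.7") -> str:
    """Abridged Common Log Format: the full request line (query string
    included) is what a typical web server writes to its access log."""
    return f'{client} - - "{req["request_line"]}"'


def obtain_credentials(req: dict) -> tuple:
    """Read j_username/j_password the way a form-login filter would:
    from the urlencoded body on POST, from the query string otherwise."""
    if req["method"] == "POST":
        params = parse_qs(req["body"])
    else:
        params = parse_qs(urlsplit(req["target"]).query)
    username = params.get("j_username", [""])[0]
    password = params.get("j_password", [""])[0]
    return username, password


def attempt_authentication(req: dict, post_only: bool = True) -> tuple:
    """Model of attemptAuthentication with the postOnly flag: any non-POST
    submission is rejected before the credentials are even read."""
    if post_only and req["method"] != "POST":
        raise AuthenticationServiceException(
            f"Authentication method not supported: {req['method']}")
    return obtain_credentials(req)


def is_rejected(raw: str, post_only: bool = True) -> bool:
    """True when the filter would refuse this raw request."""
    try:
        attempt_authentication(parse_request(raw), post_only)
    except AuthenticationServiceException:
        return True
    return False


def password_leaks_into_log(raw: str) -> bool:
    """True when the submitted password would show up in the access log."""
    req = parse_request(raw)
    _, password = obtain_credentials(req)
    return password in access_log_line(req)


if __name__ == "__main__":
    for raw in (GET_LOGIN, POST_LOGIN):
        req = parse_request(raw)
        print(access_log_line(req))
        try:
            print("  accepted:", attempt_authentication(req))
        except AuthenticationServiceException as exc:
            print("  rejected:", exc)
```

With the default post_only=True the GET submission is refused and the POST one yields the credentials; setting post_only=False shows the pre-fix behaviour, where the GET is accepted even though its request line, password included, has already been written to the access log.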

          People

          • Assignee: Luke Taylor
          • Reporter: Marten Deinum
          • Votes: 0
          • Watchers: 1

            Dates

            • Created:
              Updated:
              Resolved: