Spring Security / SEC-802

Save POST data to SavedRequest object so that it can be used after authentication

    Details

    • Type: Improvement
    • Status: Closed
    • Priority: Minor
    • Resolution: Duplicate
    • Affects Version/s: 2.0.0
    • Fix Version/s: 3.0.0 M2
    • Component/s: Core
    • Labels:
      None
    • Environment:
      All

      Description

      Currently, if a POST request is sent to the server and it requires authentication, the body of the POST is lost, and because of this the default for Spring Security is to redirect to the default page after authentication. A better solution would be to save the body from the POST so that it can be used following authentication.

          Activity

          Mark Curtis added a comment -

          Patch for the 2.0.0 release that addresses this issue.

          Luke Taylor added a comment -

          It is possible to have a POST request start authentication and pick it up later - webflow uses this (there were one or two issues with parameters and saved requests). It won't automatically use the default target. The parameters, headers etc will be retained, but not the body. Retaining the body would potentially leave the app vulnerable to being easily overloaded by unauthenticated users submitting large requests.

          Jon Osborn added a comment -

          Maybe just moving the request from the current 'special' slot in the session to a 'saved' slot will meet the requirement?

          Michael Schumann added a comment -

          I would love to see this supported as a configurable option. We have had to modify Spring Security to get this functionality, but I hate having to maintain modifications like this. We recognize the potential vulnerability this feature poses, but the wrath of an unhappy user that spent a great amount of time filling out a form is a greater risk for us.

          Luke Taylor added a comment -

          @Michael

          Form parameters should already be saved, so there shouldn't be a problem.

          Luke Taylor added a comment -

          Closing as superseded by SEC-1167. The introduction of a SavedRequest interface and generating strategy should allow this kind of customization.
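
An added illustration of the trade-off discussed in the comments above (not part of the original issue, the attached patch, or Spring Security's code): if an application chooses to retain POST bodies before authentication, the overload risk can be bounded with a per-request cap and a global budget for all unauthenticated sessions. `BoundedBodyStore`, its methods and the limits used are hypothetical names and constructed values; wiring it into a custom saved-request strategy is left to the application.

```java
import java.io.ByteArrayInputStream;
import java.io.ByteArrayOutputStream;
import java.io.IOException;
import java.io.InputStream;
import java.util.Optional;
import java.util.concurrent.atomic.AtomicLong;

/** Hypothetical helper: retains a pre-authentication request body only within fixed limits. */
public class BoundedBodyStore {
    private final int maxPerRequest;   // cap on one saved body, in bytes
    private final long maxTotal;       // cap on all bodies held for unauthenticated sessions
    private final AtomicLong retained = new AtomicLong();
    public BoundedBodyStore(int maxPerRequest, long maxTotal) {
        this.maxPerRequest = maxPerRequest;
        this.maxTotal = maxTotal;
    }

    /** Returns the body if it fits both limits; empty means "do not save the body". */
    public Optional<byte[]> capture(InputStream body) throws IOException {
        ByteArrayOutputStream out = new ByteArrayOutputStream();
        byte[] buf = new byte[4096];
        int n;
        while ((n = body.read(buf)) != -1) {
            // Enforce the cap on bytes actually read; Content-Length is client-supplied.
            if (out.size() + n > maxPerRequest) {
                return Optional.empty();
            }
            out.write(buf, 0, n);
        }
        // Reserve global budget atomically; roll back if the reservation overshoots.
        if (retained.addAndGet(out.size()) > maxTotal) {
            retained.addAndGet(-out.size());
            return Optional.empty();
        }
        return Optional.of(out.toByteArray());
    }

    /** Call when the saved request is replayed or its session expires. */
    public void release(byte[] saved) {
        retained.addAndGet(-saved.length);
    }

    public static void main(String[] args) throws IOException {
        BoundedBodyStore store = new BoundedBodyStore(8, 12); // constructed, tiny limits for the demo
        System.out.println(store.capture(new ByteArrayInputStream(new byte[6])).isPresent()); // 6 bytes, within both limits
        System.out.println(store.capture(new ByteArrayInputStream(new byte[9])).isPresent()); // 9 bytes, over the per-request cap
        System.out.println(store.capture(new ByteArrayInputStream(new byte[8])).isPresent()); // 6 + 8 bytes, over the global budget
    }
}
```

When `capture` returns empty, the application can fall back to the behaviour described in the thread, where parameters and headers are retained but the body is not.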


            People

            • Assignee:
              Luke Taylor
              Reporter:
              Mark Curtis
            • Votes:
              0
              Watchers:
              0
