Reject GET method on j_security_check

Is there a way to allow POST requests for j_security_check? I want to reject the GET. I use form-based security and want to allow only messages in j_security_check. If the login request is through a GET, the request must be rejected.

+3

4 answers

Trying to do the same on a JBoss server (Tomcat) because of JAAS security issues with GET methods, I tried several approaches.

  • Using a web.xml security constraint on the URL pattern /j_security_check to allow only POST - this does not work for the JAAS mechanism the way it does for regular servlets.

  • , , GET, j_security_check. - .

  • , POST j_security_check. , JAAS - .

  • , JAAS.

:

// Runs inside a servlet Filter's doFilter(request, response, chain)
HttpServletRequest req = (HttpServletRequest) request;
if (req.getMethod().equals("GET")) {
    // Log the attempt (never the submitted credentials), send the user back
    // to the login page and abort processing of the login request
    log.warn("Someone is trying to use a GET method to login!!");
    request.getRequestDispatcher("/login.jsp").forward(req, response);
    throw new ServletException("Using a GET method on security check!");
}

.

+10

, GET. web.xml http. xml , , POST. j_security post.

<security-constraint>
  <display-name>Your security constraint</display-name>
  <web-resource-collection>
     <web-resource-name>Your resource name</web-resource-name>
     <url-pattern>/The URL pattern</url-pattern>
     <http-method>POST</http-method>
  </web-resource-collection>
</security-constraint>
+1

.

j_security .

, , ( , )

GET, , . , POST- myaccount ( ), , HTTP- , GET .

, POST, GET .

0

, :

  • , POST, j_security_check -/loadbalancer, nginx/apache

. Apache 2.4 :

<LocationMatch ".*j_security_check">
    AllowMethods POST
</LocationMatch>
0
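As an added example that is not part of any answer above: a check a defender can run over Apache/Tomcat combined-format access logs (an assumed layout; the sample lines below are constructed) to find logins that went through GET, whose j_username and j_password values would otherwise sit in plain text in those same logs. The report redacts the credential parameters so it does not re-leak them.

```python
import re
from urllib.parse import urlsplit, parse_qsl, urlencode

# Apache/Tomcat "combined" access log layout (assumption: this format).
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<target>\S+) HTTP/[\d.]+" (?P<status>\d{3})'
)
# Parameter names the form-based login mechanism reads.
CREDENTIAL_PARAMS = {"j_username", "j_password"}


def redact_target(target):
    """Replace credential parameter values so the report never repeats them."""
    parts = urlsplit(target)
    if not parts.query:
        return target
    pairs = [(k, "REDACTED" if k in CREDENTIAL_PARAMS else v)
             for k, v in parse_qsl(parts.query, keep_blank_values=True)]
    return parts.path + "?" + urlencode(pairs)


def find_get_logins(lines):
    """Return one finding per GET request to a j_security_check path."""
    findings = []
    for line in lines:
        m = LOG_RE.match(line)
        if not m or m.group("method") != "GET":
            continue
        parts = urlsplit(m.group("target"))
        if not parts.path.endswith("/j_security_check"):
            continue
        keys = {k for k, _ in parse_qsl(parts.query, keep_blank_values=True)}
        findings.append({
            "ip": m.group("ip"),
            "time": m.group("ts"),
            "status": int(m.group("status")),
            "credentials_in_query": bool(keys & CREDENTIAL_PARAMS),
            "target": redact_target(m.group("target")),
        })
    return findings


# Constructed sample lines, not real traffic.
SAMPLE_LOG = [
    '10.0.0.5 - - [10/Oct/2023:13:55:36 +0000] "POST /app/j_security_check HTTP/1.1" 302 0 "-" "Mozilla/5.0"',
    '10.0.0.7 - - [10/Oct/2023:13:56:01 +0000] "GET /app/j_security_check?j_username=alice&j_password=hunter2 HTTP/1.1" 302 0 "-" "curl/8.0"',
    '10.0.0.9 - - [10/Oct/2023:13:57:12 +0000] "GET /app/login.jsp HTTP/1.1" 200 1234 "-" "Mozilla/5.0"',
    '10.0.0.7 - - [10/Oct/2023:13:58:40 +0000] "GET /app/j_security_check HTTP/1.1" 405 0 "-" "curl/8.0"',
]

if __name__ == "__main__":
    for finding in find_get_logins(SAMPLE_LOG):
        print(finding)
```

A 405 on the last sample line is what the Apache AllowMethods rule above produces once it is in place; the 302 with credentials in the query is the case the rule is meant to stop.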

Source: https://habr.com/ru/post/1756042/