RE: HttpServletRequest.getParameter() inside a valve

2010-03-05 Thread PAROLINI Antonio
Hey, thanks for your analysis. I guess the only way out of this is to prevent the use of getParameter() in case of an HTTP POST. This may be OK for us, as our secuId is sent using the query string, thus HTTP GET. I've seen a place where request.getParameter() is used thus: in FormAuthenticator.

Re: HttpServletRequest.getParameter() inside a valve

2010-03-04 Thread Christopher Schultz
Antonio, On 3/4/2010 10:58 AM, PAROLINI Antonio wrote: We are using a custom valve that scans the request parameters (POST and GET). If it finds a parameter called secuId with a valid value, it sets the session principals (a kind of SSO). When

Re: HttpServletRequest.getParameter() inside a valve

2010-03-04 Thread Rainer Frey
On Thursday 04 March 2010 17:41:17 Christopher Schultz wrote:
It does: calling request.getParameter will consume the request body if the following are true:
1. The protocol is HTTP or HTTPS
2. The method is POST
3. The Content-Type is application/x-www-form-urlencoded
[4. A call to