Hi all,

This might open up a security hole - I'm not sure. Anyone please comment if you have information one way or the other.
This sounds like a duplicate of SHIRO-22 [1]

Peter, could you please confirm?

The reason SHIRO-22 is not yet implemented is because I don't think we came to a consensus on its implications. That is, is this a smart thing to do? It sounds like it could be a potential security risk to me - what if the post represents a credit card submission?

Would a potentially better solution be to translate a saved POST request to a newly constructed GET request that has all the request parameters set? This way a form could be shown again pre-populated so the user can choose to submit themselves?

Thoughts?

- Les

[1] https://issues.apache.org/jira/browse/SHIRO-22

On Wed, Jan 27, 2010 at 3:33 AM, Peter Ledbrook (JIRA) <[email protected]> wrote:
> Handle POST requests for unauthenticated users
> ----------------------------------------------
>
>                 Key: SHIRO-132
>                 URL: https://issues.apache.org/jira/browse/SHIRO-132
>             Project: Shiro
>          Issue Type: Improvement
>          Components: Authentication (log-in)
>    Affects Versions: Incubation
>            Reporter: Peter Ledbrook
>             Fix For: 1.0
>
>
> We currently have a SavedRequest class that can handle GETs that need to be
> redirected to the login page. It doesn't work for POSTs though.
>
> I have developed a solution for the Grails Shiro Plugin that could serve as
> the basis for a more generic Shiro implementation:
>
> http://fisheye.codehaus.org/changelog/grails-plugins/grails-shiro/trunk?cs=58931
>
> The idea is to save the POST information, redirect to the login page, and
> then after a successful login, redirect back to the originally requested URL.
> The GET request is then replaced with the saved POST request.
>
> --
> This message is automatically generated by JIRA.
> -
> You can reply to this email to add a comment to the issue online.
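The alternative Les describes above (store the POST's parameters, send the user to login, then rebuild the original URL as a GET so the form is shown again pre-populated and the user submits it themselves, instead of auto-replaying the POST) sketched as an added servlet-filter example. This is neither Shiro's SavedRequest nor the Grails plugin change linked in the issue; the filter class, the session attribute name, the login path, the `authenticated` session flag standing in for a real subject check, and the list of sensitive field names are all assumptions. The deny-list is the part that answers the credit-card concern: fields on it are never written to the session and never end up in a redirect URL (and so never in access logs or Referer headers).

```java
import java.io.IOException;
import java.net.URLEncoder;
import java.nio.charset.StandardCharsets;
import java.util.LinkedHashMap;
import java.util.Map;
import java.util.Set;
import java.util.StringJoiner;

import javax.servlet.Filter;
import javax.servlet.FilterChain;
import javax.servlet.FilterConfig;
import javax.servlet.ServletException;
import javax.servlet.ServletRequest;
import javax.servlet.ServletResponse;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;
import javax.servlet.http.HttpSession;

/**
 * Hypothetical filter (not Shiro's SavedRequest): an unauthenticated POST is
 * saved with its non-sensitive parameters, the user is redirected to login,
 * and after login the saved request is re-issued as a GET that pre-populates
 * the form rather than replaying the POST on the user's behalf.
 */
public class SavedPostFilter implements Filter {
    static final String SAVED_KEY = "savedPostRequest";   // session attribute name (assumed)
    static final String LOGIN_PATH = "/login";             // login page path (assumed)
    // Field names that are never persisted in the session or echoed into a URL (assumed list).
    static final Set<String> SENSITIVE = Set.of("password", "cardNumber", "cvv");

    /** What gets saved: the target path and its filtered parameters. */
    static final class SavedPost {
        final String path;
        final Map<String, String[]> params;
        SavedPost(String path, Map<String, String[]> params) { this.path = path; this.params = params; }
    }

    @Override public void init(FilterConfig cfg) { }
    @Override public void destroy() { }

    @Override
    public void doFilter(ServletRequest req, ServletResponse res, FilterChain chain)
            throws IOException, ServletException {
        HttpServletRequest request = (HttpServletRequest) req;
        HttpServletResponse response = (HttpServletResponse) res;
        if (!isAuthenticated(request) && "POST".equalsIgnoreCase(request.getMethod())) {
            request.getSession(true).setAttribute(SAVED_KEY, save(request));
            response.sendRedirect(response.encodeRedirectURL(request.getContextPath() + LOGIN_PATH));
            return;
        }
        chain.doFilter(req, res);
    }

    // Stand-in for a real subject check; a Shiro deployment would consult SecurityUtils.getSubject().
    boolean isAuthenticated(HttpServletRequest request) {
        HttpSession session = request.getSession(false);
        return session != null && session.getAttribute("authenticated") != null;
    }

    /** Copy the request path and parameters, dropping every field on the deny-list. */
    static SavedPost save(HttpServletRequest request) {
        Map<String, String[]> filtered = new LinkedHashMap<>();
        for (Map.Entry<String, String[]> e : request.getParameterMap().entrySet()) {
            if (!SENSITIVE.contains(e.getKey())) {
                filtered.put(e.getKey(), e.getValue());
            }
        }
        return new SavedPost(request.getRequestURI(), filtered);
    }

    /**
     * Called by the login success handler: returns the GET URL that re-shows the
     * original form with the saved values, or null when nothing was saved.
     * The saved entry is removed so it cannot be reused by a later login.
     */
    static String redirectTargetAfterLogin(HttpSession session) {
        SavedPost saved = (SavedPost) session.getAttribute(SAVED_KEY);
        if (saved == null) {
            return null;
        }
        session.removeAttribute(SAVED_KEY);
        StringJoiner query = new StringJoiner("&");
        for (Map.Entry<String, String[]> e : saved.params.entrySet()) {
            for (String v : e.getValue()) {
                query.add(URLEncoder.encode(e.getKey(), StandardCharsets.UTF_8)
                        + "=" + URLEncoder.encode(v, StandardCharsets.UTF_8));
            }
        }
        return query.length() == 0 ? saved.path : saved.path + "?" + query;
    }
}
```

Whatever login handler the application uses would call `redirectTargetAfterLogin(session)` once the subject is authenticated and `sendRedirect` to the result; the target form then reads its initial values from the query string. Because the user still has to press submit, a forged or stale POST captured before login is never executed automatically, and the single-use removal of the session entry means the saved data does not outlive the login that consumed it.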
