Reject GET Method on j_security_check

Is there a way to only allow POST requests to j_security_check? I want to reject GETs. I am using Form Based security and want to only allow POSTs to j_security_check. If a login request is made via a GET, the request should be rejected.


I have been trying to do the same on a JBoss (Tomcat) server, due to security concerns about JAAS accepting GET methods, and I attempted various ways.

  1. Using a web.xml security constraint on the url pattern /j_security_check to only use POST - This doesn't work for the JAAS mechanism as it would for normal servlets.

  2. Passing login details from the login page to an intermediate servlet which checked the request method and, if not a GET, forwarded on to j_security_check - This didn't work and was over complicated.

  3. Creating a Filter that would check the request method and only invoke on a POST message to j_security_check - This didn't work as JAAS is deeper in the web container and is called before the filter mechanism.

  4. Creating a Valve, which DOES get called before the JAAS.

By adding the following in the invoke method:

// Inside the Valve's invoke(Request request, Response response) method.
// Tomcat's Request/Response implement the servlet interfaces, so the cast is safe.
HttpServletRequest req = (HttpServletRequest) request;
if (req.getMethod().equals("GET")) {
    // Note: do not log the query string here, a GET login carries the credentials in it.
    log.warn("Someone is trying to use a GET method to login!!");
    request.getRequestDispatcher("/login.jsp").forward(req, response);
    throw new ServletException("Using a GET method on security check!");
}
// Remainder of invoke: hand every other request on to the next Valve (and the authenticator).
getNext().invoke(request, response);

This does work.
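As an added illustration of the Valve approach (this is example code, not the answerer's Valve): a complete Tomcat Valve that answers any non-POST request for the form-login handler with 405 and never lets it reach the authenticator. The class name, the logger, and the `securityCheckPath` property are assumptions; the Valve is registered with a `<Valve className="..."/>` element in the web application's context.xml.

```java
import java.io.IOException;

import javax.servlet.ServletException;
import javax.servlet.http.HttpServletResponse;

import org.apache.catalina.connector.Request;
import org.apache.catalina.connector.Response;
import org.apache.catalina.valves.ValveBase;
import org.apache.juli.logging.Log;
import org.apache.juli.logging.LogFactory;

/**
 * Example Valve (assumed class name): rejects everything but POST on the
 * container's form-login handler before the authenticator sees the request.
 */
public class PostOnlySecurityCheckValve extends ValveBase {

    private static final Log log = LogFactory.getLog(PostOnlySecurityCheckValve.class);

    // Path of the form-login handler; can be overridden from the Valve element
    // in context.xml because Tomcat sets bean properties from its attributes.
    private String securityCheckPath = "/j_security_check";

    public String getSecurityCheckPath() {
        return securityCheckPath;
    }

    public void setSecurityCheckPath(String securityCheckPath) {
        this.securityCheckPath = securityCheckPath;
    }

    @Override
    public void invoke(Request request, Response response) throws IOException, ServletException {
        // Strip path parameters (e.g. ";jsessionid=...") so they cannot hide the target.
        String path = request.getRequestURI();
        int semi = path.indexOf(';');
        if (semi >= 0) {
            path = path.substring(0, semi);
        }

        if (path.endsWith(securityCheckPath) && !"POST".equals(request.getMethod())) {
            // Log method, path and client only: the query string of a GET login
            // would contain j_username and j_password and must not end up in logs.
            log.warn("Rejected " + request.getMethod() + " to " + path
                    + " from " + request.getRemoteAddr());
            response.setHeader("Allow", "POST");
            response.sendError(HttpServletResponse.SC_METHOD_NOT_ALLOWED);
            return; // do not call the next Valve: the authenticator never runs for this request
        }

        // Every other request continues down the pipeline as usual.
        getNext().invoke(request, response);
    }
}
```

Compared with forwarding to the login page and then throwing, returning a 405 with an `Allow: POST` header is the HTTP-correct answer and keeps the error out of the container's exception log; the `return` is what actually stops the request before the FormAuthenticator.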


Yes, you can reject the GET request. In the web.xml file, in the security-constraint section, you can specify the HTTP methods allowed. In the following XML the only method allowed for this security constraint is the POST method. j_security_check will only allow the POST method.

<security-constraint>
  <display-name>Your security constraint</display-name>
  <web-resource-collection>
    <web-resource-name>Your resource name</web-resource-name>
    <url-pattern>/The URL pattern</url-pattern>
    <!-- Only POST is covered by this constraint -->
    <http-method>POST</http-method>
  </web-resource-collection>
</security-constraint>


You would need to rephrase your question.

j_security_check is typically used in the login page.

If you request a secured resource and you were not authenticated, you are automatically redirected to the login page (assuming the app is configured to use Form Based security).

If your resource should not be challenged for GET requests, follow what Doug has mentioned. For example, if you want to secure POST calls to myaccount (the pattern for a Servlet), then you would be redirected to the login page only when an HTTP POST is made, while the GET request would be accepted even without user authentication.

The implication is that you want to allow authenticated users access to POST requests while GET requests are permitted to everyone.


An alternative approach I am considering to implement:

  • Blocking all but POST requests to j_security_check in a reverse-proxy/loadbalancer like nginx/apache

E.g. on Apache 2.4 this works:

<LocationMatch ".*j_security_check">
    AllowMethods POST
</LocationMatch>

  • If I needed more customization, I could reimplement j_security_check with my own servlet using HttpServletRequest.login(...)
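The second bullet, carried through as an added example (this is illustration code, not part of the answer): a Servlet 3.0+ login servlet that replaces j_security_check, authenticates through `HttpServletRequest.login(...)` against the container's configured realm, and answers GET with 405 so credentials can never be submitted in a URL. The servlet path, the parameter names `username`/`password`, the `/login.jsp` error page and the post-login redirect target are assumptions.

```java
import java.io.IOException;

import javax.servlet.ServletException;
import javax.servlet.annotation.WebServlet;
import javax.servlet.http.HttpServlet;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;

/**
 * Example replacement for j_security_check (assumed path "/login").
 * Only POST performs authentication; GET is refused outright.
 */
@WebServlet("/login")
public class PostOnlyLoginServlet extends HttpServlet {

    // Assumed locations; adjust to the application's own pages.
    private static final String ERROR_PAGE = "/login.jsp?error=1";
    private static final String HOME_PAGE = "/";

    // A GET login would put the password into the URL, browser history and access logs,
    // so it is answered with 405 Method Not Allowed and an Allow header.
    @Override
    protected void doGet(HttpServletRequest req, HttpServletResponse resp) throws IOException {
        resp.setHeader("Allow", "POST");
        resp.sendError(HttpServletResponse.SC_METHOD_NOT_ALLOWED);
    }

    @Override
    protected void doPost(HttpServletRequest req, HttpServletResponse resp)
            throws ServletException, IOException {
        String username = req.getParameter("username");
        String password = req.getParameter("password");
        if (username == null || password == null || username.isEmpty()) {
            resp.sendError(HttpServletResponse.SC_BAD_REQUEST);
            return;
        }

        try {
            // Delegates to the same realm the container would use for j_security_check.
            // Throws ServletException on bad credentials or if a user is already logged in.
            req.login(username, password);
        } catch (ServletException e) {
            // One generic failure path: do not reveal whether the user or the password was wrong.
            resp.sendRedirect(req.getContextPath() + ERROR_PAGE);
            return;
        }

        // Issue a fresh session id after authentication (Servlet 3.1) to defeat session fixation,
        // which the container's own FORM login would otherwise do for you.
        req.changeSessionId();
        resp.sendRedirect(req.getContextPath() + HOME_PAGE);
    }
}
```

Two things the container's j_security_check did for you that this servlet must now handle itself: the "return to the originally requested page" behaviour (it redirects to a fixed page here), and the session id rotation, which is why `changeSessionId()` is called explicitly. The security constraints protecting the application's resources stay in web.xml unchanged; only the login endpoint moves.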