Logo Questions Linux Laravel Mysql Ubuntu Git Menu
HTML CSS JAVASCRIPT SQL PYTHON PHP BOOTSTRAP JAVA JQUERY R React Kotlin
 

Reject GET Method on j_security_check

Tags:

java

security

jakarta-ee

websphere

weblogic

Is there a way to only allow POST requests to j_security_check? I want to reject GETs. I am using Form Based security and want to only allow Posts to j_security_check. If a login request is made via a GET, the request should be rejected.

like image 470
Shelby Avatar asked Oct 17 '25 19:10

Shelby

2 Answers

Having been trying to do the same on a JBOSS(Tomcat) server due to security concerns of JAAS using GET methods I attempted various ways.

  1. Using a web.xml security constraint on the url pattern /j_security_check to only use POST - This doesn't work for JAAS mechanism as it would for normal servlets.

  2. Passing login details from the login page to an intermediate servlet which checked the request method and if not a GET then forwarding on to j_security_check. - This did'nt work and was over complicated.

  3. Creating a Filter that would check the request method and only invoke on a POST message to j_security_check - This didn't work as JAAS is deeper in web container and is called before the filter mechanism.

  4. Creating a Valve, which DOES get called before the JAAS.

By adding the following in the invoke method: 

HttpServletRequest req = (HttpServletRequest) request;
if (req.getMethod().equals("GET")) {
 log.warn("Someone is trying to use a GET method to login!!");                       
 request.getRequestDispatcher("/login.jsp").forward(req, response);
 throw new ServletException("Using a GET method on security check!");
}

This does work.

like image 132
Newt Avatar answered Oct 20 '25 08:10

Newt

Yes you can reject the GET request. In the web.xml file in the security constraint section you can specifiy the http methods allowed. In the following xml the only method allowed for this security constraint is the POST method. j_security check will only allow the post method.

<security-constraint>
  <display-name>Your security constraint</display-name>
  <web-resource-collection>
     <web-resource-name>Your resource name</web-resource-name>
     <url-pattern>/The URL pattern</url-pattern>
     <http-method>POST</http-method>
  <web-resource-collection>
<security-constraint>
like image 38
Doug Avatar answered Oct 20 '25 09:10

Doug
Sign in to Comment

Related questions

How to reference static variables using EL 3.0?
How do I Get memberOf attribute from ldap DirContextOperations
I think I have come up with the worst way to compare two dates; is it possible to make it better?
Sorting a hand of poker
Creating a ConcurrentHashMap that supports "snapshots"
JAVA. Using reflection for deep copy object
How do I check if a given hour and minute (int's) falls within or is equal to any range within a given set of ranges of times?
possibly lossy conversion from int to byte
Count the semiprime numbers in the given range [a..b]
Spring Security - BcryptPasswordEncoder
Quick way of creating a random subset of an array using IntStream
incompatible types: java.lang.Object cannot be converted to java.lang.String?
Measuring Performance of a java algorithm
Has CompletableFuture.allOf() any advantage over a loop with CompletableFuture.join() when just waiting for completion?
Testcontainers DockerComposeContainer withEnv
Get a subset of LinkedHashMap and preserve the order

Donate For Us

If you love us? You can donate to us via Paypal or buy me a coffee so we can maintain and grow! Thank you!