3 Replies Latest reply on Mar 1, 2013 4:41 PM by anil.saldhana

    SPFilter checking principal in non POST methods only

    vladimiralbis

      Hello and many thanks for your answers.
      I have configured a JSF application as SP-standalone using SPFilter. After a successful login at the IDP and granting access, I noticed that when performing a POST in the SP it is being redirected to the IDP with a SAML request (the user is already authenticated). After checking SPFilter I see that if it's not a POST method it first checks "if we are already authenticated", and if this is true filterChain performs a doFilter (without redirecting to the IDP). But in POST methods there is no check "if we are already authenticated".
      Is this correct? Does this mean that I cannot perform a POST method within the SP (submitting a form) without being redirected to the IDP?

        • 1. Re: SPFilter checking principal in non POST methods only
          anil.saldhana

          I thought for the standalone mode, we only supported the SAML2 HTTP/POST binding.  I need to check what the problem here may be.

          • 2. Re: SPFilter checking principal in non POST methods only
            jorisva

            The problem is that the SPFilter always intercepts and redirects every POST request to the SP web application. The following code from SPFilter shows that a logged-on user is only checked for GET requests to the SP web application. I think this check should also be done for POST methods. Thus, if a user is authenticated via SAML, there is no additional redirect to the SP.

                  if (!postMethod && !logOutRequest)
                  {
                     //Check if we are already authenticated
                     if (userPrincipal != null)
                     {
                        filterChain.doFilter(servletRequest, servletResponse);
                        return;
                     }
                  } // POST requests never reach the principal check above

            In other words, every POST request in my web application (for example, filling in a web form and submitting the request) redirects to the IDP, authenticates again (with the IDP cookie), a SAML POST is performed again and the web form submit data is gone. Is there another way to support this case? That is, performing a POST in SP servlets using the SPFilter?

            Many thanks in advance!
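            The behaviour described above and the proposed fix, as an added example: an illustrative servlet filter, not PicketLink's SPFilter. With the flag set to true the principal check is skipped on POST (the reported behaviour); with it false an authenticated session passes POSTs through. The session attribute name, the IDP URL and the "logout" parameter are assumptions; a POST carrying SAMLResponse is still left to SAML processing so the IDP's reply is never short-circuited.

```java
import java.io.IOException;
import javax.servlet.*;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;
import javax.servlet.http.HttpSession;

// Illustrative SP filter, not PicketLink's SPFilter. PRINCIPAL_ATTR, IDP_URL
// and the "logout" parameter are assumptions made for this example.
public class SpPrincipalFilter implements Filter {
    static final String PRINCIPAL_ATTR = "sp.principal";          // assumed session key
    static final String IDP_URL = "https://idp.example.test/sso";  // placeholder
    // true reproduces the quoted behaviour (principal check skipped on POST);
    // false applies the check to POST as well, which is the fix asked for above.
    private final boolean skipPrincipalCheckOnPost;

    public SpPrincipalFilter(boolean skipPrincipalCheckOnPost) {
        this.skipPrincipalCheckOnPost = skipPrincipalCheckOnPost;
    }

    public void init(FilterConfig config) {}
    public void destroy() {}

    public void doFilter(ServletRequest req, ServletResponse resp, FilterChain chain)
            throws IOException, ServletException {
        HttpServletRequest request = (HttpServletRequest) req;
        HttpServletResponse response = (HttpServletResponse) resp;
        HttpSession session = request.getSession(false);
        Object userPrincipal = session == null ? null : session.getAttribute(PRINCIPAL_ATTR);

        boolean postMethod = "POST".equalsIgnoreCase(request.getMethod());
        boolean logOutRequest = request.getParameter("logout") != null;
        // A POST carrying SAMLResponse is the IDP's reply to the SP and must reach
        // the SAML processing; it must never be short-circuited by this check.
        boolean samlResponse = request.getParameter("SAMLResponse") != null;

        boolean checkPrincipal = !logOutRequest && !samlResponse
                && (!postMethod || !skipPrincipalCheckOnPost);
        if (checkPrincipal && userPrincipal != null) {
            chain.doFilter(request, response);   // already authenticated: pass through
            return;
        }
        if (logOutRequest || samlResponse) {
            chain.doFilter(request, response);   // SAML logout/response handling: not modelled
            return;
        }
        // Unauthenticated, or an authenticated POST while the check is skipped:
        // the browser is sent to the IDP and the submitted form data is lost.
        response.sendRedirect(IDP_URL);
    }
}
```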

            • 3. Re: SPFilter checking principal in non POST methods only
              anil.saldhana