Hey,
Thanks for your analyse.
I guess the only way out of this is to prevent the use of getparameter() in
case of a HTTP post. This may be ok for us, as our secuId is sent using the
querystring, thus HTTP GET.
I've seen a place where request.getParameter() is used thus: in
FormAuthenticator.
On Thursday 04 March 2010 17:41:17 Christopher Schultz wrote:
> It does: calling request.getParameter will consume the request body if
> the following are true:
>
> 1. The protocol is HTTP or HTTPS
> 2. The method is POST
> 3. The Content-Type is application/x-www-form-urlencoded
> [4. A call to r
-BEGIN PGP SIGNED MESSAGE-
Hash: SHA1
Antonio,
On 3/4/2010 10:58 AM, PAROLINI Antonio wrote:
> We are using a custom valve that scan the request parameters (POST
> AND GET) . If it find a parameter called "secuId" with a valide value
> , it set the session principals ( a kind of SSO).When
Hello,
We are using a custom valve that scan the request parameters (POST AND GET) .
If it find a parameter called "secuId" with a valide value , it set the session
principals ( a kind of SSO).When this work most of the times, we have somes
cases where calling the HttpServletRequest .getParamet
