Is there a way to only allow POST requests to j_security_check? I want to reject GETs.

A: 

Yes, you can reject the GET request. In the web.xml file, in the security constraint section, you can specify the HTTP methods allowed. In the following XML, the only method allowed for this security constraint is the POST method. j_security_check will only allow the POST method.

<security-constraint>
  <display-name>Your security constraint</display-name>
  <web-resource-collection>
     <web-resource-name>Your resource name</web-resource-name>
     <url-pattern>/The URL pattern</url-pattern>
     <http-method>POST</http-method>
  </web-resource-collection>
</security-constraint>
Doug
A: 

Hi,

You would need to rephrase your question.

j_security_check is typically used in the login page.

If you request a secured resource and you were not authenticated, you are automatically redirected to the login page (assuming the app is configured to use Form Based security).

If your resource should not be challenged for GET requests, follow what Doug has mentioned. For example, if you want to secure POST calls to myaccount (the pattern for a Servlet), then you would be redirected to the login page only when an HTTP POST is made, while the GET request would be accepted even without user authentication.

The implication is you want to allow authenticated users access to POST requests while GET requests are permitted to everyone.

HTH Manglu

Manglu
A: 

I am using Form Based security and want to only allow POSTs to j_security_check. If a login request is made via a GET, the request should be rejected.

Shelby
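
The two readings of `<http-method>` discussed in this thread, side by side, as an added example that is not from any of the posters. Under the Servlet 3.0 deployment descriptor, a constraint that lists a method covers only that method, while `<http-method-omission>` together with an empty `<auth-constraint/>` denies everything except the omitted method. Assumptions: the role name `user`, the exact-match patterns `/myaccount` and `/j_security_check`, and that the container evaluates security constraints for the login action URL, which is container-specific.

```xml
<web-app xmlns="http://java.sun.com/xml/ns/javaee" version="3.0">

  <!-- Constraint A: lists only POST, so it covers POST alone.
       POST to /myaccount requires the (assumed) role "user";
       GET, HEAD, PUT, ... on the same pattern stay unconstrained. -->
  <security-constraint>
    <display-name>Authenticated POST</display-name>
    <web-resource-collection>
      <web-resource-name>Account (POST only)</web-resource-name>
      <url-pattern>/myaccount</url-pattern>
      <http-method>POST</http-method>
    </web-resource-collection>
    <auth-constraint>
      <role-name>user</role-name>
    </auth-constraint>
  </security-constraint>

  <!-- Constraint B: covers every method except POST.
       The empty auth-constraint names no role, so no caller is
       permitted and the covered methods are denied outright. -->
  <security-constraint>
    <display-name>Deny non-POST login</display-name>
    <web-resource-collection>
      <web-resource-name>Login action (all but POST)</web-resource-name>
      <url-pattern>/j_security_check</url-pattern>
      <http-method-omission>POST</http-method-omission>
    </web-resource-collection>
    <auth-constraint/>
  </security-constraint>

  <!-- The role referenced by constraint A must be declared. -->
  <security-role>
    <role-name>user</role-name>
  </security-role>

</web-app>
```

Check the result on the target container by sending a GET to the login action in a test deployment and confirming it is refused; if the container handles `j_security_check` before constraints are evaluated, constraint B will have no effect there.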