SAML, Zuul & Blocking POST Requests

 
Simon Ritchie
Ranch Hand
Hi folks,

There are a couple of URLs of a web service application my team supports that are sending back HTTP 200 responses to HTTP POST requests made to the URLs. If I wanted to block everything but an HTTP GET request to a URL, what would be the best way to do it? Our application uses Zuul filtering but I tried implementing a filter class and it didn't solve the problem because our application uses Spring SAML for access and authorisation. When I stepped through the code I saw that any POST request made to a URL went through SAML before reaching any of the Zuul filter code. The SAML code seems to be what's sending back HTTP 200 in response.

Any help is appreciated.
 
Pete Letkeman
Bartender
Two quick questions:
  • Which version of Spring Security are you using?
  • Have you tried to see the quick start solutions provided by Spring?
       - Maybe with some changes you could get that to work on a separate project

    Pete Letkeman
    Bartender
    This posting on StackOverflow.com may have a solution that works for you
    https://stackoverflow.com/questions/30366405/how-to-disable-spring-security-for-particular-url.

    I quickly looked at the sample quickstart project provided by Spring and in their securityContext.xml file they have the following lines (among many others):

    Maybe you can do the same thing for the URL that you don't want secured?
     
    Simon Ritchie
    Ranch Hand

    Pete Letkeman wrote: Two quick questions:

  • Which version of Spring Security are you using?
  • Have you tried to see the quick start solutions provided by Spring?
       - Maybe with some changes you could get that to work on a separate project


    Thanks for the replies, Pete.

    We're currently using Spring Boot 1.5 for security and I looked at a couple of the quick start solutions.  We do have code that grants access to resources to certain users so there might be a solution I can incorporate there.  The problem is that piece of code controls access to the whole application so I'm reluctant to make any changes at such a sensitive point, if it can be avoided.

    Pete Letkeman wrote: This posting on StackOverflow.com may have a solution that works for you
    https://stackoverflow.com/questions/30366405/how-to-disable-spring-security-for-particular-url.

    I quickly looked at the sample quickstart project provided by Spring and in their securityContext.xml file they have the following lines (among many others):

    ...

    Maybe you can do the same thing for the URL that you don't want secured?



    It's not that I don't want the URL secured, it's more that I only want it to respond to GET requests.  Anything else (POST, PUSH) should send back a 403 or a 404.  Sorry if I didn't explain the problem clearly enough.
     
    Pete Letkeman
    Bartender
    I've only really started with Spring Boot 2, but could this not be handled with the mapping of the request in the application?
    I'm thinking that @RequestMapping, @GetMapping and @PostMapping as shown in this example https://spring.io/guides/tutorials/bookmarks/#_building_a_rest_service may help out.
     
    Simon Ritchie
    Ranch Hand
    Resurrecting this old problem as it's still something I've yet to resolve.

    I hope people here don't mind me posting something from another forum but the solution described here is pretty much what I'm looking to be able to do. The problem is that Java's ServletRequest class doesn't appear to have a method that tells you what kind of HTTP request has just been made (GET, POST, etc). I've tried downcasting the ServletRequest object to an HttpServletRequest and then I've used Postman to send a POST request to the URL that I'm filtering on but the HttpServletRequest seems to see the incoming method as a GET instead of a POST. Is there any way to determine what HTTP request has been made on a ServletRequest without downcasting? None of the available ServletRequest methods seem to have this information.
     
    Sheriff
    That's because HTTP methods are only available for HTTP servlets, not generic servlets. You will need to perform down-casting to get the method. However, this doesn't actually change the servlet request object. If it returns GET for the HTTP method, then that's how it's recognised by the servlet container. The HTTP method doesn't get set just because of the down-cast.
     
    Simon Ritchie
    Ranch Hand
    Yeah, I found out that the reason it was interpreting my POST as a GET was because the request wasn't coming in with a "/" appended.  You were right about the down casting, thanks.
     
    Al Hobbs
    Ranch Hand
    Can't you just use antmatcher, antmatchers in the webconfiguration?
     
    Simon Ritchie
    Ranch Hand
    Unfortunately not as there is filtering taking place (a requirement) before the antmatcher configuration stuff is engaged.
     
    Al Hobbs
    Ranch Hand
    Well, could you just add another filter?
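
A sketch of the extra filter the thread ends on, as an added example that is not code from any poster: a servlet filter that down-casts to read the HTTP method and answers 403 to anything but GET, registered ahead of the other filters so the request is refused before the SAML code handles it. `GetOnlyFilterConfig`, `GetOnlyFilter` and the `/reports` path are hypothetical names; it assumes Spring Boot 1.5 (`javax.servlet`, the non-generic `FilterRegistrationBean`) and that the Spring Security chain is registered with a lower precedence than `Ordered.HIGHEST_PRECEDENCE`.

```java
import java.io.IOException;
import javax.servlet.Filter;
import javax.servlet.FilterChain;
import javax.servlet.FilterConfig;
import javax.servlet.ServletException;
import javax.servlet.ServletRequest;
import javax.servlet.ServletResponse;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;
import org.springframework.boot.web.servlet.FilterRegistrationBean;
import org.springframework.context.annotation.Bean;
import org.springframework.context.annotation.Configuration;
import org.springframework.core.Ordered;

@Configuration
public class GetOnlyFilterConfig {
    @Bean
    public FilterRegistrationBean getOnlyFilterRegistration() {
        FilterRegistrationBean reg = new FilterRegistrationBean(new GetOnlyFilter());
        // Hypothetical path; "/reports/*" also matches "/reports" and "/reports/".
        reg.addUrlPatterns("/reports/*");
        // Assumption: this places the filter ahead of the security filter chain.
        reg.setOrder(Ordered.HIGHEST_PRECEDENCE);
        return reg;
    }

    /** Rejects anything but GET on the URLs this filter is mapped to. */
    static class GetOnlyFilter implements Filter {
        @Override
        public void init(FilterConfig filterConfig) { }

        @Override
        public void doFilter(ServletRequest req, ServletResponse res, FilterChain chain)
                throws IOException, ServletException {
            // getMethod() exists only on the HTTP subtype, hence the down-cast.
            if (req instanceof HttpServletRequest && res instanceof HttpServletResponse) {
                String method = ((HttpServletRequest) req).getMethod();
                if (!"GET".equals(method)) {
                    // setStatus, not sendError: no error-page dispatch is triggered.
                    ((HttpServletResponse) res).setStatus(HttpServletResponse.SC_FORBIDDEN);
                    return; // the request never reaches the later filters
                }
            }
            chain.doFilter(req, res);
        }
        @Override
        public void destroy() { }
    }
}
```

Mapping the filter by URL pattern leaves path matching to the servlet container, so the filter itself only has to compare the method.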
     