There are a couple of URLs of a web service application my team supports that are sending back HTTP 200 responses to HTTP POST requests made to the URLs. If I wanted to block everything but an HTTP GET request to a URL, what would be the best way to do it? Our application uses Zuul filtering but I tried implementing a filter class and it didn't solve the problem because our application uses Spring SAML for access and authorisation. When I stepped through the code I saw that any POST request made to a URL went through SAML before reaching any of the Zuul filter code. The SAML code seems to be what's sending back HTTP 200 in response.
Have you tried to see the quick start solutions provided by Spring?
- Maybe with some changes you could get that to work on a separate project
Thanks for the replies, Pete.
We're currently using Spring Boot 1.5 for security and I looked at a couple of the quick start solutions. We do have code that grants access to resources to certain users so there might be a solution I can incorporate there. The problem is that piece of code controls access to the whole application so I'm reluctant to make any changes at such a sensitive point, if it can be avoided.
I quickly looked at the sample quickstart project provided by Spring and in their securityContext.xml file they have the following lines (among many others):
Maybe you can do the same thing for the URL that you don't want secured?
It's not that I don't want the URL secured, it's more that I only want it to respond to GET requests. Anything else (POST, PUSH) should send back a 403 or a 404. Sorry if I didn't explain the problem clearly enough.
Resurrecting this old problem as it's still something I've yet to resolve.
I hope people here don't mind me posting something from another forum but the solution described here is pretty much what I'm looking to be able to do. The problem is that Java's ServletRequest class doesn't appear to have a method that tells you what kind of HTTP request has just been made (GET, POST, etc). I've tried downcasting the ServletRequest object to an HttpServletRequest and then I've used Postman to send a POST request to the URL that I'm filtering on but the HttpServletRequest seems to see the incoming method as a GET instead of a POST. Is there any way to determine what HTTP request has been made on a ServletRequest without downcasting? None of the available ServletRequest methods seem to have this information.
That's because HTTP methods are only available for HTTP servlets, not generic servlets. You will need to perform down-casting to get the method. However, this doesn't actually change the servlet request object. If it returns GET for the HTTP method, then that's how it's recognised by the servlet container. The HTTP method doesn't get set just because of the down-cast.
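A servlet filter along the lines discussed in this thread, as an added example that is not code from any of the posters: it downcasts to read the HTTP method and answers 403 to anything but GET on selected paths. The class name `GetOnlyFilter` and the two paths are hypothetical, and the `javax.servlet` API of the Spring Boot 1.5 era is assumed.

```java
import java.io.IOException;
import java.util.Arrays;
import java.util.HashSet;
import java.util.Set;
import javax.servlet.Filter;
import javax.servlet.FilterChain;
import javax.servlet.FilterConfig;
import javax.servlet.ServletException;
import javax.servlet.ServletRequest;
import javax.servlet.ServletResponse;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;

/** Rejects every HTTP method except GET on selected paths (hypothetical class name). */
public class GetOnlyFilter implements Filter {

    // Hypothetical paths; replace with the URLs that must answer GET only.
    private static final Set<String> GET_ONLY_PATHS =
            new HashSet<>(Arrays.asList("/api/report", "/api/status"));

    @Override
    public void init(FilterConfig filterConfig) { }

    @Override
    public void doFilter(ServletRequest req, ServletResponse res, FilterChain chain)
            throws IOException, ServletException {
        // The method is only exposed on the HTTP subtype, so the downcast is required.
        if (req instanceof HttpServletRequest && res instanceof HttpServletResponse) {
            HttpServletRequest request = (HttpServletRequest) req;
            // Container-decoded path without the query string, so that encoded
            // variants of a listed path are matched as well.
            String info = request.getPathInfo();
            String path = request.getServletPath() + (info == null ? "" : info);
            // Exact string comparison: HEAD, OPTIONS, POST, PUT etc. are all rejected.
            if (GET_ONLY_PATHS.contains(path) && !"GET".equals(request.getMethod())) {
                // Stop here: nothing further down the chain sees the request.
                ((HttpServletResponse) res).sendError(HttpServletResponse.SC_FORBIDDEN);
                return;
            }
        }
        chain.doFilter(req, res);
    }

    @Override
    public void destroy() { }
}
```

The filter only helps if it runs ahead of the Spring Security (SAML) filter chain, for example by mapping it before `springSecurityFilterChain` in `web.xml` or by registering it through a `FilterRegistrationBean` with its order set to `Ordered.HIGHEST_PRECEDENCE`; placed later, the SAML code answers the request first, as described in the opening post.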