Saturday, July 25, 2009

Wicket + Spring Security: do NOT post info to j_spring_security_check as part of the URL

This week, when working on the integration of Spring Security with Wicket, I was trying to understand the best approach to create a customized login page. Then I came across this Apache wiki page:

http://cwiki.apache.org/confluence/display/WICKET/Servlet+container+authentication

It suggests that you post the info as a Wicket form and, in the Wicket class, you validate the info and post it to j_spring_security_check. This looks very nice at first, but later I realized a major problem. It posts the username and password as part of the URL. Yes, it posts something like that:

j_spring_security?j_username=rodrigo&j_password=mypassword

What's wrong with that? If you have access log, this is the URL you are accessing, which shows up in the log files. I updated the Wiki page with this info and definitely did not follow this path.

It turned out that, after searching everything I found on the web, the solution was pretty straightforwad. I added a regular form to my LoginPage with action set to j_spring_security_check and do not intercept this request through Wicket. That simple, no validation or check in my Wicket code at all.

If you have any questions about this, don't hesitate to send me an email.
Post a Comment