
SAML, Zuul & Blocking POST Requests

 
Ranch Hand
Hi folks,

There are a couple of URLs of a web service application my team supports that are sending back HTTP 200 responses to HTTP POST requests made to the URLs.  If I wanted to block everything but a HTTP GET request to a URL, what would be the best way to do it?  Our application uses Zuul filtering but I tried implementing a filter class and it didn't solve the problem because our application uses Spring SAML for access and authorisation.  When I stepped through the code I saw that any POST request made to a URL went through SAML before reaching any of the Zuul filter code.  The SAML code seems to be what's sending back HTTP 200 in response.

Any help is appreciated.
 
Bartender
Two quick questions:
  • Which version of Spring Security are you using?
  • Have you tried to see the quick start solutions provided by Spring?
       - Maybe with some changes you could get that to work on a separate project
    Pete Letkeman
    This posting on StackOverflow.com may have a solution that works for you
    https://stackoverflow.com/questions/30366405/how-to-disable-spring-security-for-particular-url.

    I quickly looked at the sample quickstart project provided by Spring and in their securityContext.xml file they have the following lines (among many others):

    Maybe you can do the same thing for the URL that you don't want secured?
     
    Simon Ritchie

    Pete Letkeman wrote:
    Two quick questions:
      • Which version of Spring Security are you using?
      • Have you tried to see the quick start solutions provided by Spring?
           - Maybe with some changes you could get that to work on a separate project

    Thanks for the replies, Pete.

    We're currently using Spring Boot 1.5 for security and I looked at a couple of the quick start solutions.  We do have code that grants access to resources to certain users so there might be a solution I can incorporate there.  The problem is that piece of code controls access to the whole application so I'm reluctant to make any changes at such a sensitive point, if it can be avoided.

    Pete Letkeman wrote: This posting on StackOverflow.com may have a solution that works for you
    https://stackoverflow.com/questions/30366405/how-to-disable-spring-security-for-particular-url.

    I quickly looked at the sample quickstart project provided by Spring and in their securityContext.xml file they have the following lines (among many others):

    ...

    Maybe you can do the same thing for the URL that you don't want secured?



    It's not that I don't want the URL secured, it's more that I only want it to respond to GET requests.  Anything else (POST, PUSH) should send back a 403 or a 404.  Sorry if I didn't explain the problem clearly enough.
     
    Pete Letkeman
    I've only really started with Spring Boot 2, but could this not be handled with the mapping of the request in the application?
    I'm thinking that @RequestMapping, @GetMapping and @PostMapping as shown in this example https://spring.io/guides/tutorials/bookmarks/#_building_a_rest_service may help out.
     
    Simon Ritchie
    Resurrecting this old problem as it's still something I've yet to resolve.

    I hope people here don't mind me posting something from another forum but the solution described here is pretty much what I'm looking to be able to do.  The problem is that Java's ServletRequest class doesn't appear to have a method that tells you what kind of HTTP request has just been made (GET, POST, etc).  I've tried downcasting the ServletRequest object to a HttpServletRequest and then I've used Postman to send a POST request to the URL that I'm filtering on but the HttpServletRequest seems to see the incoming method as a GET instead of a POST.  Is there any way to determine what HTTP request has been made on a ServletRequest without downcasting?  None of the available ServletRequest methods seem to have this information.
     
    Sheriff
    That's because HTTP methods are only available for HTTP servlets, not generic servlets. You will need to perform down-casting to get the method. However, this doesn't actually change the servlet request object. If it returns GET for the HTTP method, then that's how it's recognised by the servlet container. The HTTP method doesn't get set just because of the down-cast.
     
    Simon Ritchie
    Yeah, I found out that the reason it was interpreting my POST as a GET was because the request wasn't coming in with a "/" appended.  You were right about the down casting, thanks.
     
    Rancher
    Can't you just use antmatcher, antmatchers in the webconfiguration?
     
    Simon Ritchie
    Unfortunately not as there is filtering taking place (a requirement) before the antmatcher configuration stuff is engaged.
     
    Al Hobbs
    Well, could you just add another filter?
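
A filter of the kind suggested in the last reply, as an added example that is not code from the thread or from the poster's application: it sits ahead of the Spring Security / SAML chain, downcasts to `HttpServletRequest` to read the method, and rejects anything but GET on selected paths, with or without a trailing slash. The class name `GetOnlyFilter` and the sample paths are hypothetical; it assumes the `javax.servlet` API and a Spring Boot application that registers `Filter` beans in `@Order` order.

```java
import java.io.IOException;
import java.util.Arrays;
import java.util.HashSet;
import java.util.Set;
import javax.servlet.Filter;
import javax.servlet.FilterChain;
import javax.servlet.FilterConfig;
import javax.servlet.ServletException;
import javax.servlet.ServletRequest;
import javax.servlet.ServletResponse;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;
import org.springframework.core.Ordered;
import org.springframework.core.annotation.Order;
import org.springframework.stereotype.Component;

// Hypothetical filter: the class name and paths are assumptions, not from the thread.
@Component
@Order(Ordered.HIGHEST_PRECEDENCE) // assumed to place it ahead of the security filter chain
public class GetOnlyFilter implements Filter {

    // Constructed sample paths, stored without a trailing slash.
    private static final Set<String> GET_ONLY =
            new HashSet<>(Arrays.asList("/reports", "/status"));

    @Override
    public void doFilter(ServletRequest req, ServletResponse res, FilterChain chain)
            throws IOException, ServletException {
        // getMethod() exists only on HttpServletRequest; non-HTTP requests pass through.
        if (req instanceof HttpServletRequest && res instanceof HttpServletResponse) {
            HttpServletRequest http = (HttpServletRequest) req;
            // Container-decoded path, so ";param" or "%2F" variants cannot dodge the match.
            String info = http.getPathInfo();
            String path = http.getServletPath() + (info == null ? "" : info);
            // Treat "/reports" and "/reports/" as the same resource.
            if (path.length() > 1 && path.endsWith("/")) {
                path = path.substring(0, path.length() - 1);
            }
            if (GET_ONLY.contains(path) && !"GET".equals(http.getMethod())) {
                // 403 as asked for in the thread; 405 plus an Allow header is the standard alternative.
                ((HttpServletResponse) res).sendError(HttpServletResponse.SC_FORBIDDEN);
                return; // the SAML filters and the rest of the chain never see the request
            }
        }
        chain.doFilter(req, res);
    }
    @Override
    public void init(FilterConfig filterConfig) { }
    @Override
    public void destroy() { }
}
```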
     