[OpenVPMS Developers] [JIRA] Closed: (OVPMS-378) User name and password submitted via login dialog should be submitted using POST

Message from Tony De Keizer (JIRA) jira@openvpms.org

[ https://openvpms.atlassian.net/browse/OVPMS-378?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel ]

Tony De Keizer closed OVPMS-378.
--------------------------------

Tested OK.

> User name and password submitted via login dialog should be submitted using POST
> --------------------------------------------------------------------------------
>
> Key: OVPMS-378
> URL: https://openvpms.atlassian.net/browse/OVPMS-378
> Project: VPMS Web Application
> Issue Type: Improvement
> Components: General
> Affects Versions: 1.0-alpha-1
> Reporter: Tim Anderson
> Assignee: Tony De Keizer
> Priority: Minor
> Fix For: 1.5
>
>
> The user name and password submitted to spring security via the LoginDialog class using:
>     BrowserRedirectCommand("j_acegi_security_check?j_username=" + username + "&j_password=" + password);
> are submitted using HTTP GET. This is a security flaw as the values can appear in the browser history (e.g. if the redirect fails), even if HTTPS is used.
> The values should be submitted using POST.

--
This message is automatically generated by JIRA.
-
If you think it was sent incorrectly contact one of the administrators: https://openvpms.atlassian.net/secure/Administrators.jspa
-
For more information on JIRA, see: http://www.atlassian.com/software/jira
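A log check for the flaw described in the issue, as an added example that is not part of the original message or the OpenVPMS code: it flags access-log requests whose query string carries `j_username` or `j_password` and rewrites the line with the values redacted. The sample log lines, the `/openvpms` path prefix and the function names are constructed for illustration.

```python
import re
from urllib.parse import urlsplit, parse_qsl, urlencode

# Parameter names taken from the issue text; extend for other login forms.
SENSITIVE_PARAMS = {"j_username", "j_password"}

# Request line of a Common/Combined Log Format entry: "METHOD target HTTP/x.y"
REQUEST_RE = re.compile(r'"(?P<method>[A-Z]+) (?P<target>\S+) HTTP/[\d.]+"')

# Constructed sample input (not real traffic); the /openvpms prefix is an assumption.
SAMPLE_LOG = [
    '192.0.2.10 - - [01/Jan/2024:10:00:00 +0000] "GET /openvpms/j_acegi_security_check'
    '?j_username=alice&j_password=s3cret HTTP/1.1" 302 0',
    '192.0.2.10 - - [01/Jan/2024:10:00:05 +0000] "POST /openvpms/j_acegi_security_check'
    ' HTTP/1.1" 302 0',
    '192.0.2.11 - - [01/Jan/2024:10:01:00 +0000] "GET /openvpms/app?page=1 HTTP/1.1" 200 512',
]


def scan_line(line):
    """Return (method, path, leaked_param_names, redacted_line), or None if clean."""
    m = REQUEST_RE.search(line)
    if not m:
        return None
    parts = urlsplit(m.group("target"))
    pairs = parse_qsl(parts.query, keep_blank_values=True)
    leaked = sorted({k for k, _ in pairs if k in SENSITIVE_PARAMS})
    if not leaked:
        return None
    # Rebuild the query with sensitive values replaced, so the finding itself
    # can be stored or forwarded without repeating the credential.
    redacted_query = urlencode(
        [(k, "REDACTED" if k in SENSITIVE_PARAMS else v) for k, v in pairs]
    )
    redacted_target = parts._replace(query=redacted_query).geturl()
    redacted_line = line[: m.start("target")] + redacted_target + line[m.end("target"):]
    return m.group("method"), parts.path, leaked, redacted_line


def scan(lines):
    """Scan an iterable of log lines and return only the findings."""
    return [hit for hit in map(scan_line, lines) if hit]


if __name__ == "__main__":
    for method, path, leaked, redacted in scan(SAMPLE_LOG):
        print(f"{method} {path} leaks {', '.join(leaked)}")
        print("  " + redacted)
```

A login submitted by POST, like the second sample line, carries the credentials in the request body and produces no finding.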
