Request body parsing should happen after authentication & authorization validation #163
Comments
Yes! I agree with your opinion. However, it is so difficult in the current ActionBuilder/BodyParser mechanism... And on the other hand, there is a motivation of wanting to use an HTTP body parameter at authorization. I think it needs a change in play2 for this problem to be solved.
I'm doing some testing with unsigned requests and a basic auth configuration.
Sending simple POST / GET requests fails on body parsing, before validation.
I think authentication must come before any other actions; it's not only beneficial from a performance point of view, but also from a security perspective.
Let's say I have an endpoint that accepts files, and I don't have authentication on this endpoint. I would still be able to POST files and drown server memory in trash data, which might easily affect server performance.
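An added sketch of the ordering requested in this issue, not code from the thread or from the project: a Play body parser wrapper that inspects only the request headers and hands the body to the real parser after the credentials check passes. It assumes Play 2.6 or later (`AbstractController`, injected `parse`), HTTP Basic credentials, and hypothetical names (`UploadController`, `authenticated`, `basicAuthOk`, the placeholder credentials).

```scala
import java.nio.charset.StandardCharsets.UTF_8
import java.security.MessageDigest
import java.util.Base64
import javax.inject.Inject
import scala.concurrent.Future
import scala.util.Try
import play.api.libs.Files.TemporaryFile
import play.api.mvc._

class UploadController @Inject()(cc: ControllerComponents)
    extends AbstractController(cc) {

  // Constructed placeholder; a real application would look credentials up.
  private val expected = "demo-user:demo-password".getBytes(UTF_8)

  // Decided from the headers alone: no body bytes have been read yet.
  private def basicAuthOk(rh: RequestHeader): Boolean =
    rh.headers.get("Authorization").exists { h =>
      h.startsWith("Basic ") && Try {
        val decoded = Base64.getDecoder.decode(h.drop(6).trim)
        MessageDigest.isEqual(decoded, expected) // avoids early-exit comparison
      }.getOrElse(false) // malformed base64 counts as a failed login
    }

  // Pick the parser per request: the inner (possibly expensive) parser runs
  // only for authenticated callers; everyone else gets an immediate 401.
  private def authenticated[A](inner: BodyParser[A]): BodyParser[A] =
    parse.using { rh =>
      if (basicAuthOk(rh)) inner
      else parse.error(Future.successful(
        Unauthorized.withHeaders("WWW-Authenticate" -> "Basic realm=\"upload\"")))
    }

  // File upload endpoint: the temporary file is created only after the
  // header check has passed.
  def upload: Action[TemporaryFile] =
    Action(authenticated(parse.temporaryFile)) { request =>
      Ok(s"stored ${request.body.path}")
    }
}
```

This covers only checks that can be made from the request headers; authorization that depends on a body parameter, as mentioned in the comment above, still needs the body parsed first.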