rabbitmq / rabbitmq-auth-backend-http

HTTP-based authorisation and authentication for RabbitMQ

Make it possible to use POST requests instead of GET #7

Closed sergray closed 8 years ago

sergray commented 9 years ago

Hi,

It would be great to change GET requests to POST, because GET requests expose passwords in the access logs of the web server serving the app for the RabbitMQ auth backend.

deemytch commented 8 years ago

+

johnfoldager commented 8 years ago

+1

uvzubovs commented 8 years ago

+1. Absolutely required, or it cannot be used in the enterprise where HTTP access is logged.

AdamMiltonBarker commented 8 years ago

+1

michaelklishin commented 8 years ago

GET is still used in 3.6.x for backwards compatibility. We might want to switch to POST by default in 3.7.0.

AdamMiltonBarker commented 8 years ago

How come this is closed if it is not solved? This is a clear security flaw.

michaelklishin commented 8 years ago

@AdamMiltonBarker this is solved, see #30 which is merged. Like I said, we cannot change the default for 3.6.x because it will break this plugin for all existing users.

AdamMiltonBarker commented 8 years ago

OK, thanks for letting me know, will check it out. I've been away from AMQP whilst focusing on some features of MQTT. Will check out the linked issue, thanks for the reply.
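The exposure raised in this issue, as an added example that is not part of the thread or the plugin's code: a scan of web server access logs that flags auth-backend requests carrying a password in the query string and redacts the value. The `/auth/...` paths, the `password` parameter name and the log lines are constructed assumptions.

```python
import re
from urllib.parse import urlsplit, parse_qsl, urlencode

# Constructed sample lines in combined log format (not real traffic).
SAMPLE_LOG = """\
10.0.0.5 - - [12/Mar/2017:10:01:02 +0000] "GET /auth/user?username=guest&password=s3cr3t%21 HTTP/1.1" 200 5 "-" "-"
10.0.0.5 - - [12/Mar/2017:10:01:03 +0000] "GET /auth/vhost?username=guest&vhost=%2F&ip=10.0.0.9 HTTP/1.1" 200 5 "-" "-"
10.0.0.5 - - [12/Mar/2017:10:05:40 +0000] "POST /auth/user HTTP/1.1" 200 5 "-" "-"
"""

# Request line inside the quoted field: METHOD TARGET PROTOCOL
REQUEST_RE = re.compile(r'"(?P<method>[A-Z]+) (?P<target>\S+) (?P<proto>HTTP/[\d.]+)"')
SENSITIVE = {"password"}  # assumed parameter name; extend for your backend


def redact_line(line):
    """Return (redacted_line, leaked) for one access-log line."""
    m = REQUEST_RE.search(line)
    if not m:
        return line, False
    parts = urlsplit(m.group("target"))
    pairs = parse_qsl(parts.query, keep_blank_values=True)
    leaked = any(k.lower() in SENSITIVE for k, _ in pairs)
    if not leaked:
        return line, False
    # Keep every parameter, replacing only the sensitive values.
    clean = [(k, "REDACTED" if k.lower() in SENSITIVE else v) for k, v in pairs]
    target = parts._replace(query=urlencode(clean)).geturl()
    return line[:m.start("target")] + target + line[m.end("target"):], True


def scan(log_text):
    """Redact every line; return redacted text and 1-based numbers of leaking lines."""
    out, hits = [], []
    for n, line in enumerate(log_text.splitlines(), 1):
        red, leaked = redact_line(line)
        out.append(red)
        if leaked:
            hits.append(n)
    return "\n".join(out), hits


if __name__ == "__main__":
    redacted, hits = scan(SAMPLE_LOG)
    print("lines leaking credentials:", hits)
    print(redacted)
```

The POST line passes through untouched because the credentials travel in the request body, which a standard access log format does not record.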