I am using spring webflow 2.3.1.RELEASE in my project.
The customer's security team raised and issue witch is "It is possible to change the http method from POST to GET and the application accepts the change and continues working."
So I need to prevent this change and make my transitions accept only POST method. Or throw exception if I get any request parameter other than execution in the url.
How can I do this?
I solved the problem using interceptors of the FlowHandlerMapping.
I've created a class and named it MethodInterceptor, implementend org.springframework.web.context.request.WebRequestInterceptor.
in the "public void preHandle(WebRequest request) throws Exception" method, I checked the request method, if it was get, I checked the request parameters to be either empty or contain only the execution parameter. If the condition didn't meet, I threw an exception.