Grails Version: 3.3.4, Groovy Version: 2.4.14, JVM Version: 1.8.0_161, Kubuntu 14.04
I wrote a simple authentication form (in the end it will be POSTed through https):
    <form action='auth' method='POST' id='loginForm' class='cssform' autocomplete='off'>
        <p>
            <label for='j_username'>Login ID</label>
            <input type='text' class='text_' name='j_username' id='j_username' />
        </p>
        <p>
            <label for='j_password'>Password</label>
            <input type='password' class='text_' name='j_password' id='j_password' />
        </p>
        <p>
            <input type='submit' value='Login' />
        </p>
    </form>
The controller is:
    class LoginController {

        // Show the login form unless the session already holds the test user
        def index() {
            if (session.user?.name == 'test') {
                render view: '/login/youarealreadyin'
            }
            else {
                render view: '/login/auth'
            }
        }

        // Target of the POSTed login form
        def auth() {
            def loginName = params.j_username?.trim()
            def pass = params.j_password?.trim()
            // Hard-coded demo credentials
            if (loginName == 'test' && pass == 'TEST') {
                session.user = [name: loginName]
                redirect uri: '/'
            }
            else {
                render view: '/login/denied'
            }
        }
    }
After correct login and redirect to uri: '/' - I see the name and password in the URL field of the browser:
http://localhost:8080/?j_username=test&j_password=TEST
I could swear that this didn't happen with Grails 3 in the first versions... I cannot remember when...
It would be nice not to send back the POSTed password as GET params in the URL.
If I render a specific view instead of redirecting, it doesn't happen.
If you are reporting this as undesired behavior, our GitHub issue tracker at https://github.com/grails/grails-core/issues is a better place to do that. This has already been reported though at https://github.com/grails/grails-core/issues/10965 and it looks like the fix has been verified in 3.3.5.BUILD-SNAPSHOT and looks good.
If you are simply asking if this is intended behavior, it isn't.
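
A password that has appeared in a URL like the one in the question also ends up in server access logs and in the Referer header of later requests. The following Python check is an added example, not part of the original posts or of Grails; it assumes Combined Log Format and a hypothetical list of secret parameter names, and runs on constructed sample lines to find and redact secrets in query strings.

```python
import re
from urllib.parse import urlsplit, urlunsplit, parse_qsl, urlencode

# Parameter names treated as secrets. j_password comes from the form on this
# page; the others are assumed common names, adjust for your application.
SENSITIVE = {"j_password", "password", "passwd", "pwd"}

# Combined Log Format: ... "METHOD target HTTP/x" status size "referer" "agent"
LOG_RE = re.compile(
    r'"(?P<method>[A-Z]+) (?P<target>\S+) HTTP/[\d.]+" (?P<status>\d{3}) \S+'
    r'(?: "(?P<referer>[^"]*)")?'
)

def redact(url):
    """Return (redacted_url, leaked_names) for one URL or request target."""
    parts = urlsplit(url)
    pairs = parse_qsl(parts.query, keep_blank_values=True)
    leaked = [k for k, _ in pairs if k.lower() in SENSITIVE]
    clean = [(k, "REDACTED" if k.lower() in SENSITIVE else v) for k, v in pairs]
    return urlunsplit(parts._replace(query=urlencode(clean))), leaked

def scan(lines):
    """Return (line_no, field, redacted_url) for each secret found in a query string."""
    findings = []
    for no, line in enumerate(lines, 1):
        m = LOG_RE.search(line)
        if not m:
            continue
        # Check both the requested URL and the Referer the browser sent along.
        for field in ("target", "referer"):
            value = m.group(field)
            if not value or value == "-":
                continue
            url, leaked = redact(value)
            if leaked:
                findings.append((no, field, url))
    return findings

# Constructed sample log lines (not from a real server).
SAMPLE = [
    '127.0.0.1 - - [01/May/2018:10:00:00 +0000] "POST /login/auth HTTP/1.1" 302 0 "http://localhost:8080/login" "Mozilla/5.0"',
    '127.0.0.1 - - [01/May/2018:10:00:00 +0000] "GET /?j_username=test&j_password=TEST HTTP/1.1" 200 512 "http://localhost:8080/login" "Mozilla/5.0"',
    '127.0.0.1 - - [01/May/2018:10:00:05 +0000] "GET /assets/app.css HTTP/1.1" 200 90 "http://localhost:8080/?j_username=test&j_password=TEST" "Mozilla/5.0"',
]

if __name__ == "__main__":
    for finding in scan(SAMPLE):
        print(finding)
```

The third sample line shows the secondary leak: the asset request itself is harmless, but its Referer carries the credential URL.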