fix(Login): remove login through GET (#2856)

* add system property to activate logon through get (deactivated by default)

Covers [RUNTIME-1398](https://bonitasoft.atlassian.net/browse/RUNTIME-1398)

bpm/bonita-web-server/src/main/java/org/bonitasoft/console/common/server/login/servlet/LoginServlet.java

@@ -67,16 +67,25 @@ public class LoginServlet extends HttpServlet {
      */
     protected static final String LOGIN_URL_PARAM_NAME = "loginUrl";
 
+    /*
+     * System property to allow login with GET from the development suite
+     */
+    public static final String ENABLE_DEV_SUITE_LOGIN = "org.bonitasoft.web.login.get.enabled";
+
     /**
      * Necessary studio integration (username and password are passed in the URL in development mode)
      *
      * @deprecated
      *             use {@link #doPost(HttpServletRequest, HttpServletResponse)} instead
      */
     @Override
-    @Deprecated(since = "8.0", forRemoval = true)
+    @Deprecated(since = "8.0", forRemoval = false)
     protected void doGet(final HttpServletRequest req, final HttpServletResponse resp)
             throws ServletException, IOException {
+        if (!Boolean.parseBoolean(System.getProperty(ENABLE_DEV_SUITE_LOGIN))) {
+            resp.setStatus(HttpServletResponse.SC_METHOD_NOT_ALLOWED);
+            return;
+        }
         if (LOGGER.isTraceEnabled()) {
             LOGGER.trace("query string : " + dropPassword(req.getQueryString()));
         }

bpm/bonita-web-server/src/main/java/org/bonitasoft/console/common/server/login/servlet/PlatformLoginServlet.java

@@ -78,12 +78,6 @@ public class PlatformLoginServlet extends HttpServlet {
     protected final TokenGenerator tokenGenerator = new TokenGenerator();
     protected final PortalCookies portalCookies = new PortalCookies();
 
-    @Override
-    protected void doGet(final HttpServletRequest request, final HttpServletResponse response)
-            throws ServletException, IOException {
-        doPost(request, response);
-    }
-
     @Override
     protected void doPost(final HttpServletRequest request, final HttpServletResponse response)
             throws ServletException, IOException {

bpm/bonita-web-server/src/test/java/org/bonitasoft/console/common/server/login/servlet/LoginServletTest.java

@@ -41,6 +41,7 @@
 import org.bonitasoft.console.common.server.utils.SessionUtil;
 import org.bonitasoft.engine.exception.TenantStatusException;
 import org.bonitasoft.engine.session.APISession;
+import org.junit.After;
 import org.junit.Before;
 import org.junit.Rule;
 import org.junit.Test;
@@ -76,6 +77,11 @@ public void setup() {
         doReturn("application/x-www-form-urlencoded").when(req).getContentType();
     }
 
+    @After
+    public void tearDown() {
+        System.clearProperty(LoginServlet.ENABLE_DEV_SUITE_LOGIN);
+    }
+
     @Test
     public void testPasswordIsDroppedWhenParameterIsLast() throws Exception {
         final String cleanQueryString = LoginServlet.dropPassword("?username=walter.bates&password=bpm");
@@ -135,6 +141,7 @@ public void testDropPasswordOnRealUrl() throws Exception {
     @Test
     public void testDoGetShouldDropPassowrdWhenLoggingQueryString() throws Exception {
         //given
+        System.setProperty(LoginServlet.ENABLE_DEV_SUITE_LOGIN, "true");
         final LoginServlet servlet = spy(new LoginServlet());
         doReturn("password=123&username=john").when(req).getQueryString();
         doNothing().when(servlet).doPost(req, resp);
@@ -150,6 +157,19 @@ public void testDoGetShouldDropPassowrdWhenLoggingQueryString() throws Exception
                 .doesNotContain("123");
     }
 
+    @Test
+    public void testDoGetShouldfailWhenSysPropNotSet() throws Exception {
+        //given
+        final LoginServlet servlet = spy(new LoginServlet());
+
+        //when
+        servlet.doGet(req, resp);
+
+        //then
+        verify(servlet, never()).doPost(req, resp);
+        verify(resp).setStatus(HttpServletResponse.SC_METHOD_NOT_ALLOWED);
+    }
+
     @Test
     public void testDoPostShouldNotUseQueryString() throws Exception {