I've identified at least one spot in the Rate Limiting filter that is reading the request parameters (potentially reading the form parameters of the body) but isn't resetting the body afterwards.
This is causing the request body to be lost when the request has form parameters (i.e. has a content-type of "application/x-www-form-urlencoded"). Identity observed this issue when setting up the SAML filter and sending in federation requests.
- The SAML filter should be placed before the Rate Limiting filter. This is not ideal long-term, but will get things going for testing.
- Client is able to sent a POST and PUT request with form parameters without the request body getting removed by the Rate Limiting filter.