tomcat-dev mailing list archives

Site index · List index
Message view « Date » · « Thread »
Top « Date » · « Thread »
From "Martin Algesten" <mar...@taglab.com>
Subject RE: Servlet Spec interpretation FORM-based authentication
Date Tue, 12 Nov 2002 09:43:53 GMT
This seems another aspect of issue
http://nagoya.apache.org/bugzilla/show_bug.cgi?id=6279 ... there are
some work in progress on that one. There's even a patch, check it out.

Martin



-----Original Message-----
From: Algirdas P. Veitas [mailto:aveitas@mail.allesta.com] 
Sent: 12 November 2002 04:57
To: tomcat-dev@jakarta.apache.org
Subject: Servlet Spec interpretation FORM-based authentication


Folks,

I am running into an issue with FORM-based authentication
using 4.1.12 (and 4.0.4).  It seems as if the implementation
is not in line with the 2.3 Servlet Specification.  Specifically, the
Servlet Spec states:

SRV.12.5.3 Form Base Authentication
--snip--
J2EE.12.5.3.1 Login Form Notes
--snip--
"If the form based login is invoked because of an HTTP request, the
original 
request parameters must be preserved by the container for use if, on 
successful authentication, it redirects the call to the requested
resource."

It seems as if the request parameters are not being preserved by the 
container.  After a successful login the container forwards me to the
target 
URL (a JSP page).  The JSP page executes the following code:

Enumeration params = request.getParameterNames();
while (params.hasMoreElements())
{
 String paramKey = (String)params.nextElement();
 String paramVal = request.getParameter(paramKey);
System.out.println(paramKey + " = " + paramKey); }

which I would expect to atleast see printed out:

j_username = <some val>
j_password = <some val 2>

but in fact these request parameters are not printed out and thus not
part of 
the request.

A bit of digging in the source revealed that in the method

authenticate(HttpRequest,HttpResponse,LoginConfig)

of class org.apache.catalina.authenticator.FormAuthenticator, the code
is 
executing HttpResponse.sendRedirect(String url) in order to forward the
user 
to the appropriate page.  A sendRedirect() will wipe out all of the
original 
request parameters.

I think in order to preserve the parameters the sendRedirect() needs to
be 
replaced by HttpRequest.getServletDispatcher().forward().

Has anyone else seen this behavior and is my claim valid?

Thanks,
  Al



--
Open WebMail Project (http://openwebmail.org)


--
To unsubscribe, e-mail:
<mailto:tomcat-dev-unsubscribe@jakarta.apache.org>
For additional commands, e-mail:
<mailto:tomcat-dev-help@jakarta.apache.org>


--
To unsubscribe, e-mail:   <mailto:tomcat-dev-unsubscribe@jakarta.apache.org>
For additional commands, e-mail: <mailto:tomcat-dev-help@jakarta.apache.org>


Mime
View raw message