tomcat-dev mailing list archives

Site index · List index
Message view « Date » · « Thread »
Top « Date » · « Thread »
From "Jeff Tulley" <>
Subject Tomcat security handling spec non-compliance
Date Thu, 27 Mar 2003 22:30:40 GMT
I think I've found a fairly important place where Tomcat is not spec
compliant. I think there is code in there to make this work, but the
code must have a bug.
The spec part is: SRV 12.5.3, actually in J2EE. Login Form
If the form based login is invoked because of an HTTP request, the
request parameters must be preserved by the container for use if, on
authentication, it redirects the call to the requested resource.

I have shown that this is not working using the following process:
Create a simple jsp, "formHandler.jsp", put it in a protected app (I
used Tomcat's admin):
String color = request.getParameter("Color");
Your color is: <%=color%>

Create a simple form somewhere outside of there:
<form action="/admin/formHandler.jsp" method="post">
<input type="text" name="Color" value="red">
<input type="submit" name="Submit">

If you submit the form while there is a current valid login to the
admin application, your formHandler jsp outputs the correct parameter
If you submit the form while not authenticated to the application, you
are redirected to the login page. After you enter valid credentials, you
are redirected to the formHandler.jsp, which outputs "Your color is:
null" It has lost the original request parameters even though it appears
that org.apache.catalina.authenticator.FormAuthenticator, restoreRequest
tries to restore these.

Can somebody else verify that they see this, and should I submit a bug?
 It seems that this is very important and needs to be fixed.

This is on Tomcat 4.1.18, and I just verified it is still there on
Tomcat 4.1.24

Jeff Tulley  (
Novell, Inc., The Leading Provider of Net Business Solutions

To unsubscribe, e-mail:
For additional commands, e-mail:

View raw message