tomcat-dev mailing list archives

Site index · List index
Message view « Date » · « Thread »
Top « Date » · « Thread »
From bugzi...@apache.org
Subject DO NOT REPLY [Bug 51940] New: Form Authentication Valve should restore request body on PUT method
Date Mon, 03 Oct 2011 16:15:05 GMT
https://issues.apache.org/bugzilla/show_bug.cgi?id=51940

             Bug #: 51940
           Summary: Form Authentication Valve should restore request body
                    on PUT method
           Product: Tomcat 6
           Version: 6.0.33
          Platform: PC
        OS/Version: Linux
            Status: NEW
          Severity: normal
          Priority: P2
         Component: Catalina
        AssignedTo: dev@tomcat.apache.org
        ReportedBy: nsushkin@openfinance.com
    Classification: Unclassified


In Tomcat 6 (and 7), Form Authentication valve restores the original request
after a POST with successful authentication and redirect is followed by the
client's GET. In case of the POST, the valve also restores the original
request's body. However, it doesn't do that for a PUT. To be consistent, Tomcat
should restore the body on PUT as well.

The patch would be in FormAuthenticator.restoreRequest(Request, Session) [1],
to change from

if ("POST".equalsIgnoreCase(saved.getMethod())) {

to

if ("POST".equalsIgnoreCase(saved.getMethod()) ||
"PUT".equalsIgnoreCase(saved.getMethod())
) {

[1]
http://svn.apache.org/viewvc/tomcat/tc6.0.x/trunk/java/org/apache/catalina/authenticator/FormAuthenticator.java?view=markup#l450


Maybe related to Bug #48692.


This issue was discussed on users mailing list archived at

http://markmail.org/thread/klafrhln32v3zcau

and

http://mail-archives.apache.org/mod_mbox/tomcat-users/201109.mbox/%3C3052451.ZX31eH6Cz8@strela%3E


Regarding "Re: Should Form Authentication Valve restore request body on a
PUT?", 
on Thursday, September 29, 2011 17:04:27,
Christopher Schultz wrote to Tomcat Users List <users@tomcat.apache.org>

> ...
> The servlet spec (v3.0, SRV 13.6.3.1) has this to say:
> "
> If the form based login is invoked because of an HTTP request, the
> original request parameters must be preserved by the container for use
> if, on successful authentication, it redirects the call to the
> requested resource.
> "
> 
> It doesn't say what kinds of HTTP verbs should or should not be
> supported, but GET and PUT seem entirely obvious. It doesn't say that
> the request body needs to be maintained, only the "request
> parameters". Since the servlet specification doesn't have any
> provisions for fetching request parameters from PUT operations, I
> suppose the spec therefore doesn't directly recommend that PUT bodies
> be stored for later use like when POST is used.
> ...
> On the face of it, that seems reasonable. I haven't read-through the
> code that then replays the saved-request so I'm not sure if there's
> more to be done.


Regarding "Re: Should Form Authentication Valve restore request body on a
PUT?", 
on Friday, September 30, 2011 13:10:55,
Mark Thomas wrote to Tomcat Users List <users@tomcat.apache.org>

> I'd have no objection so the proposed change.
> 
> Mark

-- 
Configure bugmail: https://issues.apache.org/bugzilla/userprefs.cgi?tab=email
------- You are receiving this mail because: -------
You are the assignee for the bug.

---------------------------------------------------------------------
To unsubscribe, e-mail: dev-unsubscribe@tomcat.apache.org
For additional commands, e-mail: dev-help@tomcat.apache.org


Mime
View raw message