tomcat-users mailing list archives

From Christopher Schultz <ch...@christopherschultz.net>
Subject Re: post data lost when redirecting from http to https
Date Mon, 03 Mar 2008 14:35:10 GMT

Peter,

Peter Crowther wrote:
|> From: J. Zach [mailto:zach@centrum.cz]
|>
|> When page2.jsp is secured in web.xml via security-constraint - transport
|> confidential, the posted data from page1.jsp is lost on submit (it's
|> simply missing in the request).
|
| That's expected:

No, it's not. Tomcat goes out of its way to save the POST body. Here's
the code from FormAuthenticator (see
http://svn.apache.org/repos/asf/tomcat/tc6.0.x/trunk/java/org/apache/catalina/authenticator/FormAuthenticator.java):

    protected void saveRequest(Request request, Session session)
        throws IOException {

        // Create and populate a SavedRequest object for this request
        SavedRequest saved = new SavedRequest();
        Cookie cookies[] = request.getCookies();
        if (cookies != null) {
            for (int i = 0; i < cookies.length; i++)
                saved.addCookie(cookies[i]);
        }
        Enumeration names = request.getHeaderNames();
        while (names.hasMoreElements()) {
            String name = (String) names.nextElement();
            Enumeration values = request.getHeaders(name);
            while (values.hasMoreElements()) {
                String value = (String) values.nextElement();
                saved.addHeader(name, value);
            }
        }
        Enumeration locales = request.getLocales();
        while (locales.hasMoreElements()) {
            Locale locale = (Locale) locales.nextElement();
            saved.addLocale(locale);
        }

        if ("POST".equalsIgnoreCase(request.getMethod())) {
            ByteChunk body = new ByteChunk();
            body.setLimit(request.getConnector().getMaxSavePostSize());

            byte[] buffer = new byte[4096];
            int bytesRead;
            InputStream is = request.getInputStream();

            while ( (bytesRead = is.read(buffer) ) >= 0) {
                body.append(buffer, 0, bytesRead);
            }
            saved.setContentType(request.getContentType());
            saved.setBody(body);
        }

        saved.setMethod(request.getMethod());
        saved.setQueryString(request.getQueryString());
        saved.setRequestURI(request.getRequestURI());

        // Stash the SavedRequest in our session for later use
        session.setNote(Constants.FORM_REQUEST_NOTE, saved);

    }

This method is called before the login form is shown. Note the special
case for POST requests.

There is a caveat: there is a maximum size for the POST request. Jan,
how big is the POST request that you are attempting to submit across the
authentication boundary?

The default maxPostSize for both the HTTP and AJP connectors is 2MiB.

Are you seeing any messages in your catalina.out when you lose this data?

It doesn't look like FormAuthenticator cares about HTTP versus HTTPS,
but the saved request goes into the session, so perhaps you are losing
your session during this process? Try adding some logging to make sure
that the session id is consistent.

-chris

---------------------------------------------------------------------
To start a new topic, e-mail: users@tomcat.apache.org
To unsubscribe, e-mail: users-unsubscribe@tomcat.apache.org
For additional commands, e-mail: users-help@tomcat.apache.org
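
The session-consistency logging suggested in the message above, as an added example that is not part of the original message or of Tomcat's code: a servlet filter that logs scheme, Content-Length and a hashed session id for each request. The class name SessionTraceFilter and the logger name are assumptions.

```java
import java.io.IOException;
import java.nio.charset.StandardCharsets;
import java.security.MessageDigest;
import java.security.NoSuchAlgorithmException;
import java.util.logging.Logger;
import javax.servlet.*;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpSession;

// Added diagnostic example; SessionTraceFilter is a hypothetical name.
public class SessionTraceFilter implements Filter {
    private static final Logger LOG = Logger.getLogger("session-trace");

    public void init(FilterConfig cfg) { }
    public void destroy() { }

    public void doFilter(ServletRequest req, ServletResponse res, FilterChain chain)
            throws IOException, ServletException {
        if (req instanceof HttpServletRequest) {
            HttpServletRequest r = (HttpServletRequest) req;
            HttpSession s = r.getSession(false); // do not create a session just to log
            // len can be compared with the limit that saveRequest() applies
            // through getMaxSavePostSize().
            LOG.info(r.getMethod() + " " + r.getScheme() + " " + r.getRequestURI()
                    + " len=" + r.getContentLength()
                    + " requested=" + tag(r.getRequestedSessionId())
                    + " requestedValid=" + r.isRequestedSessionIdValid()
                    + " actual=" + tag(s == null ? null : s.getId()));
        }
        chain.doFilter(req, res);
    }

    // Log a short SHA-256 prefix instead of the session id itself, so the
    // log file cannot be used to take over a session.
    static String tag(String sessionId) {
        if (sessionId == null) return "none";
        try {
            byte[] d = MessageDigest.getInstance("SHA-256")
                    .digest(sessionId.getBytes(StandardCharsets.UTF_8));
            StringBuilder sb = new StringBuilder();
            for (int i = 0; i < 4; i++) sb.append(String.format("%02x", d[i] & 0xff));
            return sb.toString();
        } catch (NoSuchAlgorithmException e) {
            throw new IllegalStateException(e);
        }
    }
}
```

Map the filter to /* in web.xml and compare the "actual" tag logged for the form page with the one logged for the request that arrives after the redirect or login. Requests that the container's own security check answers (the redirect to HTTPS or to the login page) do not pass through the filter chain, so they produce no log line.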

