tomcat-users mailing list archives

Site index · List index
Message view « Date » · « Thread »
Top « Date » · « Thread »
From Christopher Schultz <ch...@christopherschultz.net>
Subject Re: post data lost when redirecting from http to https
Date Mon, 03 Mar 2008 15:00:01 GMT
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

Peter,

Peter Crowther wrote:
|> From: Christopher Schultz [mailto:chris@christopherschultz.net]
|>
|> Tomcat goes out of its way to save the POST body. Here's the code
|> from FormAuthenticator
|
| [elided]
|
|> This method is called before the login form is shown. Note the
|> special case for POST requests.
|
| This is purely for forms authentication, i.e. where Tomcat is logging
| the user in.  The OP didn't state either way about forms
| authentication, and I suspect isn't using it.
|
| This code is not used in other cases, for example when merely
| redirecting a user to a confidential (i.e. SSL) resource.

Boy is my face red ;) I was thinking this was an authentication
boundary, not a protocol boundary. You are absolutely right: this is a
simple redirect.

Interestingly enough, the servlet specification says nothing about how
to actually handle a request that does not meet the requirements of a
transport-guarantee. In securityfilter, we mimic Tomcat 5.5's behavior,
which is to simply redirect (most often a 302... depends on the
implementation of HttpServletResponse.sendRedirect) to the same URL that
was originally requested (which results in dropping any POST content).

- -chris
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.8 (MingW32)
Comment: Using GnuPG with Mozilla - http://enigmail.mozdev.org

iEYEARECAAYFAkfMEnEACgkQ9CaO5/Lv0PA0rQCgtMs9tyG0Wu+d+Wry+8JSJkjH
3xcAn3cHOllfBQIQcjkK8Iw/MoiDPDq/
=fS+7
-----END PGP SIGNATURE-----

---------------------------------------------------------------------
To start a new topic, e-mail: users@tomcat.apache.org
To unsubscribe, e-mail: users-unsubscribe@tomcat.apache.org
For additional commands, e-mail: users-help@tomcat.apache.org


Mime
View raw message