tomcat-users mailing list archives

From Christopher Schultz
Subject Re: post data lost when redirecting from http to https
Date Mon, 03 Mar 2008 15:00:01 GMT

Peter Crowther wrote:
|> From: Christopher Schultz
|> Tomcat goes out of its way to save the POST body. Here's the code
|> from FormAuthenticator
| [elided]
|> This method is called before the login form is shown. Note the
|> special case for POST requests.
| This is purely for forms authentication, i.e. where Tomcat is logging
| the user in.  The OP didn't state either way about forms
| authentication, and I suspect isn't using it.
| This code is not used in other cases, for example when merely
| redirecting a user to a confidential (i.e. SSL) resource.

Boy is my face red ;) I was thinking this was an authentication
boundary, not a protocol boundary. You are absolutely right: this is a
simple redirect.

Interestingly enough, the servlet specification says nothing about how
to actually handle a request that does not meet the requirements of a
transport-guarantee. In securityfilter, we mimic Tomcat 5.5's behavior,
which is to simply redirect (most often a 302... depends on the
implementation of HttpServletResponse.sendRedirect) to the same URL that
was originally requested (which results in dropping any POST content).

-chris
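
The redirect behaviour described in the message above, as an added example that is not part of the original post and is not Tomcat's or securityfilter's code: a servlet filter that sends plain-HTTP requests to the same URL over https. The class name, the `httpsPort` and `rejectBodies` init parameters, and the 403 branch are assumptions made for illustration.

```java
import java.io.IOException;
import javax.servlet.*;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;

// Hypothetical filter (added example): enforces a CONFIDENTIAL-style
// transport guarantee by redirecting to the same URL over https.
public class ConfidentialTransportFilter implements Filter {
    private int httpsPort = 443;          // assumed default; set via init-param
    private boolean rejectBodies = false; // assumed option, not a Tomcat setting

    public void init(FilterConfig cfg) {
        String p = cfg.getInitParameter("httpsPort");
        if (p != null) httpsPort = Integer.parseInt(p);
        rejectBodies = Boolean.parseBoolean(cfg.getInitParameter("rejectBodies"));
    }

    public void doFilter(ServletRequest rq, ServletResponse rs, FilterChain chain)
            throws IOException, ServletException {
        HttpServletRequest req = (HttpServletRequest) rq;
        HttpServletResponse res = (HttpServletResponse) rs;
        if (req.isSecure()) {             // already on the secure connector
            chain.doFilter(rq, rs);
            return;
        }
        String m = req.getMethod();
        boolean mayCarryBody = !("GET".equals(m) || "HEAD".equals(m));
        if (mayCarryBody && rejectBodies) {
            // Fail visibly instead of silently discarding the POST content.
            // Any body has already crossed the wire in cleartext at this point.
            res.sendError(HttpServletResponse.SC_FORBIDDEN, "HTTPS required");
            return;
        }
        // Only the URL and query string go into Location; nothing from the
        // request body is copied, so the follow-up request arrives without it.
        StringBuilder url = new StringBuilder("https://").append(req.getServerName());
        if (httpsPort != 443) url.append(':').append(httpsPort);
        url.append(req.getRequestURI());
        if (req.getQueryString() != null) url.append('?').append(req.getQueryString());
        res.sendRedirect(url.toString());
    }

    public void destroy() { }
}
```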

