tomcat-users mailing list archives

From André Warnier>
Subject Re: How to make request parameters available to a login.jsp?
Date Mon, 04 May 2009 13:46:29 GMT
Sid Sidney wrote:
> Hi, I have posted this question in many different forums, but I still have not found an
> answer. Perhaps I will in this list.
Not being a Tomcat expert, I don't know how Tomcat (in its different 
versions) handles this, but you may be encountering the following issue:

An HTTP request made as a GET sends all the data in the request URL (as 
An HTTP request made as a POST, on the other hand, sends the data in 
the body of the request.

Now the server receives the request, and determines that this URI needs 
authentication, and that the authentication in question is a 
"form-based" authentication.  So it sends back, not the content that the 
client expected, but instead, it sends a login form.
(The browser however does not know that substitution, it thinks that 
this is the real response.)
The user fills in the login form, and submits it to the server.
The server receives the login form request (whatever it is), processes 
it, and determines that the login is correct.
Then (clever he), it has noted somewhere what the original request URI 
was for this same browser (when it originally requested the protected 
content), and it redirects the request to that original URI.
So now the browser (or client) receives the content for the original URI 
that it requested.
Quite good, eh?

Except that it (usually) breaks down if the original request was a POST.
Because then, the server would have needed to remember, not only the URI 
of the original request, but also the content (body) of it, since it was 
made via a POST.

I am willing to be impressed, but I don't think that Tomcat's form-based 
authentication mechanism would be able to read the original POST data, 
memorise it somewhere, and then "replay it" when it gets the login form 
duly completed.

You would not have the same issue if the required authentication was a 
"Basic" authentication, because then the browser would know that it 
needs to re-submit the original request, complete with body and with an 
authentication header.
But in this case, the browser just does not know that, because it has 
received a perfectly OK 200 response when it tried to access the 
resource the first time.  It is fooled.

So now let's hear what the gurus have to say.

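The two flows described in the message above, modelled end to end as an added example (this is not code from the original post and not Tomcat's own implementation). Both the form-login server and the Basic-auth server are small in-memory models; the only names taken from Tomcat are the form-login action URI `/j_security_check` and the `j_username`/`j_password` field names. The `/app/report` URI, the `alice`/`s3cret` credentials, the request bodies and the `save_post_body` switch are constructed for the example. The switch makes the failure mode concrete: a server that remembers only the URI of the original request replays a POST with an empty body after login, while one that also saved the body replays the original parameters; with Basic auth the browser itself resubmits method, body and credentials after the 401, so nothing needs saving.

```python
import base64
from dataclasses import dataclass, field
from typing import Optional
from urllib.parse import parse_qs

@dataclass
class Request:
    method: str
    uri: str
    headers: dict = field(default_factory=dict)
    body: str = ""

@dataclass
class Response:
    status: int
    headers: dict = field(default_factory=dict)
    body: str = ""

@dataclass
class Session:
    authenticated: bool = False
    saved: Optional[Request] = None   # the request the server remembers across the login

USERS = {"alice": "s3cret"}           # constructed sample credentials
LOGIN_URI = "/j_security_check"       # Tomcat's form-login action URI

def params(body: str) -> dict:
    """Flatten an application/x-www-form-urlencoded body to {name: value}."""
    return {k: v[0] for k, v in parse_qs(body).items()}

def application(req: Request) -> Response:
    """The protected resource: echoes what it actually received."""
    return Response(200, body=f"{req.method} {req.uri} params={params(req.body)}")

class FormAuthServer:
    """Server side of form-based authentication for URIs under /app."""
    def __init__(self, save_post_body: bool):
        self.save_post_body = save_post_body

    def handle(self, session: Session, req: Request) -> Response:
        if req.uri == LOGIN_URI:
            creds = params(req.body)
            if USERS.get(creds.get("j_username")) != creds.get("j_password"):
                return Response(200, body="login form (login failed)")
            session.authenticated = True
            target = session.saved.uri if session.saved else "/"
            return Response(302, {"Location": target})
        if req.uri.startswith("/app") and not session.authenticated:
            # Remember the original request. A server that only remembers the URI drops the body.
            session.saved = Request(req.method, req.uri, dict(req.headers),
                                    req.body if self.save_post_body else "")
            return Response(200, body="login form")   # a normal-looking 200, so the browser is fooled
        if session.saved and session.saved.uri == req.uri:
            req, session.saved = session.saved, None   # replay the original method and body
        return application(req)

def browser_form_login(method: str, body: str, save_post_body: bool) -> Response:
    """Client side: original request, login form submission, then follow the redirect."""
    server, session = FormAuthServer(save_post_body), Session()
    first = server.handle(session, Request(method, "/app/report", body=body))
    assert first.status == 200 and first.body == "login form"
    redirect = server.handle(session, Request("POST", LOGIN_URI,
                                              body="j_username=alice&j_password=s3cret"))
    assert redirect.status == 302
    # A browser follows a 302 with a GET and no body: only the server's saved copy can restore it.
    return server.handle(session, Request("GET", redirect.headers["Location"]))

class BasicAuthServer:
    """Basic auth: challenge with 401; the browser resubmits the same request itself."""
    @staticmethod
    def authorized(header: Optional[str]) -> bool:
        if not header or not header.startswith("Basic "):
            return False
        user, _, password = base64.b64decode(header[6:]).decode().partition(":")
        return USERS.get(user) == password

    def handle(self, req: Request) -> Response:
        if req.uri.startswith("/app") and not self.authorized(req.headers.get("Authorization")):
            return Response(401, {"WWW-Authenticate": 'Basic realm="app"'})
        return application(req)

def browser_basic_login(method: str, body: str) -> Response:
    """Client side: the 401 tells the browser to retry with credentials, body included."""
    server = BasicAuthServer()
    req = Request(method, "/app/report", body=body)
    resp = server.handle(req)
    if resp.status == 401:
        req.headers["Authorization"] = "Basic " + base64.b64encode(b"alice:s3cret").decode()
        resp = server.handle(req)   # same method, same body, plus the Authorization header
    return resp
```

Running `browser_form_login("POST", "x=1&y=2", save_post_body=False)` returns the protected page with an empty parameter set, which is exactly the symptom the message predicts; with `save_post_body=True` the original parameters come through, as they do with `browser_basic_login`. For the record, Tomcat's real FormAuthenticator does save the body of the original POST and replays it after login, but only up to the connector's `maxSavePostSize` (4096 bytes by default); a larger POST is the case where the parameters are lost in practice.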