tomcat-users mailing list archives

From: André Warnier
Subject: Re: 501 Method not implemented with successive POST requests
Date: Fri, 13 Aug 2010 20:25:51 GMT
Hans Wahn wrote:
> Thanks for your friendly words and explanations.
> Due to your thought that the POST data of the first request may get
> processed too late and mix up things, I altered the client source, so
> the user credentials are only sent after the initial call (on the
> second request).

No, what I really meant was something like this: do the authentication before even the first POST. The client should first request some resource inside the protected area, but with a GET (for example, some static page). That will trigger the authentication cycle (login page sent by the server, response with credentials by the client, server sending the originally requested page back (or a redirect to it)).
Then, when the client has received this first static resource (and is authenticated for that protected area), have it do the POST.
Then the POST itself will not be interrupted and/or repeated by the authentication cycle.

But, if you are doing this using a form authentication, then there must be something (some information) which is sent in the POST, which allows the server to determine that the client is already authenticated. Normally, one does this by creating a "session" at the server level, saving the authentication data inside that session information, then returning a cookie to the client with the id of that session.
The client then, upon subsequent calls, adds this cookie to the requests, and this is what allows the server to retrieve the corresponding saved session information, including that the client is already authenticated, and thus to decide that it does not have to authenticate the client again.

I believe that most of this should be "automatic", handled automatically by Tomcat and your HttpClient, via the JSESSIONID cookie.

But re-examining your messages to the list and looking at your steps 3 and 4, I see that the value of the JSESSIONID cookie changes in between:

in step 3, you have:

2010/08/12 20:20:17:750 CEST [DEBUG] wire - >> "Cookie:

while in step 4, you have:

2010/08/12 20:20:17:796 CEST [DEBUG] wire - >> "Cookie:

These are 2 different session ids, thus I would think 2 distinct sessions.
Are you sure that there is not something wrong in your authentication logic?

Or is it I who does not understand how these things are supposed to work?
(generic question to the list)
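The check André does by eye on steps 3 and 4, as an added example that is not part of this thread: a small Python script that parses HttpClient-style "wire" debug lines and reports whether the JSESSIONID the client sends stays the same across requests, and whether any change was preceded by a Set-Cookie from the server (a changed id the server never issued would point at the client's own cookie handling). The log lines, paths and session ids are constructed for this example.

```python
import re

# Constructed wire log modelled on the two lines quoted above; the
# session ids and URL are made up for this example.
SAMPLE_WIRE_LOG = """\
2010/08/12 20:20:17:750 CEST [DEBUG] wire - >> "POST /app/upload HTTP/1.1[\\r][\\n]"
2010/08/12 20:20:17:750 CEST [DEBUG] wire - >> "Cookie: JSESSIONID=AAAA1111BBBB2222[\\r][\\n]"
2010/08/12 20:20:17:780 CEST [DEBUG] wire - << "HTTP/1.1 302 Moved Temporarily[\\r][\\n]"
2010/08/12 20:20:17:780 CEST [DEBUG] wire - << "Set-Cookie: JSESSIONID=CCCC3333DDDD4444; Path=/app[\\r][\\n]"
2010/08/12 20:20:17:796 CEST [DEBUG] wire - >> "POST /app/upload HTTP/1.1[\\r][\\n]"
2010/08/12 20:20:17:796 CEST [DEBUG] wire - >> "Cookie: JSESSIONID=CCCC3333DDDD4444[\\r][\\n]"
"""

# timestamp, direction (>> client->server, << server->client), quoted payload
WIRE_RE = re.compile(r'^(?P<ts>\S+ \S+ \S+) \[DEBUG\] wire - (?P<dir>>>|<<) "(?P<payload>.*)"$')
JSESSIONID_RE = re.compile(r'JSESSIONID=([^;\s\[]+)')


def parse_wire_log(text):
    """Return (timestamp, direction, payload) for every wire debug line."""
    events = []
    for line in text.splitlines():
        m = WIRE_RE.match(line)
        if m:
            events.append((m.group('ts'), m.group('dir'), m.group('payload')))
    return events


def session_ids(events):
    """Chronological ('sent'|'received', JSESSIONID) pairs from Cookie/Set-Cookie headers."""
    ids = []
    for _ts, direction, payload in events:
        if direction == '>>' and payload.startswith('Cookie:'):
            kind = 'sent'
        elif direction == '<<' and payload.startswith('Set-Cookie:'):
            kind = 'received'
        else:
            continue
        m = JSESSIONID_RE.search(payload)
        if m:
            ids.append((kind, m.group(1)))
    return ids


def diagnose(text):
    """Was the same session id sent throughout, and was every change server-issued?"""
    ids = session_ids(parse_wire_log(text))
    sent = [sid for kind, sid in ids if kind == 'sent']
    received = [sid for kind, sid in ids if kind == 'received']
    stable = len(set(sent)) <= 1
    # ids the client switched to without the server ever handing them out
    unexplained = [sid for sid in sent if sent and sid != sent[0] and sid not in received]
    return {'sent': sent, 'received': received, 'stable': stable, 'unexplained': unexplained}
```

On the constructed log the id changes but the new one was set by the server, so the question becomes why the first session was not the authenticated one rather than whether the client mangled the cookie.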
