tomcat-users mailing list archives

Site index · List index
Message view « Date » · « Thread »
Top « Date » · « Thread »
From Nicholas Sushkin <>
Subject Re: Should Form Authentication Valve restore request body on a PUT?
Date Fri, 30 Sep 2011 16:20:53 GMT
I can go into more details, if you wish, but basically I am using Forgerock 
OpenAM, which is a single signon/access manager product which has its own 
valve that hooks into the application's login URLs defined in form 
authentication, returns a login form with prepopulated username and password 
fields, with html body having javascript onbody submit. I think it's their way 
to have Tomcat evaluate J2EE roles and soon. When using browser, this all 
happens transparent to the user and the form is being automatically submitted 
by the browser's javascript. When REST API is being used (that's where a PUT 
is required), Tomcat throws authentication form once its session expires, and 
this may happen on any method. GET and POST are handled correctly, but not 
PUT. PUT's body is always lost because the the Form Authentication doesn't 
restore it.

Basically my thinking is that you handle POST, shouldn't you also implement 
PUT the same way, to be consistent?

On Thursday, September 29, 2011 17:04:27 Christopher Schultz wrote:
> I do have one question: why are you using Form-based authentication
> with PUT requests? It seems like HTTP Digest or something like that
> would make more sense when clients can expect to send data without
> being challenged a-priori for credentials.
> Another workaround would just be to use POST.
Nicholas Sushkin, Senior Software Engineer, Manager of IT Operations
Open Finance - Secure, Accurate, Industrial Strength Aggregation
View raw message