tomcat-users mailing list archives

From Mabry Tyson <Ty...@AI.SRI.COM>
Subject Form Authentication and status (response) code
Date Thu, 01 Sep 2011 22:49:30 GMT
Summary: When requiring form authentication, Tomcat responds to an 
unauthenticated GET request with a HTTP status code of 200 (OK) and the 
login page.
I believe that to be in violation of the HTTP standards.

The problem:  Software makes a GET request to a web server.  It gets 
back a 200 status code.  By RFC 2616, that code indicates "the request 
has succeeded".
The software then takes the resulting page as the successful response to 
the GET request.  However, in some cases this response is NOT a 
successful response but is instead a login form.

By using a 200 status code, Tomcat is misrepresenting that the login 
form is the response to the request.  My belief is a 4xx code (client 
error) is appropriate, or possibly a 3xx code (Redirection) might be 
appropriate.  Unfortunately, the RFC indicates that a 401 (Unauthorized) 
response MUST have a header that is only appropriate for basic or digest 
authentication.  So a status code of 401 is not legal in this situation.

It seems unlikely that I'm the first to comment on this.  It must have 
been discussed extensively before.   Can anyone tell me
   (1) What is the reason behind saying the login form is a successful 
   (2) Where is a pointer to the discussions?
   (3) What is an appropriate (non-ad hoc) way to determine that Tomcat 
is returning a login form rather than the requested resource?

(I have done a quick search of the Internet, of Tomcat FAQ, and of 
outstanding Tomcat bugs, but didn't find this.)

For instance, here are the headers when doing a GET of a login protected 
page from the examples shipped with Tomcat:

 > GET /examples/jsp/security/protected/index.jsp HTTP/1.1
 > User-Agent: curl/7.19.7 (universal-apple-darwin10.0) libcurl/7.19.7 
OpenSSL/0.9.8r zlib/1.2.3
 > Host:
 > Accept: */*
< HTTP/1.1 200 OK
< Server: Apache-Coyote/1.1
< Pragma: No-cache
< Cache-Control: no-cache
< Expires: Wed, 31 Dec 1969 19:00:00 EST
< Set-Cookie: JSESSIONID=99FD7582647EEF539C449AEBBA5365EB; Path=/examples
< Content-Type: text/html
< Content-Length: 1413
< Date: Thu, 01 Sep 2011 22:15:29 GMT

while the content starts with
<title>Login Page for Examples</title>
<body bgcolor="white">
<form method="POST" 
action='j_security_check;jsessionid=99FD7582647EEF539C449AEBBA5365EB' >

P.S.  For anyone maintaining the examples, shouldn't vendor examples 
demonstrate the best practices?  I'd suggest you indicate the 
Content-Type and the charset.
Also, it would be handy if the web.xml showed how to have the login page 
be served up by https (along with a note explaining that you don't do it 
here since you don't know that https will be available).
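One non-ad-hoc way to make the distinction asked for in (3), given as an added example that is not code from the original message or from Tomcat: a client treats a 200 text/html response whose body carries a form posting to j_security_check as the container's login page rather than the requested resource. The sample response below is constructed from the headers and body quoted in the message; the input field names are assumed.

```python
from html.parser import HTMLParser
from typing import Dict, List, Tuple

# Constructed sample modelled on the curl exchange quoted above:
# 200 OK, a JSESSIONID cookie, and a body that is the login form.
LOGIN_RESPONSE = (
    "HTTP/1.1 200 OK\r\n"
    "Server: Apache-Coyote/1.1\r\n"
    "Set-Cookie: JSESSIONID=99FD7582647EEF539C449AEBBA5365EB; Path=/examples\r\n"
    "Content-Type: text/html\r\n"
    "\r\n"
    "<title>Login Page for Examples</title>\n"
    "<body bgcolor=\"white\">\n"
    "<form method=\"POST\" "
    "action='j_security_check;jsessionid=99FD7582647EEF539C449AEBBA5365EB' >\n"
    "<input name='j_username'><input type='password' name='j_password'>\n"  # assumed field names
    "</form></body>"
)


class _FormActions(HTMLParser):
    """Collects the action attribute of every <form> in an HTML body."""
    def __init__(self) -> None:
        super().__init__()
        self.actions: List[str] = []

    def handle_starttag(self, tag, attrs):
        if tag.lower() == "form":
            for name, value in attrs:
                if name.lower() == "action" and value:
                    self.actions.append(value)


def parse_response(raw: str) -> Tuple[int, Dict[str, str], str]:
    """Split a raw HTTP/1.1 response into (status, lower-cased headers, body)."""
    head, _, body = raw.partition("\r\n\r\n")
    lines = head.split("\r\n")
    status = int(lines[0].split()[1])
    headers: Dict[str, str] = {}
    for line in lines[1:]:
        key, _, value = line.partition(":")
        headers[key.strip().lower()] = value.strip()
    return status, headers, body


def is_form_login_page(status: int, headers: Dict[str, str], body: str) -> bool:
    """True when a 200 HTML response is really the container's login form.

    A form whose action targets j_security_check is the servlet-spec
    form-login endpoint, so its presence means the resource was not served.
    """
    if status != 200 or "text/html" not in headers.get("content-type", ""):
        return False
    parser = _FormActions()
    parser.feed(body)
    return any("j_security_check" in action for action in parser.actions)
```

A client can run this check on every 200 before trusting the body as the requested resource, which is the only reliable signal while the status code itself says OK.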
