tomcat-users mailing list archives

Site index · List index
Message view « Date » · « Thread »
Top « Date » · « Thread »
From Mark Thomas <>
Subject Re: Should Form Authentication Valve restore request body on a PUT?
Date Fri, 30 Sep 2011 17:10:55 GMT
On 30/09/2011 12:20, Nicholas Sushkin wrote:
> I can go into more details, if you wish, but basically I am using
> Forgerock OpenAM, which is a single signon/access manager product which
> has its own valve that hooks into the application's login URLs defined
> in form authentication, returns a login form with prepopulated username
> and password fields, with html body having javascript onbody submit. I
> think it's their way to have Tomcat evaluate J2EE roles and soon. When
> using browser, this all happens transparent to the user and the form is
> being automatically submitted by the browser's javascript. When REST API
> is being used (that's where a PUT is required), Tomcat throws
> authentication form once its session expires, and this may happen on any
> method. GET and POST are handled correctly, but not PUT. PUT's body is
> always lost because the the Form Authentication doesn't restore it.
> Basically my thinking is that you handle POST, shouldn't you also
> implement PUT the same way, to be consistent?

I'd have no objection so the proposed change.


> On Thursday, September 29, 2011 17:04:27 Christopher Schultz wrote:
>> I do have one question: why are you using Form-based authentication
>> with PUT requests? It seems like HTTP Digest or something like that
>> would make more sense when clients can expect to send data without
>> being challenged a-priori for credentials.
>> Another workaround would just be to use POST.
> -- 
> Nicholas Sushkin, Senior Software Engineer, Manager of IT Operations
> Open Finance - Secure, Accurate, Industrial Strength Aggregation
> <>

To unsubscribe, e-mail:
For additional commands, e-mail:

View raw message