tomcat-users mailing list archives

Site index · List index
Message view « Date » · « Thread »
Top « Date » · « Thread »
From Nicholas Sushkin <>
Subject Re: Should Form Authentication Valve restore request body on a PUT?
Date Fri, 07 Oct 2011 20:11:17 GMT
The bug was that if you do an unauthenticated POST, PUT, or DELETE, the Form 
Authentication valve was trying to do a POST, PUT, or DELETE to the login 
form. The correct behaviour IMHO is to always GET the login form and return it 
as a response to the unauthenticated request of any kind. Then, once the form 
is POSTed and authentication is successful, the original request whatever it 
may have been, should be replayed. Right?

On Friday, October 07, 2011 16:07:20 Nicholas Sushkin wrote:
> Before being forwarded to login page, the request is saved and only then
> turned into GET, before dispatching the forward to the login page. After
> login form is submitted, the original request is restored from the saved
> state and is replayed.
Nicholas Sushkin, Senior Software Engineer, Manager of IT Operations
Open Finance - Secure, Accurate, Industrial Strength Aggregation
View raw message