tomcat-users mailing list archives

From Christopher Schultz <>
Subject Re: Should Form Authentication Valve restore request body on a PUT?
Date Fri, 07 Oct 2011 14:13:00 GMT


On 10/6/2011 10:08 PM, Nicholas Sushkin wrote:
> I now reconfigured DefaultServlet in conf/web.xml with
> readonly=false. Now, an unauthenticated PUT (with or without a
> body) returns 204 No Content instead of the login form. Seems like
> a bug. Should I add this behavior to Bug #51940 or a new bug?

I'll bet what is happening is that your PUT request is being forwarded
without modification to the login page, and your login page is some
static content. Is that right?

If that's what's happening, the DefaultServlet is handling the
request, seeing that it is a PUT, and then complaining that it's
read-only. When you make the DefaultServlet read-write you tell the
DefaultServlet to accept uploads, and you'll probably end up
overwriting your login form with the request entity (oops).

It looks like the authenticator code needs to transform the PUT
request into a GET (or POST?) so that the DefaultServlet doesn't try
to do an upload.

I think you'd have similar problems if trying to use a JSP for your
login-page, because JSPs can't accept PUT requests unless specifically
configured to do so.

Since you're just hacking, try setting the request method to "GET"
when you detect a PUT request that requires authentication.

-chris
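
The suggestion above can be tried without patching the authenticator. The servlet filter below is an added example, not code from this message or from Tomcat: it makes a forwarded request to the login page appear as a GET, so the DefaultServlet serves the page instead of treating the forward as an upload. The class name and the `/login.html` path are assumptions, and it assumes a Servlet 3.0 container (`javax.servlet`).

```java
import java.io.IOException;
import javax.servlet.DispatcherType;
import javax.servlet.Filter;
import javax.servlet.FilterChain;
import javax.servlet.FilterConfig;
import javax.servlet.ServletException;
import javax.servlet.ServletRequest;
import javax.servlet.ServletResponse;
import javax.servlet.annotation.WebFilter;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletRequestWrapper;

// Hypothetical filter: the class name and "/login.html" are assumptions.
// It is mapped to FORWARD dispatches only, so requests that clients send
// directly to the application keep their real HTTP method.
@WebFilter(urlPatterns = "/login.html", dispatcherTypes = DispatcherType.FORWARD)
public class LoginPageMethodFilter implements Filter {

    @Override
    public void init(FilterConfig config) {
        // No configuration needed.
    }

    @Override
    public void doFilter(ServletRequest req, ServletResponse res, FilterChain chain)
            throws IOException, ServletException {
        if (req instanceof HttpServletRequest
                && !"GET".equals(((HttpServletRequest) req).getMethod())) {
            // Present the forwarded PUT (or other method) as a GET to the
            // servlet that renders the login page.
            req = new HttpServletRequestWrapper((HttpServletRequest) req) {
                @Override
                public String getMethod() {
                    return "GET";
                }
            };
        }
        chain.doFilter(req, res);
    }

    @Override
    public void destroy() {
        // Nothing to release.
    }
}
```

Keeping `readonly` at its default in conf/web.xml remains the safer setting while testing this, since a read-write DefaultServlet accepts the forwarded PUT as an upload.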

