tomcat-users mailing list archives

From "Terence M. Bandoian" <tere...@tmbsw.com>
Subject Re: Should Form Authentication Valve restore request body on a PUT?
Date Sun, 09 Oct 2011 20:55:05 GMT
On 1:59 PM, Nicholas Sushkin wrote:
>
> The bug was that if you do an unauthenticated POST, PUT, or DELETE, 
> the Form Authentication valve was trying to do a POST, PUT, or DELETE 
> to the login form. The correct behaviour IMHO is to always GET the 
> login form and return it as a response to the unauthenticated request 
> of any kind. Then, once the form is POSTed and authentication is 
> successful, the original request, whatever it may have been, should be 
> replayed. Right?
>
>
> On Friday, October 07, 2011 16:07:20 Nicholas Sushkin wrote:
>
> > Before being forwarded to the login page, the request is saved and only then
> > turned into GET, before dispatching the forward to the login page. After
> > the login form is submitted, the original request is restored from the saved
> > state and is replayed.
>
> -- 
> Nicholas Sushkin, Senior Software Engineer, Manager of IT Operations
> Open Finance - Secure, Accurate, Industrial Strength Aggregation
> <http://www.openfinance.com>
>

Sounds logical but modifying data on the server:

1) after being diverted to the login form
2) without any type of confirmation

makes me a little uncomfortable.

-Terence Bandoian
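The save-then-replay flow described in the quoted message, and the concern raised above about replaying a state-changing request after a login diversion, can be modelled in a few lines. The following is an added illustration and is not Tomcat's FormAuthenticator code: it parks the unauthenticated request, always answers with a GET of the login form, and after a successful login replays safe methods (GET/HEAD) immediately while holding POST/PUT/DELETE until the user confirms them. The `USERS` table, the URIs, and the `confirm()` step are assumptions made for the example.

```python
from dataclasses import dataclass
from typing import Optional, Tuple

# Methods that may be replayed without confirmation: they do not modify
# server state, so a replay after login cannot be misused to make a change.
SAFE_METHODS = {"GET", "HEAD"}

# Constructed credential store; stands in for the container's Realm (assumption).
USERS = {"alice": "correct horse"}


@dataclass
class Request:
    method: str
    uri: str
    body: bytes = b""


@dataclass
class Session:
    user: Optional[str] = None
    saved: Optional[Request] = None  # request parked while the login form is shown


# Each outcome is (status, action, detail); "action" tells the caller what happened.
Outcome = Tuple[int, str, str]


def intercept(req: Request, session: Session) -> Outcome:
    """Unauthenticated request of any method: park it and answer with the login form.
    The login page itself is always fetched as a GET, never with the original method."""
    if session.user is not None:
        return 200, "pass-through", f"{req.method} {req.uri}"
    session.saved = req
    return 401, "login-form", "GET /login.html"


def login(session: Session, username: str, password: str) -> Outcome:
    """Form submission. On success, decide whether the parked request may be replayed."""
    if USERS.get(username) != password:
        return 401, "login-failed", ""
    session.user = username
    return resume(session)


def resume(session: Session) -> Outcome:
    """Replay safe methods at once; hold state-changing ones for explicit confirmation."""
    req = session.saved
    if req is None:
        return 302, "redirect-home", "/"
    if req.method in SAFE_METHODS:
        return replay(session)
    # State-changing method: show what would be replayed and wait for confirm().
    return 200, "confirm", f"{req.method} {req.uri} ({len(req.body)} bytes)"


def confirm(session: Session) -> Outcome:
    """User explicitly approved replaying the parked state-changing request."""
    if session.user is None or session.saved is None:
        return 400, "nothing-to-confirm", ""
    return replay(session)


def replay(session: Session) -> Outcome:
    """Replay the parked request once, then forget it so it cannot be replayed again."""
    req = session.saved
    assert req is not None
    session.saved = None
    return 200, "replayed", f"{req.method} {req.uri}"


if __name__ == "__main__":
    s = Session()
    print(intercept(Request("PUT", "/api/items/7", b'{"qty": 9}'), s))
    print(login(s, "alice", "correct horse"))
    print(confirm(s))
```

The confirmation page shows the method, URI and body size of the parked request, so the user sees what will be written before it is replayed; clearing `session.saved` inside `replay()` ensures a single replay per login. A container that wanted the behaviour Nicholas describes without the confirmation step would simply have `resume()` call `replay()` for every method.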

---------------------------------------------------------------------
To unsubscribe, e-mail: users-unsubscribe@tomcat.apache.org
For additional commands, e-mail: users-help@tomcat.apache.org

