On 1:59 PM, Nicholas Sushkin wrote:
>
> The bug was that if you do an unauthenticated POST, PUT, or DELETE,
> the Form Authentication valve was trying to do a POST, PUT, or DELETE
> to the login form. The correct behaviour IMHO is to always GET the
> login form and return it as a response to the unauthenticated request
> of any kind. Then, once the form is POSTed and authentication is
> successful, the original request, whatever it may have been, should be
> replayed. Right?
>
>
> On Friday, October 07, 2011 16:07:20 Nicholas Sushkin wrote:
> > Before being forwarded to the login page, the request is saved and only then
> > turned into GET, before dispatching the forward to the login page. After
> > the login form is submitted, the original request is restored from the saved
> > state and is replayed.
>
> --
> Nicholas Sushkin, Senior Software Engineer, Manager of IT Operations
> Open Finance - Secure, Accurate, Industrial Strength Aggregation
> <http://www.openfinance.com>
>
Sounds logical but modifying data on the server:
1) after being diverted to the login form
2) without any type of confirmation
makes me a little uncomfortable.
-Terence Bandoian
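To make the save/forward/replay cycle discussed in this thread concrete, here is an added model of it (example code written for this page, not Tomcat's FormAuthenticator) that applies the cautious policy Terence is asking for: safe methods are replayed transparently after login, while a saved POST/PUT/DELETE is held until the user confirms it. The `Request`/`Session` classes and the `/login.jsp` and `/confirm-replay` paths are assumptions for the example.

```python
from dataclasses import dataclass, field
from typing import Optional

# RFC 7231 "safe" methods: replaying them after login changes no server state.
SAFE_METHODS = {"GET", "HEAD"}


@dataclass
class Request:
    method: str
    uri: str
    body: bytes = b""
    headers: dict = field(default_factory=dict)


@dataclass
class Session:
    saved: Optional[Request] = None          # request parked while logging in
    authenticated: bool = False
    pending_replay: Optional[Request] = None  # state-changing request awaiting confirmation


def handle_unauthenticated(req: Request, session: Session) -> Request:
    """Save the original request (method, URI, body) and forward to the login
    page as a GET, whatever method the original request used."""
    session.saved = req
    return Request("GET", "/login.jsp")  # assumed login page path


def handle_login_success(session: Session) -> Request:
    """After a successful form login, decide what happens to the saved request."""
    saved, session.saved = session.saved, None
    session.authenticated = True
    if saved is None:
        return Request("GET", "/")
    if saved.method in SAFE_METHODS:
        return saved  # transparent replay is harmless for GET/HEAD
    # State-changing request: do not replay it silently; hold it and show a
    # confirmation page (assumed path) so the user consents to the modification.
    session.pending_replay = saved
    return Request("GET", "/confirm-replay")


def confirm_replay(session: Session, confirmed: bool) -> Request:
    """Replay the held request only if the authenticated user confirmed it."""
    req, session.pending_replay = session.pending_replay, None
    if confirmed and req is not None and session.authenticated:
        return req
    return Request("GET", "/")  # declined or nothing pending: drop the saved request
```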
---------------------------------------------------------------------
To unsubscribe, e-mail: users-unsubscribe@tomcat.apache.org
For additional commands, e-mail: users-help@tomcat.apache.org