tomcat-users mailing list archives

From André Warnier ...@ice-sa.com>
Subject Re: [somewhat OT] Form Authentication POST data not preserved?
Date Sun, 05 Feb 2012 18:04:07 GMT
Hi.

I've just been following this thread, and this is not about the problem per se, but a 
comment about the overall design of the application.

The fact that you do a POST without being authenticated, and that you rely on the server 
to save the POST content while the authentication is taking place, and to "replay" this 
POST after a successful authentication, is not really a part of the HTTP protocol (as per 
RFC 2616).

It is a nice feature of Tomcat, and it simplifies the design of an application, and it 
avoids some user frustration.
And maybe the paragraph cited below from the Servlet Spec is what "motivates" Tomcat to 
implement this.

But I don't think that you can count on this behaviour with all HTTP servers, or all 
authentication schemes.  For example, if instead of using Tomcat's container-driven 
authentication (declarative security), your application came at some point to have to use 
a servlet-filter based authentication mechanism (programmatic security), this design may 
not work anymore (unless the filter itself had some POST-saving scheme).

Just thought I'd point that out.


Servlet Spec 3.0, 13.6.3.1 :
...
If the form based login is invoked because of an HTTP request, the original request
parameters must be preserved by the container for use if, on successful
authentication, it redirects the call to the requested resource.
...

Note the "if".

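To make concrete what "unless the filter itself had some POST-saving scheme" would involve, here is an added example of such a filter (hypothetical code, not Tomcat's own `FormAuthenticator` and not from the original post). It assumes a login servlet at `/login` that sets a `user` session attribute on success and then redirects the browser back to the saved URI; the attribute names, the `/login` path and the size cap are assumptions.

```java
import java.io.IOException;
import java.util.*;
import javax.servlet.*;
import javax.servlet.http.*;
/** Hypothetical filter-based login that saves an unauthenticated POST's parameters in the
 *  session and replays them once after login (added example, not Tomcat's own code). */
public class SavedPostAuthFilter implements Filter {
    private static final String SAVED_PARAMS = "savedPostParams", SAVED_URI = "savedPostUri";
    private static final int MAX_SAVED_CHARS = 8 * 1024; // bound what one session can pin in memory
    public void init(FilterConfig cfg) {} public void destroy() {}
    @SuppressWarnings("unchecked")
    public void doFilter(ServletRequest req, ServletResponse res, FilterChain chain)
            throws IOException, ServletException {
        HttpServletRequest r = (HttpServletRequest) req;
        HttpSession session = r.getSession(true);
        if (session.getAttribute("user") == null) {          // assumed: the login servlet sets "user"
            if ("POST".equals(r.getMethod())) {
                // Copy the decoded parameters now: the request body can only be consumed once.
                Map<String, String[]> params = new HashMap<>(r.getParameterMap());
                int chars = 0;
                for (Map.Entry<String, String[]> e : params.entrySet()) {
                    chars += e.getKey().length(); for (String v : e.getValue()) chars += v.length();
                }
                if (chars <= MAX_SAVED_CHARS) {              // oversized bodies are simply not saved
                    session.setAttribute(SAVED_PARAMS, params);
                    session.setAttribute(SAVED_URI, r.getRequestURI());
                }
            }
            ((HttpServletResponse) res).sendRedirect(r.getContextPath() + "/login"); // assumed path
            return;
        }
        Map<String, String[]> saved = (Map<String, String[]>) session.getAttribute(SAVED_PARAMS);
        if (saved != null && r.getRequestURI().equals(session.getAttribute(SAVED_URI))) {
            session.removeAttribute(SAVED_PARAMS); session.removeAttribute(SAVED_URI); // replay once
            chain.doFilter(new ReplayedPost(r, saved), res);
            return;
        }
        chain.doFilter(req, res);
    }
    /** Presents the saved parameters to the target servlet as if they arrived with this request. */
    static class ReplayedPost extends HttpServletRequestWrapper {
        private final Map<String, String[]> params;
        ReplayedPost(HttpServletRequest r, Map<String, String[]> p) { super(r); params = p; }
        @Override public String getMethod() { return "POST"; }
        @Override public Map<String, String[]> getParameterMap() { return Collections.unmodifiableMap(params); }
        @Override public String[] getParameterValues(String n) { return params.get(n); }
        @Override public String getParameter(String n) { String[] v = params.get(n); return v == null ? null : v[0]; }
    }
}
```

Only decoded parameters are kept, not the raw body or its headers, so a multipart upload or a JSON body would not survive the round-trip; rotating the session id at login remains the login servlet's job.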


