tomcat-users mailing list archives

Site index · List index
Message view « Date » · « Thread »
Top « Date » · « Thread »
From Jess Holle <>
Subject Re: [somewhat OT] Form Authentication POST data not preserved?
Date Sun, 05 Feb 2012 18:23:17 GMT
On 2/5/2012 12:04 PM, André Warnier wrote:
> Hi.
> I've just been following this thread, and this is not about the 
> problem per se, but a comment about the overall design of the 
> application.
> The fact that you do a POST without being authenticated, and that you 
> rely on the server to save the POST content while the authentication 
> is taking place, and to "replay" this POST after a succesful 
> authentication, is not really a part of the HTTP protocol (as per RFC 
> 2616).
Form-based authentication is not part of the HTTP protocol.  The 
entirety of form-based authentication is a complete hack of an 
application convention.  Some specifications, e.g. the Java servlet 
specification, provide /some/ rules for form-based authentication within 
their realm, but in general form-based authentication is an "anything 
goes that a user running an interactive browser session can follow" 
> It is a nice feature of Tomcat, and it simplifies the design of an 
> application, and it avoids some user frustration.
> And maybe the paragraph cited below from the Servlet Spec is what 
> "motivates" Tomcat to implement this.
> But I don't think tjat you can count on this behaviour with all HTTP 
> servers, or all authentication schemes.  For example, if instead of 
> using Tomcat's container-driven authentication (declarative security), 
> your application came at some point to have to use a servlet-filter 
> based authentication mechanism (programmatic security), this design 
> may not work anymore (unless the filter itself had some POST-saving 
> scheme).
> Just thought I'd point that out.
Certainly this is an optional / quality of implementation feature.  I'm 
perfectly aware that other form-based authentication solutions will not 
save POST data and may even fail to replay requests at all.  That's fine 
and good.  The application design is not dependent on this behavior.  
Rather, Tomcat documentation says this should work and it doesn't -- 
that's the issue.

Of course this isn't just an "application design" issue.  If you're in 
the midst of your application, fill out a complex form, go out to lunch, 
come back and submit the form chances are good your session will have 
timed out.  In this case, you really want to have POST body capture 
working -- otherwise usability will suffer.
> Servlet Spec 3.0, :
> ...
> If the form based login is invoked because of an HTTP request, the 
> original request
> parameters must be preserved by the container for use if, on successful
> authentication, it redirects the call to the requested resource.
> ...
> Note the "if".
> ---------------------------------------------------------------------
> To unsubscribe, e-mail:
> For additional commands, e-mail:

  • Unnamed multipart/alternative (inline, None, 0 bytes)
View raw message