Summary: When requiring form authentication, Tomcat responds to an
unauthenticated GET request with a HTTP status code of 200 (OK) and the
login page.
I believe that to be in violation of the HTTP standards.
The problem: Software makes a GET request to a web server. It gets
back a 200 status code. By RFC 2616, that code indicates "the request
has succeeded".
The software then takes the resulting page as the successful response to
the GET request. However, in some cases this response is NOT a
successful response
but is instead a login form.
By using a 200 status code, Tomcat is misrepresenting that the login
form is the response to the request. My believe is a 4xx code (client
error) is appropriate, or possibly a 3xx code (Redirection) might be
appropriate. Unfortunately, the RFC indicates that a 401 (Unauthorized)
response MUST have a header that is only appropriate for basic or digest
authentication. So a status code of 401 is not legal in this situation.
It seems unlikely that I'm the first to comment on this. It must have
been discussed extensively before. Can anyone tell me
(1) What is the reason behind saying the login form is a successful
response?
(2) Where is a pointer to the discussions?
(3) What is an appropriate (non-ad hoc) way to determine that Tomcat
is returning a login form rather than the requested resource?
(I have done a quick search of the Internet, of Tomcat FAQ, and of
outstanding Tomcat bugs, but didn't find this.)
For instance, here are the headers when doing a GET of a login protected
page from the examples shipped with Tomcat:
> GET /examples/jsp/security/protected/index.jsp HTTP/1.1
> User-Agent: curl/7.19.7 (universal-apple-darwin10.0) libcurl/7.19.7
OpenSSL/0.9.8r zlib/1.2.3
> Host: xxx.example.com
> Accept: */*
>
< HTTP/1.1 200 OK
< Server: Apache-Coyote/1.1
< Pragma: No-cache
< Cache-Control: no-cache
< Expires: Wed, 31 Dec 1969 19:00:00 EST
< Set-Cookie: JSESSIONID=99FD7582647EEF539C449AEBBA5365EB; Path=/examples
< Content-Type: text/html
< Content-Length: 1413
< Date: Thu, 01 Sep 2011 22:15:29 GMT
while the content starts with
<html>
<head>
<title>Login Page for Examples</title>
<body bgcolor="white">
<form method="POST"
action='j_security_check;jsessionid=99FD7582647EEF539C449AEBBA5365EB' >
P.S. For anyone maintaining the examples, shouldn't vendor examples
demonstrate the best practices? I'd suggest you indicate the
Content-Type and the charset.
Also, it would be handy if the web.xml showed how to have the login page
be served up by https (along with a note explaining that you don't do it
here since you don't know that https willl be available).
---------------------------------------------------------------------
To unsubscribe, e-mail: users-unsubscr...@tomcat.apache.org
For additional commands, e-mail: users-h...@tomcat.apache.org
