In Tomcat 6, the Form Authentication valve restores the original request after a 
POST with successful authentication and redirect is followed by the client's 
GET. In the case of a POST, the valve also restores the original request's body. 
However, it doesn't do that for a PUT. If I am not mistaken, it should restore 
the body on PUT as well. Do I misunderstand something?


The patch would be in FormAuthenticator.restoreRequest(Request, Session) [1], 
to change from

    if ("POST".equalsIgnoreCase(saved.getMethod())) { 

to

    if ("POST".equalsIgnoreCase(saved.getMethod()) || 
        "PUT".equalsIgnoreCase(saved.getMethod())
        ) { 

[1] http://svn.apache.org/viewvc/tomcat/tc6.0.x/trunk/java/org/apache/catalina/authenticator/FormAuthenticator.java?view=markup#l450
-- 
Nicholas Sushkin, Senior Software Engineer, Manager of IT Operations
Open Finance - Secure, Accurate, Industrial Strength Aggregation
<http://www.openfinance.com>
