Hi.
I've just been following this thread, and this is not about the problem per se, but a
comment about the overall design of the application.
The fact that you do a POST without being authenticated, and that you rely on the server
to save the POST content while the authentication is taking place, and to "replay" this
POST after a succesful authentication, is not really a part of the HTTP protocol (as per
RFC 2616).
It is a nice feature of Tomcat, and it simplifies the design of an application, and it
avoids some user frustration.
And maybe the paragraph cited below from the Servlet Spec is what "motivates" Tomcat to
implement this.
But I don't think tjat you can count on this behaviour with all HTTP servers, or all
authentication schemes. For example, if instead of using Tomcat's container-driven
authentication (declarative security), your application came at some point to have to use
a servlet-filter based authentication mechanism (programmatic security), this design may
not work anymore (unless the filter itself had some POST-saving scheme).
Just thought I'd point that out.
Servlet Spec 3.0, 13.6.3.1 :
...
If the form based login is invoked because of an HTTP request, the original
request
parameters must be preserved by the container for use if, on successful
authentication, it redirects the call to the requested resource.
...
Note the "if".
---------------------------------------------------------------------
To unsubscribe, e-mail: users-unsubscr...@tomcat.apache.org
For additional commands, e-mail: users-h...@tomcat.apache.org
