On 2/5/2012 12:04 PM, André Warnier wrote:
> Hi.
> I've just been following this thread, and this is not about the
> problem per se, but a comment about the overall design of the
> application.
> The fact that you do a POST without being authenticated, and that you
> rely on the server to save the POST content while the authentication
> is taking place, and to "replay" this POST after a successful
> authentication, is not really a part of the HTTP protocol (as per RFC
> 2616).
Form-based authentication is not part of the HTTP protocol. The
entirety of form-based authentication is a complete hack of an
application convention. Some specifications, e.g. the Java servlet
specification, provide /some/ rules for form-based authentication within
their realm, but in general form-based authentication is an "anything
goes that a user running an interactive browser session can follow"
convention.
> It is a nice feature of Tomcat, and it simplifies the design of an
> application, and it avoids some user frustration.
> And maybe the paragraph cited below from the Servlet Spec is what
> "motivates" Tomcat to implement this.
> But I don't think that you can count on this behaviour with all HTTP
> servers, or all authentication schemes. For example, if instead of
> using Tomcat's container-driven authentication (declarative security),
> your application came at some point to have to use a servlet-filter
> based authentication mechanism (programmatic security), this design
> may not work anymore (unless the filter itself had some POST-saving
> scheme).
> Just thought I'd point that out.
Certainly this is an optional / quality of implementation feature. I'm
perfectly aware that other form-based authentication solutions will not
save POST data and may even fail to replay requests at all. That's fine
and good. The application design is not dependent on this behavior.
Rather, Tomcat documentation says this should work and it doesn't --
that's the issue.
Of course this isn't just an "application design" issue. If you're in
the midst of your application, fill out a complex form, go out to lunch,
come back and submit the form chances are good your session will have
timed out. In this case, you really want to have POST body capture
working -- otherwise usability will suffer.
> Servlet Spec 3.0, 13.6.3.1:
> ...
> If the form based login is invoked because of an HTTP request, the
> original request
> parameters must be preserved by the container for use if, on successful
> authentication, it redirects the call to the requested resource.
> ...
> Note the "if".
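As an added illustration of the "POST-saving scheme" a servlet filter would need under programmatic security (example code written for this page, not from the thread or from Tomcat), here is a minimal filter that parks the parameters of an unauthenticated POST in the session and replays them once after login. It assumes the filter is mapped to the protected paths only (not to /login), that the login servlet sets the session attribute "user" on success, and that it then redirects the browser to the URI stored under the filter's SAVED_URI attribute; all of those names are assumptions.

```java
import java.io.IOException;
import java.util.*;
import javax.servlet.*;
import javax.servlet.http.*;

public class SavedPostFilter implements Filter {
    // Assumed convention: /login sets session attribute "user", then redirects (GET) to SAVED_URI.
    static final String SAVED_URI = "savedPost.uri", SAVED_PARAMS = "savedPost.params";
    static final int MAX_PARAM_CHARS = 64 * 1024; // bound what an anonymous client may park in the session

    public void init(FilterConfig c) {}
    public void destroy() {}

    public void doFilter(ServletRequest sreq, ServletResponse sres, FilterChain chain)
            throws IOException, ServletException {
        HttpServletRequest req = (HttpServletRequest) sreq;
        HttpServletResponse res = (HttpServletResponse) sres;
        HttpSession session = req.getSession(true);
        if (session.getAttribute("user") == null) {                 // not authenticated
            if ("POST".equalsIgnoreCase(req.getMethod())) {
                Map<String, String[]> params = new HashMap<>(req.getParameterMap());
                int size = 0;
                for (Map.Entry<String, String[]> e : params.entrySet())
                    for (String v : e.getValue()) size += e.getKey().length() + v.length();
                if (size <= MAX_PARAM_CHARS) {                       // oversized POSTs are simply dropped
                    session.setAttribute(SAVED_URI, req.getRequestURI());
                    session.setAttribute(SAVED_PARAMS, params);
                }
            }
            res.sendRedirect(req.getContextPath() + "/login");
            return;
        }
        // Authenticated: if this is the post-login return to a parked POST's URI, replay it exactly once.
        @SuppressWarnings("unchecked")
        final Map<String, String[]> saved = (Map<String, String[]>) session.getAttribute(SAVED_PARAMS);
        if (saved != null && req.getRequestURI().equals(session.getAttribute(SAVED_URI))) {
            session.removeAttribute(SAVED_URI);
            session.removeAttribute(SAVED_PARAMS);
            chain.doFilter(new HttpServletRequestWrapper(req) {   // present the parked parameters as a POST
                @Override public String getMethod() { return "POST"; }
                @Override public Map<String, String[]> getParameterMap() { return saved; }
                @Override public String[] getParameterValues(String n) { return saved.get(n); }
                @Override public String getParameter(String n) {
                    String[] v = saved.get(n); return v == null ? null : v[0]; }
                @Override public Enumeration<String> getParameterNames() {
                    return Collections.enumeration(saved.keySet()); }
            }, res);
            return;
        }
        chain.doFilter(req, res);
    }
}
```

Only the parameter map is parked, not a raw body, and only within the session that made the original POST, so a replay can never be triggered for a different user's session; the login servlet should still rotate the session id on success, which keeps session attributes (including the parked POST) intact.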