You are viewing a plain text version of this content. The canonical link for it is here.

Posted to dev@shiro.apache.org by "Les Hazlewood (JIRA)" <ji...@apache.org> on 2009/01/26 06:40:59 UTC

[jira] Updated: (JSEC-44) Enable POST redirects on session timeout

     [ https://issues.apache.org/jira/browse/JSEC-44?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel ]

Les Hazlewood updated JSEC-44:
------------------------------

        Fix Version/s: 1.0
    Affects Version/s: 1.0

> Enable POST redirects on session timeout
> ----------------------------------------
>
>                 Key: JSEC-44
>                 URL: https://issues.apache.org/jira/browse/JSEC-44
>             Project: JSecurity
>          Issue Type: New Feature
>          Components: Session Management
>    Affects Versions: 1.0
>            Reporter: Jesse O'Neill-Oine
>             Fix For: 1.0
>
>
> When a user is filling out a form for a long time and they don't submit (POST) within the session timeout limit they lose the newly entered data because after logging in they are redirected via GET to the target URI.  This feature would enable redirecting a POST as a POST and therefore after successfully logging back in the user would see the result of their initial action.
> See email thread here: http://jsecurity.markmail.org/search/JSecurity+Saving+POST+data%3F?page=1
> Summary:
> The solution might work like this:  
> since we have control over the Request/Response pair, we could do something snazzy where, if the SavedRequest in the session is a POST request, we can manually construct a Request object indicating a POST method and send that into the filter chain directly instead of the originating GET Request given to us by the Servlet container.
> So, in essence, a GET would be redirected as a GET, and a POST would be redirected as a POST.  It would work in a REST scenario because the SavedRequest is stored in the session.
> But this again assumes that this is even desirable (POST redirect).  We could make it configurable I suppose (enablePostRedirects = true/false) in the JSecurityFilter configuration if someone didn't like that idea.

-- 
This message is automatically generated by JIRA.
-
You can reply to this email to add a comment to the issue online.