Posted to users@tomcat.apache.org by André Warnier <aw...@ice-sa.com> on 2012/02/05 19:04:07 UTC

Re: [somewhat OT] Form Authentication POST data not preserved?

Hi.

I've just been following this thread, and this is not about the problem per se, but a 
comment about the overall design of the application.

The fact that you do a POST without being authenticated, and that you rely on the server 
to save the POST content while the authentication is taking place, and to "replay" this 
POST after a successful authentication, is not really a part of the HTTP protocol (as per 
RFC 2616).

It is a nice feature of Tomcat, and it simplifies the design of an application, and it 
avoids some user frustration.
And maybe the paragraph cited below from the Servlet Spec is what "motivates" Tomcat to 
implement this.

But I don't think that you can count on this behaviour with all HTTP servers, or all 
authentication schemes.  For example, if instead of using Tomcat's container-driven 
authentication (declarative security), your application came at some point to have to use 
a servlet-filter based authentication mechanism (programmatic security), this design may 
not work anymore (unless the filter itself had some POST-saving scheme).

Just thought I'd point that out.


Servlet Spec 3.0, 13.6.3.1 :
...
If the form based login is invoked because of an HTTP request, the original request
parameters must be preserved by the container for use if, on successful
authentication, it redirects the call to the requested resource.
...

Note the "if".


---------------------------------------------------------------------
To unsubscribe, e-mail: users-unsubscribe@tomcat.apache.org
For additional commands, e-mail: users-help@tomcat.apache.org
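André's remark that a servlet-filter based login would only keep this behaviour "if the filter itself had some POST-saving scheme" is worth making concrete. The filter below is an added example written for this archive, not code from the thread, from Tomcat or from the Servlet Spec. It assumes the Servlet 3.0 API, a hypothetical login page at /login, a hypothetical session attribute "user" that the login handler sets on success, and a hypothetical session key SAVED_POST; the size cap and expiry values are constructed. It saves the parameters of an unauthenticated POST, redirects to the login page, and replays the saved parameters exactly once, only to the URI that was originally requested and only while they are fresh.

```java
package example;

import java.io.IOException;
import java.util.Collections;
import java.util.Enumeration;
import java.util.HashMap;
import java.util.Map;

import javax.servlet.Filter;
import javax.servlet.FilterChain;
import javax.servlet.FilterConfig;
import javax.servlet.ServletException;
import javax.servlet.ServletRequest;
import javax.servlet.ServletResponse;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletRequestWrapper;
import javax.servlet.http.HttpServletResponse;
import javax.servlet.http.HttpSession;

/** Filter-based save-then-replay of a POST made before login (hypothetical example). */
public class SavedPostFilter implements Filter {
    static final String SAVED_POST = "example.savedPost"; // session attribute key (hypothetical)
    static final int MAX_SAVED_CHARS = 64 * 1024;          // bound on what one session may store
    static final long MAX_AGE_MS = 10L * 60 * 1000;         // saved POSTs expire after 10 minutes

    /** What is kept while the user authenticates: target URI, parameters, timestamp. */
    static final class SavedPost {
        final String uri;
        final Map<String, String[]> params;
        final long savedAt = System.currentTimeMillis();
        SavedPost(String uri, Map<String, String[]> params) { this.uri = uri; this.params = params; }
    }

    /** Presents the saved parameters to the target servlet as if they had just been POSTed. */
    static final class ReplayRequest extends HttpServletRequestWrapper {
        private final Map<String, String[]> params;
        ReplayRequest(HttpServletRequest req, Map<String, String[]> params) { super(req); this.params = params; }
        @Override public String getMethod() { return "POST"; }
        @Override public Map<String, String[]> getParameterMap() { return params; }
        @Override public String[] getParameterValues(String name) { return params.get(name); }
        @Override public Enumeration<String> getParameterNames() { return Collections.enumeration(params.keySet()); }
        @Override public String getParameter(String name) {
            String[] v = params.get(name);
            return (v == null || v.length == 0) ? null : v[0];
        }
    }

    @Override public void init(FilterConfig config) {}
    @Override public void destroy() {}

    @Override
    public void doFilter(ServletRequest sreq, ServletResponse sres, FilterChain chain)
            throws IOException, ServletException {
        HttpServletRequest req = (HttpServletRequest) sreq;
        HttpServletResponse res = (HttpServletResponse) sres;
        HttpSession session = req.getSession(true);

        if (session.getAttribute("user") == null) {            // not authenticated yet
            if ("POST".equals(req.getMethod())) {
                // Copy the parsed parameters; the cap keeps a single session from holding a huge body.
                Map<String, String[]> params = new HashMap<String, String[]>(req.getParameterMap());
                if (charCount(params) <= MAX_SAVED_CHARS) {
                    session.setAttribute(SAVED_POST, new SavedPost(req.getRequestURI(), params));
                }
            }
            res.sendRedirect(req.getContextPath() + "/login");
            return;
        }

        SavedPost saved = (SavedPost) session.getAttribute(SAVED_POST);
        if (saved != null) {
            session.removeAttribute(SAVED_POST);                 // replay at most once
            boolean fresh = System.currentTimeMillis() - saved.savedAt <= MAX_AGE_MS;
            // Only replay to the resource the user originally submitted to, and only while fresh.
            if (fresh && saved.uri.equals(req.getRequestURI())) {
                chain.doFilter(new ReplayRequest(req, saved.params), res);
                return;
            }
        }
        chain.doFilter(req, res);
    }

    /** Rough size of a parameter set, used to cap what a session may store. */
    static int charCount(Map<String, String[]> params) {
        int n = 0;
        for (Map.Entry<String, String[]> e : params.entrySet()) {
            n += e.getKey().length();
            for (String v : e.getValue()) n += v.length();
        }
        return n;
    }
}
```

Two things the container does for you in Tomcat's built-in scheme have to be done by hand here. The login handler must send the browser back to the saved URI after a successful login (read it from the session attribute), since the filter only replays when the post-login request hits that same URI. And if the login handler rotates the session at login, as a session-fixation defence commonly does, it has to carry the saved post over into the new session or the form data is lost. The cap is applied after the container has already parsed the body, so it limits what is retained per session, not what the connector reads; the connector's own post-size limit still governs the latter.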


Re: [somewhat OT] Form Authentication POST data not preserved?

Posted by Jess Holle <je...@ptc.com>.
On 2/5/2012 2:53 PM, Christopher Schultz wrote:
> -----BEGIN PGP SIGNED MESSAGE-----
> Hash: SHA1
>
> Jess,
>
> On 2/5/12 1:23 PM, Jess Holle wrote:
>> Certainly this is an optional / quality of implementation feature.
>> I'm perfectly aware that other form-based authentication solutions
>> will not save POST data and may even fail to replay requests at
>> all.  That's fine and good.  The application design is not
>> dependent on this behavior. Rather, Tomcat documentation says this
>> should work and it doesn't -- that's the issue.
> FWIW, SecurityFilter also provides similar capabilities. I'd be
> shocked if this wasn't industry-wide capability for servlet containers.
I was considering form-based authentication on an even broader basis -- 
as one can do this in the web server instead of in the servlet engine.

That said, yes, most solutions do cover this base -- and Tomcat says it 
does, but doesn't if you use an AJP connector.

Fortunately the fix is trivial to patch in.

--
Jess Holle




Re: [somewhat OT] Form Authentication POST data not preserved?

Posted by Christopher Schultz <ch...@christopherschultz.net>.
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

Jess,

On 2/5/12 1:23 PM, Jess Holle wrote:
> Certainly this is an optional / quality of implementation feature.
> I'm perfectly aware that other form-based authentication solutions
> will not save POST data and may even fail to replay requests at
> all.  That's fine and good.  The application design is not
> dependent on this behavior. Rather, Tomcat documentation says this
> should work and it doesn't -- that's the issue.

FWIW, SecurityFilter also provides similar capabilities. I'd be
shocked if this wasn't industry-wide capability for servlet containers.

- -chris
-----BEGIN PGP SIGNATURE-----
Version: GnuPG/MacGPG2 v2.0.17 (Darwin)
Comment: GPGTools - http://gpgtools.org
Comment: Using GnuPG with Mozilla - http://enigmail.mozdev.org/

iEYEARECAAYFAk8u7EkACgkQ9CaO5/Lv0PDZ0ACghcEXQ7pTElJawGg64eFQFkKS
0swAn3hcVSNeaEx9D9sXI5ZJN6ASwKhL
=Azqj
-----END PGP SIGNATURE-----



Re: [somewhat OT] Form Authentication POST data not preserved?

Posted by Jess Holle <je...@ptc.com>.
On 2/5/2012 12:04 PM, André Warnier wrote:
> Hi.
>
> I've just been following this thread, and this is not about the 
> problem per se, but a comment about the overall design of the 
> application.
>
> The fact that you do a POST without being authenticated, and that you 
> rely on the server to save the POST content while the authentication 
> is taking place, and to "replay" this POST after a successful 
> authentication, is not really a part of the HTTP protocol (as per RFC 
> 2616).
Form-based authentication is not part of the HTTP protocol.  The 
entirety of form-based authentication is a complete hack of an 
application convention.  Some specifications, e.g. the Java servlet 
specification, provide /some/ rules for form-based authentication within 
their realm, but in general form-based authentication is an "anything 
goes that a user running an interactive browser session can follow" 
convention.
> It is a nice feature of Tomcat, and it simplifies the design of an 
> application, and it avoids some user frustration.
> And maybe the paragraph cited below from the Servlet Spec is what 
> "motivates" Tomcat to implement this.
>
> But I don't think that you can count on this behaviour with all HTTP 
> servers, or all authentication schemes.  For example, if instead of 
> using Tomcat's container-driven authentication (declarative security), 
> your application came at some point to have to use a servlet-filter 
> based authentication mechanism (programmatic security), this design 
> may not work anymore (unless the filter itself had some POST-saving 
> scheme).
>
> Just thought I'd point that out.
Certainly this is an optional / quality of implementation feature.  I'm 
perfectly aware that other form-based authentication solutions will not 
save POST data and may even fail to replay requests at all.  That's fine 
and good.  The application design is not dependent on this behavior.  
Rather, Tomcat documentation says this should work and it doesn't -- 
that's the issue.

Of course this isn't just an "application design" issue.  If you're in 
the midst of your application, fill out a complex form, go out to lunch, 
come back and submit the form chances are good your session will have 
timed out.  In this case, you really want to have POST body capture 
working -- otherwise usability will suffer.
> Servlet Spec 3.0, 13.6.3.1 :
> ...
> If the form based login is invoked because of an HTTP request, the 
> original request
> parameters must be preserved by the container for use if, on successful
> authentication, it redirects the call to the requested resource.
> ...
>
> Note the "if".