Hello Orion Users:

I think that I have detected a problem with the j_security_check behavior in
Orion. But if someone can shed some light and tell me if I am doing
something wrong with my config files, I will be very grateful.

Scenario:

1.- A browser sends a GET request to a servlet, using a URL mapping
(servlet-mapping). This servlet was secured using the web.xml elements for
security configuration.

2.- The login form appears, as expected, and after processing the user's
credentials, using a POST to j_security_check, two things can happen:

2.a) If the servlet does not implement doPost, a 405 status code is
returned to the browser, even though the original request was a GET!

2.b) If the servlet implements doPost, then its code will be executed
instead of doGet!!!

As far as I can see, the j_security_check routine in Orion is not preserving
the original command when a servlet is involved in the
authentication/authorization process. The servlet was invoked with a GET but
after login, a POST was sent to the servlet.


My environment: Windows 2000 Adv. Server SP1, Sun JVM 1.3 (I could not make
Orion run with IBM JDK 1.3, there is a "Xerces problem" while starting
Orion).

Authentication with html pages works as expected. Fragments of my web.xml
file:

<servlet>
<servlet-name>test</servlet-name><servlet-class>Test</servlet-class>
</servlet>
<servlet-mapping>
<url-pattern>test</url-pattern><servlet-name>test</servlet-name>
</servlet-mapping>

<security-role>
<role-name>admin</role-name>
</security-role>

<login-config>
<auth-method>FORM</auth-method>
<form-login-config>
<form-login-page>/login.htm</form-login-page>
<form-error-page>/error.htm</form-error-page>
</form-login-config>
</login-config>

<security-constraint>
<web-resource-collection>
<web-resource-name>testservlet</web-resource-name>
<url-pattern>test</url-pattern>
<http-method>GET</http-method>
<http-method>POST</http-method>
</web-resource-collection>
<auth-constraint>
<role-name>admin</role-name>
</auth-constraint>
</security-constraint>



Best regards,
Martin

PS: we are actually porting an application from Resin to Orion, and studying
the J2EE portability problems in the process. FYI, the same example code is
working as expected in Resin 2.0.1.
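
The dispatch behaviour reported above, as an added example that is not part of the original post and is not Orion or Resin code: a simplified model of FORM login in which the container saves the intercepted request and, after the POST to j_security_check, either replays the saved method or reuses the login POST's method. The class names, the session id and the /test path are assumptions made for the illustration.

```python
# Simplified model of FORM login (constructed for illustration, not Orion code).
from dataclasses import dataclass

@dataclass
class Request:
    method: str
    path: str

class Servlet:
    """Dispatches like HttpServlet.service(): unimplemented methods get 405."""
    def __init__(self, handlers):
        self.handlers = handlers            # e.g. {"GET": "doGet"}

    def service(self, method):
        if method not in self.handlers:
            return 405, None
        return 200, self.handlers[method]

class FormAuthContainer:
    def __init__(self, servlet, preserve_method):
        self.servlet = servlet
        self.preserve_method = preserve_method
        self.saved = {}                     # session id -> intercepted request
        self.authenticated = set()

    def handle(self, session, req):
        if req.path == "/j_security_check":
            # Credentials are assumed valid; only the dispatch step is modelled.
            original = self.saved.pop(session)
            self.authenticated.add(session)
            # Correct: replay the saved method. Reported: reuse the login POST.
            method = original.method if self.preserve_method else req.method
            return self.servlet.service(method)
        if session not in self.authenticated:
            self.saved[session] = req       # remember what the user asked for
            return 200, "/login.htm"
        return self.servlet.service(req.method)

def login_flow(handlers, preserve_method):
    """GET the protected servlet, log in, return (status, handler invoked)."""
    c = FormAuthContainer(Servlet(handlers), preserve_method)
    assert c.handle("s1", Request("GET", "/test")) == (200, "/login.htm")
    return c.handle("s1", Request("POST", "/j_security_check"))

if __name__ == "__main__":
    for handlers in ({"GET": "doGet"}, {"GET": "doGet", "POST": "doPost"}):
        for preserve in (True, False):
            print(sorted(handlers), preserve, login_flow(handlers, preserve))
```

With preserve_method set to False the model reproduces both cases 2.a and 2.b; with True the original GET reaches doGet in either servlet.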


