Re: Should Form Authentication Valve restore request body on a PUT?

Thu, 29 Sep 2011 14:04:59 -0700 

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

Nicholas,

On 9/29/2011 3:37 PM, Nicholas Sushkin wrote:
> In Tomcat 6, Form Authentication valve restores the original
> request after a POST with successful authentication and redirect is
> followed by the client's GET. In case of the POST, the valve also
> restores the original request's body. However, it doesn't do that
> for a PUT.

That's not entirely surprising.

> If I am not mistaken, it should restore the body on PUT as well. Do
> I misunderstand something?

The servlet spec (v3.0, SRV 13.6.3.1) has this to say:
"
If the form based login is invoked because of an HTTP request, the
original request parameters must be preserved by the container for use
if, on successful authentication, it redirects the call to the
requested resource.
"

It doesn't say what kinds of HTTP verbs should or should not be
supported, but GET and PUT seem entirely obvious. It doesn't say that
the request body needs to be maintained, only the "request
parameters". Since the servlet specification doesn't have any
provisions for fetching request parameters from PUT operations, I
suppose the spec therefore doesn't directly recommend that PUT bodies
be stored for later use like when POST is used.

> The patch would be in FormAuthenticator.restoreRequest(Request,
> Session) [1], to change from
> 
> if ("POST".equalsIgnoreCase(saved.getMethod())) {
> 
> to
> 
> if ("POST".equalsIgnoreCase(saved.getMethod()) || 
> "PUT".equalsIgnoreCase(saved.getMethod())) {

On the face of it, that seems reasonable. I haven't read-through the
code that then replays the saved-request so I'm not sure if there's
more to be done.

I do have one question: why are you using Form-based authentication
with PUT requests? It seems like HTTP Digest or something like that
would make more sense when clients can expect to send data without
being challenged a-priori for credentials.

Another workaround would just be to use POST.

- -chris
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.10 (MingW32)
Comment: Using GnuPG with Mozilla - http://enigmail.mozdev.org/

iEYEARECAAYFAk6E3VsACgkQ9CaO5/Lv0PD67gCdGvoSAw3CJKRokEg0GNvDz7Tn
62oAnjovksaQNSkPiPDXg9jl9RSROVup
=JpnY
-----END PGP SIGNATURE-----

---------------------------------------------------------------------
To unsubscribe, e-mail: users-unsubscr...@tomcat.apache.org
For additional commands, e-mail: users-h...@tomcat.apache.org

Reply via email to