I can go into more details, if you wish, but basically I am using ForgeRock OpenAM, which is a single sign-on/access manager product which has its own valve that hooks into the application's login URLs defined in form authentication, returns a login form with prepopulated username and password fields, with the HTML body having JavaScript onbody submit. I think it's their way to have Tomcat evaluate J2EE roles and so on. When using a browser, this all happens transparently to the user and the form is automatically submitted by the browser's JavaScript. When the REST API is being used (that's where a PUT is required), Tomcat throws the authentication form once its session expires, and this may happen on any method. GET and POST are handled correctly, but not PUT. PUT's body is always lost because the Form Authentication doesn't restore it.

Basically my thinking is that you handle POST, shouldn't you also implement PUT the same way, to be consistent?

On Thursday, September 29, 2011 17:04:27 Christopher Schultz wrote:
> I do have one question: why are you using Form-based authentication
> with PUT requests? It seems like HTTP Digest or something like that
> would make more sense when clients can expect to send data without
> being challenged a-priori for credentials.
>
> Another workaround would just be to use POST.

--
Nicholas Sushkin, Senior Software Engineer, Manager of IT Operations
Open Finance - Secure, Accurate, Industrial Strength Aggregation
<http://www.openfinance.com>