On 30/09/2011 12:20, Nicholas Sushkin wrote:
> I can go into more details, if you wish, but basically I am using
> Forgerock OpenAM, which is a single sign-on/access manager product which
> has its own valve that hooks into the application's login URLs defined
> in form authentication, returns a login form with prepopulated username
> and password fields, with html body having javascript onbody submit. I
> think it's their way to have Tomcat evaluate J2EE roles and so on. When
> using browser, this all happens transparent to the user and the form is
> being automatically submitted by the browser's javascript. When REST API
> is being used (that's where a PUT is required), Tomcat throws
> authentication form once its session expires, and this may happen on any
> method. GET and POST are handled correctly, but not PUT. PUT's body is
> always lost because the Form Authentication doesn't restore it.
>
>
> Basically my thinking is that you handle POST, shouldn't you also
> implement PUT the same way, to be consistent?

I'd have no objection to the proposed change.

Mark

>
>
> On Thursday, September 29, 2011 17:04:27 Christopher Schultz wrote:
> >> I do have one question: why are you using Form-based authentication
> >> with PUT requests? It seems like HTTP Digest or something like that
> >> would make more sense when clients can expect to send data without
> >> being challenged a-priori for credentials.
> >>
> >> Another workaround would just be to use POST.
> --
>
> Nicholas Sushkin, Senior Software Engineer, Manager of IT Operations
>
> Open Finance - Secure, Accurate, Industrial Strength Aggregation
>
> <http://www.openfinance.com>
>