On 1:59 PM, Nicholas Sushkin wrote:

The bug was that if you do an unauthenticated POST, PUT, or DELETE, the Form Authentication valve was trying to do a POST, PUT, or DELETE to the login form. The correct behaviour IMHO is to always GET the login form and return it as a response to the unauthenticated request of any kind. Then, once the form is POSTed and authentication is successful, the original request, whatever it may have been, should be replayed. Right?


On Friday, October 07, 2011 16:07:20 Nicholas Sushkin wrote:

> Before being forwarded to login page, the request is saved and only then
> turned into GET, before dispatching the forward to the login page. After
> login form is submitted, the original request is restored from the saved
> state and is replayed.

--

Nicholas Sushkin, Senior Software Engineer, Manager of IT Operations

Open Finance - Secure, Accurate, Industrial Strength Aggregation

<http://www.openfinance.com>


Sounds logical but modifying data on the server:

1) after being diverted to the login form
2) without any type of confirmation

makes me a little uncomfortable.

-Terence Bandoian

---------------------------------------------------------------------
To unsubscribe, e-mail: users-unsubscr...@tomcat.apache.org
For additional commands, e-mail: users-h...@tomcat.apache.org
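The save-then-replay flow described in the thread, together with the confirmation step Terence is asking for, modelled as an added Python example. This is not Tomcat's FormAuthenticator code and is not from either poster; the `FormAuthValve` class, the toy `ItemsApp`, the `/confirm` path and the `alice`/`s3cret` credentials are constructed assumptions for illustration. With `replay_unsafe=True` the valve behaves as the thread describes (the saved POST is replayed immediately after login); with the default `replay_unsafe=False` only GET/HEAD are replayed automatically and a state-changing request is parked until the now-authenticated user confirms it.

```python
"""Toy model of form login with a saved-request replay (constructed example)."""
from dataclasses import dataclass, field
from urllib.parse import parse_qs

SAFE_METHODS = {"GET", "HEAD"}  # idempotent, safe to replay without asking


@dataclass
class Request:
    method: str
    path: str
    body: str = ""
    session: dict = field(default_factory=dict)  # stands in for the cookie-bound session


@dataclass
class Response:
    status: int
    body: str = ""


class ItemsApp:
    """Minimal protected application: GET lists items, POST appends one."""

    def __init__(self):
        self.items = []

    def __call__(self, req: Request) -> Response:
        if req.method == "GET" and req.path == "/items":
            return Response(200, ",".join(self.items))
        if req.method == "POST" and req.path == "/items":
            self.items.append(req.body)
            return Response(201, req.body)
        return Response(404)


class FormAuthValve:
    """Saves the unauthenticated request, always answers with the login form,
    and after a successful login either replays the saved request or, for
    state-changing methods, parks it until the user confirms on a second page."""

    def __init__(self, app, users, replay_unsafe=False):
        self.app = app
        self.users = users            # username -> password (constructed, not a real store)
        self.replay_unsafe = replay_unsafe

    def invoke(self, req: Request) -> Response:
        sess = req.session
        if req.path == "/j_security_check" and req.method == "POST":
            return self._login(req)
        if req.path == "/confirm" and req.method == "POST":   # assumed path
            return self._confirm(req)
        if "user" in sess:
            return self.app(req)
        # Whatever the method was, save it as-is; the login form itself is
        # always served as if it had been fetched with GET.
        sess["saved"] = Request(req.method, req.path, req.body, sess)
        return Response(200, "LOGIN_FORM")

    def _login(self, req: Request) -> Response:
        sess = req.session
        creds = parse_qs(req.body)
        user = creds.get("j_username", [""])[0]
        pw = creds.get("j_password", [""])[0]
        if self.users.get(user) != pw:
            return Response(403, "LOGIN_FAILED")
        sess["user"] = user
        saved = sess.pop("saved", None)
        if saved is None:
            return Response(200, "LANDING")
        if saved.method in SAFE_METHODS or self.replay_unsafe:
            return self.app(saved)            # replay the original request
        # Defensive variant: never modify server state as a side effect of login.
        sess["pending"] = saved
        return Response(200, f"CONFIRM {saved.method} {saved.path}")

    def _confirm(self, req: Request) -> Response:
        sess = req.session
        pending = sess.pop("pending", None)
        if "user" not in sess or pending is None:
            return Response(400, "NOTHING_TO_CONFIRM")
        return self.app(pending)


def run_scenario(replay_unsafe: bool) -> dict:
    """Unauthenticated POST /items, then login, then a confirm click."""
    app = ItemsApp()
    valve = FormAuthValve(app, {"alice": "s3cret"}, replay_unsafe)
    session = {}  # one session shared by all three requests, like a cookie
    first = valve.invoke(Request("POST", "/items", "widget", session))
    login = valve.invoke(Request("POST", "/j_security_check",
                                 "j_username=alice&j_password=s3cret", session))
    after_login = list(app.items)
    confirm = valve.invoke(Request("POST", "/confirm", "", session))
    return {"first": first.body, "login": login.body, "after_login": after_login,
            "confirm": confirm.body, "after_confirm": list(app.items)}


if __name__ == "__main__":
    print("replay immediately:", run_scenario(True))
    print("ask for confirmation:", run_scenario(False))
```

The point of the two runs is the `after_login` value: with immediate replay the item already exists the moment the password is accepted, which is exactly the "modifying data without confirmation" that the reply objects to; with the confirmation variant the store is untouched until the user explicitly resubmits.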
