https://issues.apache.org/bugzilla/show_bug.cgi?id=51940
             Bug #: 51940
           Summary: Form Authentication Valve should restore request body on PUT method
           Product: Tomcat 6
           Version: 6.0.33
          Platform: PC
        OS/Version: Linux
            Status: NEW
          Severity: normal
          Priority: P2
         Component: Catalina
        AssignedTo: dev@tomcat.apache.org
        ReportedBy: nsush...@openfinance.com
    Classification: Unclassified

In Tomcat 6 (and 7), Form Authentication valve restores the original request after a POST with successful authentication and redirect is followed by the client's GET. In case of the POST, the valve also restores the original request's body. However, it doesn't do that for a PUT. To be consistent, Tomcat should restore the body on PUT as well.

The patch would be in FormAuthenticator.restoreRequest(Request, Session) [1], to change from

    if ("POST".equalsIgnoreCase(saved.getMethod())) {

to

    if ("POST".equalsIgnoreCase(saved.getMethod()) || "PUT".equalsIgnoreCase(saved.getMethod()) ) {

[1] http://svn.apache.org/viewvc/tomcat/tc6.0.x/trunk/java/org/apache/catalina/authenticator/FormAuthenticator.java?view=markup#l450

Maybe related to Bug #48692.

This issue was discussed on users mailing list archived at
http://markmail.org/thread/klafrhln32v3zcau
and
http://mail-archives.apache.org/mod_mbox/tomcat-users/201109.mbox/%3C3052451.ZX31eH6Cz8@strela%3E

Regarding "Re: Should Form Authentication Valve restore request body on a PUT?", on Thursday, September 29, 2011 17:04:27, Christopher Schultz wrote to Tomcat Users List <us...@tomcat.apache.org>
> ...
> The servlet spec (v3.0, SRV 13.6.3.1) has this to say:
> "
> If the form based login is invoked because of an HTTP request, the
> original request parameters must be preserved by the container for use
> if, on successful authentication, it redirects the call to the
> requested resource.
> "
>
> It doesn't say what kinds of HTTP verbs should or should not be
> supported, but GET and PUT seem entirely obvious. It doesn't say that
> the request body needs to be maintained, only the "request
> parameters". Since the servlet specification doesn't have any
> provisions for fetching request parameters from PUT operations, I
> suppose the spec therefore doesn't directly recommend that PUT bodies
> be stored for later use like when POST is used.
> ...
> On the face of it, that seems reasonable. I haven't read-through the
> code that then replays the saved-request so I'm not sure if there's
> more to be done.

Regarding "Re: Should Form Authentication Valve restore request body on a PUT?", on Friday, September 30, 2011 13:10:55, Mark Thomas wrote to Tomcat Users List <us...@tomcat.apache.org>
> I'd have no objection to the proposed change.
>
> Mark
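
The behaviour described in the report, as an added illustration that is not Tomcat's code and not part of the original report: a simplified model in which the saved method is replayed after login and the body is restored only when the method check passes. SavedRequest, Replayed, currentCheck, proposedCheck and restore are hypothetical names, and the model assumes the saved method is always replayed; only the two conditions are taken from the report. Needs Java 16 or later for records.

```java
import java.nio.charset.StandardCharsets;

// Simplified model of form-auth request replay; NOT Tomcat's FormAuthenticator.
// All type and method names below are hypothetical stand-ins for illustration.
public class RestoreBodyDemo {

    // What the valve keeps in the session before redirecting to the login form.
    record SavedRequest(String method, byte[] body) {}

    // What the application sees once the original request is replayed.
    record Replayed(String method, byte[] body) {}

    // Condition quoted in the report: only a saved POST gets its body back.
    static boolean currentCheck(SavedRequest saved) {
        return "POST".equalsIgnoreCase(saved.method());
    }

    // Condition proposed in the report: POST or PUT.
    static boolean proposedCheck(SavedRequest saved) {
        return "POST".equalsIgnoreCase(saved.method())
                || "PUT".equalsIgnoreCase(saved.method());
    }

    static Replayed restore(SavedRequest saved, boolean restoreBody) {
        // The client's follow-up request after login is a body-less GET, so the
        // only source for the original body is the copy saved in the session.
        byte[] body = restoreBody ? saved.body().clone() : new byte[0];
        return new Replayed(saved.method(), body);
    }

    public static void main(String[] args) {
        // Constructed sample payload.
        byte[] payload = "{\"name\":\"constructed sample\"}".getBytes(StandardCharsets.UTF_8);
        for (String method : new String[] {"POST", "PUT", "GET"}) {
            SavedRequest saved = new SavedRequest(method,
                    method.equals("GET") ? new byte[0] : payload);
            Replayed before = restore(saved, currentCheck(saved));
            Replayed after = restore(saved, proposedCheck(saved));
            System.out.printf("%-4s saved=%d bytes, current check replays %d, proposed replays %d%n",
                    method, saved.body().length, before.body().length, after.body().length);
        }
    }
}
```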