[SERVLET_SPEC-39] Form Authentication redirection Created: 22/May/12 Updated: 22/Feb/13
|Reporter:||gregwilkins||Assignee:||Shing Wai Chan|
When a request is received that requires form authentication, the server remembers the original URL (and perhaps form-encoded parameters) and redirects to a login page. Once the user completes the login form, a request is sent to j_security_check, and if authentication is successful, a redirection is sent to the saved URL.
|Comment by gregwilkins [ 22/May/12 ]|
A potential solution would be to allow a token to be passed from the initial redirect to the login form page, and for the login form page to be able to pass that token to the j_security_check request, so that the server can precisely determine the request that was redirected to the login form and thus redirect back to that request and not to some other stray request that came before or after.
If no token is present, then we should still firm up the definition of what saved URL j_security_check should redirect to.
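The following is an added example, not part of the issue or of any container's code: a plain-Java model of one session's saved-request state, comparing a single saved-URL slot with the per-redirect token proposed in the comment above. All class and method names, the sample URLs, the pending-entry limit and the "most recently saved URL" fallback for a missing token are assumptions made for illustration; the issue leaves that fallback undefined.

```java
import java.security.SecureRandom;
import java.util.*;

/** Model of one HTTP session's saved-request state during form login (hypothetical names). */
public class SavedRequestDemo {
    private static final SecureRandom RNG = new SecureRandom();

    // Single slot per session: the last request saved before login completes wins.
    static class SingleSlotSession {
        private String savedUrl;
        void save(String url) { savedUrl = url; }
        String afterLogin() { String u = savedUrl; savedUrl = null; return u; }
    }

    // Proposed behaviour: every redirect to the login page gets its own opaque token.
    static class TokenSession {
        private static final int MAX_PENDING = 8; // assumed cap to bound per-session memory
        private final Map<String, String> pending = new LinkedHashMap<>();
        private String lastSaved;
        String save(String url) {
            byte[] raw = new byte[16];
            RNG.nextBytes(raw); // unguessable, so a client cannot pick another entry
            String token = Base64.getUrlEncoder().withoutPadding().encodeToString(raw);
            if (pending.size() >= MAX_PENDING) {
                pending.remove(pending.keySet().iterator().next()); // evict oldest entry
            }
            pending.put(token, url);
            lastSaved = url;
            return token; // carried through the login page to j_security_check
        }

        // The URL always comes from server-side state; the token only selects an entry.
        String afterLogin(String token) {
            String url = (token == null) ? null : pending.remove(token); // single use
            return (url != null) ? url : lastSaved; // assumed fallback: most recent save
        }
    }

    public static void main(String[] args) {
        // Constructed scenario: a stray request arrives while the login form is open.
        SingleSlotSession old = new SingleSlotSession();
        old.save("/app/report?id=7");
        old.save("/app/favicon.ico");
        System.out.println("single slot -> " + old.afterLogin());
        TokenSession s = new TokenSession();
        String t = s.save("/app/report?id=7");
        s.save("/app/favicon.ico");
        System.out.println("with token  -> " + s.afterLogin(t));
        System.out.println("no token    -> " + s.afterLogin(null));
    }
}
```

Because the redirect target is looked up from the session rather than read from the request, the token adds no way for a client to steer the post-login redirect to an arbitrary URL.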
|Comment by Shing Wai Chan [ 22/Feb/13 ]|
Adding it to the bucket of FUTURE_RELEASE