[JIRA] Commented: (SERVLET_SPEC-39) Form Authentication redirection
- From: "gregwilkins (JIRA)" <jira-no-reply@...>
- To: issues@...
- Subject: [JIRA] Commented: (SERVLET_SPEC-39) Form Authentication redirection
- Date: Tue, 22 May 2012 10:40:21 +0000 (GMT+00:00)
- Auto-submitted: auto-generated
gregwilkins commented on SERVLET_SPEC-39:
A potential solution would be to allow a token to be passed from the initial
redirect to the login form page, and for the login form page to be able to
pass that token to the j_security_check request, so that the server can
precisely determine the request that was redirected to the login form and
thus redirect back to that request and not to some other stray request that
came before or after.
If no token is present, then we should still firm up the definition of what
saved URL j_security_check should redirect to.
> Form Authentication redirection
> Key: SERVLET_SPEC-39
> URL: http://java.net/jira/browse/SERVLET_SPEC-39
> Project: servlet-spec
> Issue Type: Bug
> Reporter: gregwilkins
> When a request is received that requires form authentication, the server
> remembers the original URL (and perhaps form encoded parameters) and
> redirects to a login page. Once the user completes the login form a
> request is sent to j_security_check, and if authentication is successful,
> a redirection is sent to the saved URL.
> ajax style requests, and since users can decline to authenticate on the
> first presentation of a web form, it is possible that for a given session
> multiple requests are received that are redirected to the login form.
> The problem for the server is to decide if it should eventually redirect to
> the first of the saved URLs; to the last of the saved; or to some
> heuristically chosen one in between.
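The token scheme proposed in the comment above, sketched as an added example (not part of the original message, the Servlet specification, or any container's code). The class `SavedRequestStore`, its method names, the cap on pending entries, the "most recent saved URL" fallback and the clearing of entries after login are all assumptions made for illustration.

```java
import java.security.SecureRandom;
import java.util.Base64;
import java.util.LinkedHashMap;
import java.util.Map;

/** Hypothetical per-session store of requests that were redirected to the login form. */
public class SavedRequestStore {
    private static final SecureRandom RNG = new SecureRandom();
    private static final int MAX_PENDING = 8; // assumed cap so stray requests cannot grow the session

    // token -> saved URL in arrival order; the eldest entry is evicted beyond the cap
    private final Map<String, String> pending = new LinkedHashMap<String, String>() {
        @Override protected boolean removeEldestEntry(Map.Entry<String, String> eldest) {
            return size() > MAX_PENDING;
        }
    };

    /** Called when an unauthenticated request is redirected to the login page. */
    public synchronized String save(String requestUrl) {
        byte[] raw = new byte[16];
        RNG.nextBytes(raw); // unguessable, so the token cannot be predicted by another page
        String token = Base64.getUrlEncoder().withoutPadding().encodeToString(raw);
        pending.put(token, requestUrl);
        return token; // sent with the login redirect, echoed back by the form to j_security_check
    }

    /** Called by j_security_check after authentication has succeeded. */
    public synchronized String resolve(String token, String defaultUrl) {
        // The token is only a lookup key: the redirect target always comes from
        // server-side state, so a forged token cannot steer the redirect elsewhere.
        String url = (token == null) ? null : pending.get(token);
        if (url == null) {
            // No token or unknown token: apply one defined rule (assumed: most recent saved URL).
            for (String saved : pending.values()) url = saved;
        }
        pending.clear(); // assumed: a completed login consumes every saved request
        return (url != null) ? url : defaultUrl;
    }

    public static void main(String[] args) {
        SavedRequestStore session = new SavedRequestStore();
        String pageToken = session.save("/app/orders/42"); // constructed sample URLs
        session.save("/app/ajax/poll?since=17");           // stray background request
        System.out.println(session.resolve(pageToken, "/app/"));
        System.out.println(session.resolve("forged", "/app/"));
    }
}
```

The first `resolve` call returns the page the user actually asked for even though a background request was saved after it; the second call, made with an unknown token on an empty store, falls through to the default URL.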