[
https://jira.jboss.org/jira/browse/JBAS-6175?page=com.atlassian.jira.plug...
]
Keith Johnston updated JBAS-6175:
---------------------------------
Attachment: request_log.txt
Added Fiddler output
Form-based WAR authentication - redirect fails second time round.
-----------------------------------------------------------------
Key: JBAS-6175
URL: https://jira.jboss.org/jira/browse/JBAS-6175
Project: JBoss Application Server
Issue Type: Bug
Security Level: Public(Everyone can see)
Components: Security, Web (Tomcat) service
Affects Versions: JBossAS-4.2.2.GA
Environment: Win XP; JDK 1.6.0_07; Firefox 3.0.3
Reporter: Keith Johnston
Assignee: Anil Saldhana
Attachments: request_log.txt
When using standard J2EE authentication of a WAR file, redirects fail to return the
correct page.
Authentication proceeds as follows:
1. Request / -> server responds with login page.
2. Login ok -> server authenticates and sends 302 redirect
3. Follow redirect -> server responds with 'real' page.
4. Do some work...
5. Invalidate session to logout; send browser to / with JavaScript using
window.location()
6. Request / -> server responds with login page.
7. Login ok -> server authenticates and sends 302 redirect
8. Follow redirect -> server responds with 304 -> browser renders
last seen version of URL: login page.
The result of step 8 should be to display the 'real' page.
Refreshing the page (Ctrl-R) loads the 'real' page fine, confirming authentication
worked ok and that the browser is incorrectly using a cached copy.
The same behaviour is also seen in Google Chrome, although Internet Explorer works as
expected.
Possible cause?
-----------------------
I'm wondering if Tomcat is getting confused with the If-Modified-Since or
If-None-Match values on the requests? The requests made in steps 3 & 8 are identical
(all headers the same).
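The symptom in step 8, replayed through a minimal browser-cache model as an added example (not part of the original report and not JBoss or Tomcat code). The trace is constructed to mirror steps 1-8 rather than taken from the attached request_log.txt; `LOGIN_MARKER`, `storable` and `replay` are hypothetical names, and the model only shows how a 304 resolves to a stored login form, it does not diagnose why the server sent the 304.

```python
# Added example: replay a captured exchange through a minimal browser-cache model.
# TRACE is constructed to mirror steps 1-8 of the report (steps 4-5 send no request to /).
LOGIN_MARKER = "j_security_check"  # form action used by servlet FORM authentication

TRACE = [
    # (step, method, url, status, response headers, body)
    (1, "GET", "/", 200, {}, "<form action='j_security_check'>"),
    (2, "POST", "/j_security_check", 302, {"Location": "/"}, ""),
    (3, "GET", "/", 200, {}, "<h1>real page</h1>"),
    (6, "GET", "/", 200, {}, "<form action='j_security_check'>"),
    (7, "POST", "/j_security_check", 302, {"Location": "/"}, ""),
    (8, "GET", "/", 304, {}, ""),
]

def storable(headers):
    """A response marked no-store must not be kept by the browser cache."""
    return "no-store" not in headers.get("Cache-Control", "").lower()

def replay(trace):
    """Return (rendered, findings): what the browser shows per GET, plus warnings."""
    cache, rendered, findings = {}, {}, []
    for step, method, url, status, headers, body in trace:
        if method != "GET":
            continue
        if status == 200:
            if storable(headers):
                cache[url] = body
                if LOGIN_MARKER in body:
                    findings.append((step, "cacheable login form served at " + url))
            else:
                cache.pop(url, None)  # drop any older copy of this URL
            rendered[step] = body
        elif status == 304:
            shown = cache.get(url)  # 304 means: reuse the stored copy
            rendered[step] = shown
            if shown is not None and LOGIN_MARKER in shown:
                findings.append((step, "304 resolved to cached login form for " + url))
    return rendered, findings

if __name__ == "__main__":
    shown, warnings = replay(TRACE)
    for step, message in warnings:
        print("step", step, "-", message)
```

Run over a real capture, `replay` flags both the cacheable login responses and any 304 that would re-display them; a login response carrying `Cache-Control: no-store` produces neither finding.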