Josef Cacek created WFLY-8229:
---------------------------------
Summary: When Elytron is used redirect from j_security_check uses HTTP code
303
Key: WFLY-8229
URL:
https://issues.jboss.org/browse/WFLY-8229
Project: WildFly
Issue Type: Bug
Components: Web (Undertow), Security
Reporter: Josef Cacek
Assignee: Stuart Douglas
Priority: Blocker
Form authentication backed by Elytron in the web applications uses status code 303 (See
Other) to redirect user after processing /j_security_check.
We see two serious issues here:
* Legacy security uses status code 302 (Moved Temporarily/Found) to handle this redirect
and existing applications/clients may behave differently for these different codes. (e.g.
default behavior of Apache HTTP client is to follow redirect for 303, but not to follow
for 302)
* The 303 status code was introduced in HTTP 1.1 so it's not part of HTTP 1.0, but the
303 is returned also for HTTP/1.0 request as a HTTP/1.0 response, which is wrong.
--
This message was sent by Atlassian JIRA
(v7.2.3#72005)