Elytron form authentication does not store POST data ---------------------------------------------------- Key: ELY-997 URL: https://issues.jboss.org/browse/ELY-997 Project: WildFly Elytron Issue Type: Bug Components: Authentication Mechanisms Affects Versions: 1.1.0.Beta28 Reporter: Jan Kalina Assignee: Jan Kalina Priority: Blocker Labels: authentication, eap71_alpha, form, http, servlet Form authentication backed by Elytron in the web applications uses status code 303 (See Other) to redirect user after processing /j_security_check. We see two serious issues here: * Legacy security uses status code 302 (Moved Temporarily/Found) to handle this redirect and existing applications/clients may behave differently for these different codes. (e.g. default behavior of Apache HTTP client is to follow redirect for 303, but not to follow for 302) * The 303 status code was introduced in HTTP 1.1 so it's not part of HTTP 1.0, but the 303 is returned also for HTTP/1.0 request as a HTTP/1.0 response, which is wrong.