[jboss-jira] [JBoss JIRA] Created: (JBAS-6175) Form-based WAR authentication - redirect fails second time round.

Keith Johnston (JIRA) jira-events at lists.jboss.org
Fri Nov 7 07:08:36 EST 2008 

Form-based WAR authentication - redirect fails second time round.
-----------------------------------------------------------------

                 Key: JBAS-6175
                 URL: https://jira.jboss.org/jira/browse/JBAS-6175
             Project: JBoss Application Server
          Issue Type: Bug
      Security Level: Public (Everyone can see)
          Components: Security, Web (Tomcat) service
    Affects Versions: JBossAS-4.2.2.GA
         Environment: Win XP; JDK 1.6.0_07; Firefox 3.0.3
            Reporter: Keith Johnston
            Assignee: Anil Saldhana


When using standard J2EE authentication of a WAR file redirects fail to return the correct page.

Authentication proceeds as follows:
 1. Request /                      ->  server responds with login page.
 2. Login ok                        ->  server authenticates and sends 302 redirect
 3. Follow redirect             ->  server responds with 'real' page.
 4. Do some work...
 5. Invalidate session to logout; send browser to / with javascript using window.location()
 6. Request /                      ->  server responds with login page.
 7. Login ok                        ->  server authenticates and sends 302 redirect
 8. Follow redirect             ->  server responds with 304 -> browser renders last seen version of URL: login page.

The result of step 8 should be to display the 'real' page.
Refreshing the page (Ctrl-R) loads the 'real' page fine confirming authentication worked ok and that the browser is incorrectly using a cached copy.
The same behaviour is also seen in Google Chrome, although Internet explorer works as expected.

Possible cause?
-----------------------
I'm wondering if tomcat is getting confused with the If-Modified-Since or If-None-Match values on the requests? The requests made in steps 3 & 8 are identical (all headers the same).

-- 
This message is automatically generated by JIRA.
-
If you think it was sent incorrectly contact one of the administrators: https://jira.jboss.org/jira/secure/Administrators.jspa
-
For more information on JIRA, see: http://www.atlassian.com/software/jira

More information about the jboss-jira mailing list