[jboss-jira] [JBoss JIRA] (ELY-997) Elytron form authentication does not store POST data

Jan Kalina (JIRA) issues at jboss.org
Thu Mar 9 09:17:00 EST 2017


     [ https://issues.jboss.org/browse/ELY-997?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel ]

Jan Kalina moved JBEAP-9455 to ELY-997:
---------------------------------------

              Project: WildFly Elytron  (was: JBoss Enterprise Application Platform)
                  Key: ELY-997  (was: JBEAP-9455)
             Workflow: GIT Pull Request workflow   (was: CDW with loose statuses v1)
          Component/s: Authentication Mechanisms
                           (was: Security)
                           (was: Web (Undertow))
    Affects Version/s: 1.1.0.Beta28
                           (was: 7.1.0.DR12)


> Elytron form authentication does not store POST data
> ----------------------------------------------------
>
>                 Key: ELY-997
>                 URL: https://issues.jboss.org/browse/ELY-997
>             Project: WildFly Elytron
>          Issue Type: Bug
>          Components: Authentication Mechanisms
>    Affects Versions: 1.1.0.Beta28
>            Reporter: Jan Kalina
>            Assignee: Jan Kalina
>            Priority: Blocker
>              Labels: authentication, eap71_alpha, form, http, servlet
>
> Form authentication backed by Elytron in web applications uses status code 303 (See Other) to redirect the user after processing /j_security_check.
> We see two serious issues here:
> * Legacy security uses status code 302 (Moved Temporarily/Found) to handle this redirect, and existing applications/clients may behave differently for these different codes (e.g. the default behavior of Apache HTTP client is to follow the redirect for 303, but not for 302).
> * The 303 status code was introduced in HTTP/1.1, so it is not part of HTTP/1.0, but 303 is also returned for an HTTP/1.0 request as an HTTP/1.0 response, which is wrong.



--
This message was sent by Atlassian JIRA
(v7.2.3#72005)


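As an added check, not part of the report above and not Elytron's or WildFly's code: a Python script that POSTs the form-login fields to /j_security_check once as HTTP/1.1 and once as HTTP/1.0, reads the raw status line, and reports whether the server answered 303 (and, in particular, whether a 303 went back to an HTTP/1.0 client). The host, port, credentials and Location value are assumptions. The bundled mock server is a constructed stand-in that reproduces the behaviour the report describes (303 for every login POST, echoing the client's HTTP version) so the script runs offline; point post_login at a real deployment to test it instead.

```python
import re
import socket
import threading

LOGIN_PATH = "/j_security_check"  # standard servlet form-login action


def post_login(host, port, http_version="1.1", user="alice", password="secret"):
    """Send a raw form-login POST and return (response_version, status, location).

    The request is built by hand so the HTTP version on the request line is
    exactly the one under test; urllib/requests would always speak HTTP/1.1.
    Credentials are placeholders (assumption).
    """
    body = f"j_username={user}&j_password={password}"
    request = (
        f"POST {LOGIN_PATH} HTTP/{http_version}\r\n"
        f"Host: {host}:{port}\r\n"
        "Content-Type: application/x-www-form-urlencoded\r\n"
        f"Content-Length: {len(body)}\r\n"
        "Connection: close\r\n\r\n" + body
    )
    with socket.create_connection((host, port), timeout=5) as s:
        s.sendall(request.encode("ascii"))
        raw = b""
        while True:
            chunk = s.recv(4096)
            if not chunk:
                break
            raw += chunk
    head = raw.split(b"\r\n\r\n", 1)[0].decode("iso-8859-1")
    status_line, *header_lines = head.split("\r\n")
    m = re.match(r"HTTP/(\d\.\d) (\d{3})", status_line)
    if not m:
        raise ValueError(f"unparseable status line: {status_line!r}")
    headers = {k.strip().lower(): v.strip()
               for k, v in (h.split(":", 1) for h in header_lines if ":" in h)}
    return m.group(1), int(m.group(2)), headers.get("location")


def assess(request_version, status):
    """Return the findings from the report that apply to this redirect."""
    findings = []
    if status == 303 and request_version == "1.0":
        findings.append("303 sent to an HTTP/1.0 client; 303 only exists from HTTP/1.1")
    if status == 303:
        findings.append("303 instead of the 302 used by legacy form auth; clients may differ")
    if status not in (302, 303):
        findings.append(f"unexpected status {status} after form login")
    return findings


def start_mock_server(always_303=True):
    """Constructed stand-in for the server under test (not Elytron).

    always_303=True mirrors the reported behaviour: 303 for every login POST,
    echoing the client's HTTP version. always_303=False answers 302 instead.
    Returns (port, listening_socket); close the socket to stop the server.
    """
    srv = socket.socket()
    srv.setsockopt(socket.SOL_SOCKET, socket.SO_REUSEADDR, 1)
    srv.bind(("127.0.0.1", 0))
    srv.listen(5)

    def handle(conn):
        with conn:
            data = b""
            while b"\r\n\r\n" not in data:
                chunk = conn.recv(4096)
                if not chunk:
                    return
                data += chunk
            head, body = data.split(b"\r\n\r\n", 1)
            # Drain the body so closing the socket does not reset the client.
            m = re.search(rb"(?i)content-length:\s*(\d+)", head)
            want = int(m.group(1)) if m else 0
            while len(body) < want:
                chunk = conn.recv(4096)
                if not chunk:
                    break
                body += chunk
            req_version = head.split(b"\r\n", 1)[0].rsplit(b"HTTP/", 1)[1].decode()
            status = "303 See Other" if always_303 else "302 Found"
            conn.sendall(
                f"HTTP/{req_version} {status}\r\nLocation: /index.jsp\r\n"  # assumed landing page
                "Content-Length: 0\r\nConnection: close\r\n\r\n".encode("ascii")
            )

    def serve():
        while True:
            try:
                conn, _ = srv.accept()
            except OSError:  # listening socket closed: stop serving
                return
            handle(conn)

    threading.Thread(target=serve, daemon=True).start()
    return srv.getsockname()[1], srv


if __name__ == "__main__":
    port, srv = start_mock_server(always_303=True)
    for version in ("1.1", "1.0"):
        resp_version, status, location = post_login("127.0.0.1", port, version)
        print(f"HTTP/{version} request -> HTTP/{resp_version} {status}, Location: {location}")
        for finding in assess(version, status):
            print("  !", finding)
    srv.close()
```

Against the mock in its default mode the HTTP/1.0 run produces both findings; against the 302 mode (start_mock_server(always_303=False)) it produces none, which is the behaviour the report asks for.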