[undertow-dev] FormAuthentication -> handleRedirectback method

Anil Saldhana Anil.Saldhana at redhat.com
Fri Dec 20 16:04:21 EST 2013


On 12/20/2013 04:36 AM, Stuart Douglas wrote:
>
> ----- Original Message -----
>> From: "Anil Saldhana" <Anil.Saldhana at redhat.com>
>> To: undertow-dev at lists.jboss.org
>> Sent: Thursday, 19 December, 2013 6:44:49 PM
>> Subject: Re: [undertow-dev] FormAuthentication -> handleRedirectback method
>>
>> Scratch what I just said.
>>
>> FormAuthentication.java uses cookies while
>> ServletFormAuthentication.java uses session.
>>
>> I think the reason is that the former has no facility for Servlet
>> httpSession.
>>
> I will change the non-servlet one to also use the session.
>
I am unsure if you want to provide the form authentication feature to
non-servlet-based use cases. I don't think it really is used in HTTP-based
services; DIGEST, BASIC and CLIENT-CERT are more prominent in non-servlet-based
use cases.
>
>> On 12/19/2013 11:30 AM, Anil Saldhana wrote:
>>> Probably not going to happen. Just use httpsession. :)
>>>
>>> On 12/19/2013 11:27 AM, Anil Saldhana wrote:
>>>> Thinking further, this may inhibit a case of cookie injection that hacks
>>>> the location url.
>>>> After form authentication, the server blindly redirects to the location
>>>> read from the cookie.
>>>>
>>>> On 12/19/2013 11:24 AM, Anil Saldhana wrote:
>>>>>> Also no path is being set on the cookie. If user is using more than one
>>>>>> web app with FORM authentication
>>>>>> on the same server, this may wreak havoc.
>>>>>>
>>>>>> On 12/19/2013 11:02 AM, Anil Saldhana wrote:
>>>>>>>> Stuart,
>>>>>>>>        I am unsure it is right to use cookies to remember the form
>>>>>>>>        redirect
>>>>>>>> url.  Traditionally, web containers (Tomcat and Jetty) have used http
>>>>>>>> session to remember the redirect url.
>>>>>>>>
>>>>>>>> If a user has turned off cookies, then it may not work.
>>>>>>>>
>>>>>>>> Regards,
>>>>>>>> Anil
>>>>>>
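The two concerns raised in the thread (a cookie issued with no path, so every FORM-protected application on the same host shares it, and a post-login redirect that trusts whatever location the cookie carries) can both be addressed at the point where the location is saved and where it is read back. The following is an added illustration in plain Java; it is not Undertow's code, the class, method and cookie names are assumptions, and it uses only `java.net` from the JDK so it compiles without the Undertow API.

```java
import java.net.HttpCookie;
import java.net.URI;
import java.net.URISyntaxException;

// Added example, not Undertow code. Shows two defensive points from the thread:
// 1. scope the "saved location" cookie to the web application's context path;
// 2. never redirect to a cookie-supplied location without checking that it is a
//    plain path inside this application.
public final class FormRedirectGuard {

    // Hypothetical cookie name; the real name Undertow uses is not shown in the thread.
    static final String COOKIE_NAME = "FORM_REDIRECT_LOCATION";

    private FormRedirectGuard() {}

    /** Build the cookie that remembers where to go after login, scoped to contextPath. */
    public static HttpCookie savedLocationCookie(String contextPath, String originalRequestPath) {
        HttpCookie c = new HttpCookie(COOKIE_NAME, originalRequestPath);
        c.setPath(contextPath.isEmpty() ? "/" : contextPath); // without this it is sent to every app on the host
        c.setHttpOnly(true);   // page script has no reason to read it
        c.setSecure(true);     // assumption: the application is served over HTTPS
        c.setMaxAge(300);      // only needed for the duration of the login round trip
        return c;
    }

    /**
     * Returns a redirect target that is safe to place in a Location header, or
     * the fallback when the stored value is not a path inside this application.
     */
    public static String safeRedirectTarget(String stored, String contextPath, String fallback) {
        if (stored == null || stored.isEmpty()) {
            return fallback;
        }
        // CR/LF in the value would let it terminate the Location header early.
        if (stored.indexOf('\r') >= 0 || stored.indexOf('\n') >= 0) {
            return fallback;
        }
        // Must be an absolute path on this host: rejects "https://other.example" and "//other.example".
        if (!stored.startsWith("/") || stored.startsWith("//")) {
            return fallback;
        }
        URI uri;
        try {
            uri = new URI(stored).normalize(); // collapses "/app/../other-app"
        } catch (URISyntaxException e) {
            return fallback;
        }
        if (uri.getScheme() != null || uri.getAuthority() != null) {
            return fallback;
        }
        String path = uri.getRawPath();
        if (path == null) {
            return fallback;
        }
        // normalize() keeps a leading ".." it cannot resolve; any remaining dot segment means "escaped the root".
        for (String segment : path.split("/")) {
            if ("..".equals(segment) || ".".equals(segment)) {
                return fallback;
            }
        }
        // Stay inside this application's context path ("" means the root context).
        if (!contextPath.isEmpty() && !path.equals(contextPath) && !path.startsWith(contextPath + "/")) {
            return fallback;
        }
        String query = uri.getRawQuery();
        return query == null ? path : path + "?" + query;
    }

    public static void main(String[] args) {
        String ctx = "/app";
        HttpCookie c = savedLocationCookie(ctx, "/app/orders?id=7");
        System.out.println(c.getName() + "=" + c.getValue() + "; Path=" + c.getPath());

        // Constructed inputs: the first is a legitimate saved location, the rest
        // are the kind of injected value the thread warns about.
        String[] samples = {
            "/app/orders?id=7",
            "https://other.example/login",
            "//other.example/login",
            "/other-app/admin",
            "/app/../other-app/admin",
            "/app/x\r\nSet-Cookie: injected=1",
            null
        };
        for (String s : samples) {
            String shown = String.valueOf(s).replace("\r\n", "\\r\\n");
            System.out.println(shown + " -> " + safeRedirectTarget(s, ctx, ctx + "/"));
        }
    }
}
```

With the sample inputs above, only the first value comes back unchanged; every other one is replaced by the fallback `/app/`. Storing the location in the HTTP session, as the thread suggests, removes the injection path entirely because the client can no longer write the value, but the same check is still worth applying to any location that originated in a client request.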