Peter,

Peter Crowther wrote:
|> From: Christopher Schultz [mailto:[EMAIL PROTECTED]
|>
|> Tomcat goes out of its way to save the POST body. Here's the code
|> from FormAuthenticator
|
| [elided]
|
|> This method is called before the login form is shown. Note the
|> special case for POST requests.
|
| This is purely for forms authentication, i.e. where Tomcat is logging
| the user in. The OP didn't state either way about forms
| authentication, and I suspect isn't using it.
|
| This code is not used in other cases, for example when merely
| redirecting a user to a confidential (i.e. SSL) resource.

Boy is my face red ;) I was thinking this was an authentication boundary, not a protocol boundary. You are absolutely right: this is a simple redirect.

Interestingly enough, the servlet specification says nothing about how to actually handle a request that does not meet the requirements of a transport-guarantee. In securityfilter, we mimic Tomcat 5.5's behavior, which is to simply redirect (most often a 302... depends on the implementation of HttpServletResponse.sendRedirect) to the same URL that was originally requested (which results in dropping any POST content).

-chris

---------------------------------------------------------------------
To start a new topic, e-mail: users@tomcat.apache.org
To unsubscribe, e-mail: [EMAIL PROTECTED]
For additional commands, e-mail: [EMAIL PROTECTED]
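The redirect behaviour described in the message above, as an added example that is not part of the original post and is not Tomcat or securityfilter code: a constructed local server answers a POST with a 302, and its log shows the body arriving only on the first, unprotected request. The `/secure` path prefix stands in for the https:// URL, and the handler, paths and form data are assumptions made for the demo; the client is Python's urllib, which re-issues the redirected request as a GET.

```python
import threading
import urllib.request
from http.server import BaseHTTPRequestHandler, HTTPServer


class Handler(BaseHTTPRequestHandler):
    """Constructed stand-in for a container enforcing a transport-guarantee."""
    seen = []  # (path, method, body) of every request the server receives

    def _handle(self):
        length = int(self.headers.get("Content-Length") or 0)
        self.seen.append((self.path, self.command, self.rfile.read(length)))
        if self.path.startswith("/secure"):
            payload = b"ok"          # the "confidential" resource
            self.send_response(200)
        else:
            payload = b""            # plain redirect, as sendRedirect would issue
            self.send_response(302)
            self.send_header("Location", "/secure" + self.path)
        self.send_header("Content-Length", str(len(payload)))
        self.end_headers()
        self.wfile.write(payload)

    do_GET = do_POST = _handle

    def log_message(self, *args):    # keep the demo quiet
        pass


def post_through_redirect(body: bytes):
    """POST body to the unprotected URL, follow the 302, return the server's log."""
    Handler.seen = []
    server = HTTPServer(("127.0.0.1", 0), Handler)
    threading.Thread(target=server.serve_forever, daemon=True).start()
    # Empty ProxyHandler: ignore any proxy settings in the environment.
    opener = urllib.request.build_opener(urllib.request.ProxyHandler({}))
    try:
        url = f"http://127.0.0.1:{server.server_port}/login"
        with opener.open(url, data=body, timeout=5) as resp:
            resp.read()
    finally:
        server.shutdown()
        server.server_close()
    return Handler.seen


if __name__ == "__main__":
    for path, method, body in post_through_redirect(b"user=alice&note=constructed"):
        print(method, path, body)
```

The first log entry also shows that the form data had already crossed the unprotected channel before the redirect was issued, so the redirect only protects the follow-up request.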