On 2/5/2012 2:53 PM, Christopher Schultz wrote:
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1
Jess,
On 2/5/12 1:23 PM, Jess Holle wrote:
Certainly this is an optional / quality of implementation feature.
I'm perfectly aware that other form-based authentication solutions
will not save POST data and may even fail to replay requests at
all. That's fine and good. The application design is not
dependent on this behavior. Rather, Tomcat documentation says this
should work and it doesn't -- that's the issue.
FWIW, SecurityFilter also provides similar capabilities. I'd be
shocked if this wasn't industry-wide capability for servlet containers.
I was considering form-based authentication on an even broader basis --
as one can do this in the web server as instead of in the servlet engine.
That said, yes, most solutions do cover this base -- and Tomcat says it
does, but doesn't if you use an AJP connector.
Fortunately the fix is trivial to patch in.
--
Jess Holle
---------------------------------------------------------------------
To unsubscribe, e-mail: users-unsubscr...@tomcat.apache.org
For additional commands, e-mail: users-h...@tomcat.apache.org