Uploaded image for project: 'WildFly Elytron'
  1. WildFly Elytron
  2. ELY-997

Elytron form authentication does not store POST data

    XMLWordPrintable

Details

    • Hide

      Run FormAuthUnitTestCase in AS TS with Elytron profile (against full distribution due to WFLY-8228):

      cd testsuite/integration/web
mvn clean install -Dtest=org.jboss.as.test.integration.web.formauth.FormAuthUnitTestCase#testPostDataFormAuth -Delytron -Dwildfly.tmp.enable.elytron.profile.tests=true -Djboss.dist=/path/to/eap-or-wildfly-full-distro
      Show
      Run FormAuthUnitTestCase in AS TS with Elytron profile (against full distribution due to WFLY-8228 ): cd testsuite/integration/web mvn clean install -Dtest=org.jboss.as.test.integration.web.formauth.FormAuthUnitTestCase#testPostDataFormAuth -Delytron -Dwildfly.tmp.enable.elytron.profile.tests= true -Djboss.dist=/path/to/eap-or-wildfly-full-distro

    Description

      Form authentication backed by Elytron in the web applications uses status code 303 (See Other) to redirect user after processing /j_security_check.

      We see two serious issues here:

      • Legacy security uses status code 302 (Moved Temporarily/Found) to handle this redirect and existing applications/clients may behave differently for these different codes. (e.g. default behavior of Apache HTTP client is to follow redirect for 303, but not to follow for 302)
      • The 303 status code was introduced in HTTP 1.1 so it's not part of HTTP 1.0, but the 303 is returned also for HTTP/1.0 request as a HTTP/1.0 response, which is wrong.

      Attachments

        Issue Links

          clones

          Bug - A problem that impairs or prevents the functions of the product. JBEAP-9109 When Elytron is used redirect from j_security_check uses HTTP code 303

          • Blocker - To be worked above all other priorities. This term is chosen when the severity of the issue is very high, has no workaround, or the effort for the change is comparatively low. Issues that may be very publicly visible and could generate significant media attention may also drive a higher priority.
          • Verified

          Activity

            People

              jkalina@redhat.com Jan Kalina (Inactive)
              jkalina@redhat.com Jan Kalina (Inactive)
              Votes:
              0 Vote for this issue
              Watchers:
              1 Start watching this issue

              Dates

                Created:
                Updated:
                Resolved: