Uploaded image for project: 'JBoss Enterprise Application Platform'
  1. JBoss Enterprise Application Platform
  2. JBEAP-9109

When Elytron is used redirect from j_security_check uses HTTP code 303

XMLWordPrintable

    • Hide

      Run FormAuthUnitTestCase in AS TS with Elytron profile (against full distribution due to WFLY-8228):

      cd testsuite/integration/web
mvn clean install -Dtest=org.jboss.as.test.integration.web.formauth.FormAuthUnitTestCase -Delytron -Dwildfly.tmp.enable.elytron.profile.tests=true -Djboss.dist=/path/to/eap-or-wildfly-full-distro
      Show
      Run FormAuthUnitTestCase in AS TS with Elytron profile (against full distribution due to WFLY-8228 ): cd testsuite/integration/web mvn clean install -Dtest=org.jboss.as.test.integration.web.formauth.FormAuthUnitTestCase -Delytron -Dwildfly.tmp.enable.elytron.profile.tests= true -Djboss.dist=/path/to/eap-or-wildfly-full-distro

      Form authentication backed by Elytron in the web applications uses status code 303 (See Other) to redirect user after processing /j_security_check.

      We see two serious issues here:

      • Legacy security uses status code 302 (Moved Temporarily/Found) to handle this redirect and existing applications/clients may behave differently for these different codes. (e.g. default behavior of Apache HTTP client is to follow redirect for 303, but not to follow for 302)
      • The 303 status code was introduced in HTTP 1.1 so it's not part of HTTP 1.0, but the 303 is returned also for HTTP/1.0 request as a HTTP/1.0 response, which is wrong.

        1. enable-elytron.cli
          6 kB

              jkalina@redhat.com Jan Kalina (Inactive)
              josef.cacek@gmail.com Josef Cacek (Inactive)
              Votes:
              0 Vote for this issue
              Watchers:
              5 Start watching this issue

                Created:
                Updated:
                Resolved: