- Bug
- Resolution: Done
- Major
- 1.2.9.Final
- None
It is impossible to log in to a web application that is configured to use URL based session tracking and FORM based login.
Opening a secured page redirects correctly to the login page, and the login form action is produced correctly with HttpServletResponse.encodeURL: the result is "j_security_check;jsessionid=xxx".
However, Undertow refuses to handle the request to j_security_check;jsessionid=xxxx. The result is HTTP error 405, POST not supported.
A similar problem occurs if the login form is posted using GET, or the login page forwards to j_security_check using sendRedirect with URL parameters. In this case Undertow responds to j_security_check?foo=bar&and=so_on with HTTP error 404.
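An added illustration (not Undertow's code and not part of the original report) of the matching the report expects: path parameters such as ;jsessionid and the query string are stripped before the request URI is compared with j_security_check. The class and method names, the /app context path, the naive suffix comparison and the sample URIs are assumptions made for this example.

```java
import java.util.List;

public class SecurityCheckMatcher {
    static final String LOGIN_SUFFIX = "/j_security_check";

    /** Removes the query string and any ";name=value" path parameters from every segment. */
    static String stripPathParameters(String requestUri) {
        int q = requestUri.indexOf('?');
        String path = q >= 0 ? requestUri.substring(0, q) : requestUri;
        StringBuilder out = new StringBuilder(path.length());
        boolean inParam = false;
        for (int i = 0; i < path.length(); i++) {
            char c = path.charAt(i);
            if (c == '/') {
                inParam = false;   // path parameters end at the next segment
            } else if (c == ';') {
                inParam = true;    // start of ";jsessionid=..." or a similar parameter
            }
            if (!inParam) {
                out.append(c);
            }
        }
        return out.toString();
    }

    /** Assumed naive check: compares the raw URI, so encodeURL output never matches. */
    static boolean naiveMatch(String requestUri) {
        return requestUri.endsWith(LOGIN_SUFFIX);
    }

    /** Check on the normalized path: URL-rewritten and parameterised forms match. */
    static boolean normalizedMatch(String requestUri) {
        return stripPathParameters(requestUri).endsWith(LOGIN_SUFFIX);
    }

    public static void main(String[] args) {
        // Constructed sample URIs modelled on the ones in the report ("/app" is assumed).
        List<String> samples = List.of(
            "/app/j_security_check",
            "/app/j_security_check;jsessionid=xxx",
            "/app/j_security_check?foo=bar&and=so_on",
            "/app/j_security_check;jsessionid=xxx?foo=bar",
            "/app/j_security_check.jsp;jsessionid=xxx"); // must not be treated as the login target
        for (String uri : samples) {
            System.out.printf("%-46s naive=%-5b normalized=%b%n",
                    uri, naiveMatch(uri), normalizedMatch(uri));
        }
    }
}
```

The same normalized path should be used by both the security-constraint check and the login handler, so that a URL carrying path parameters is never classified differently by the two.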