WildFly / WFLY-8229

When Elytron is used, redirect from j_security_check uses HTTP code 303



      Run FormAuthUnitTestCase in the AS testsuite with the Elytron profile (against a full distribution, due to WFLY-8228):

      cd testsuite/integration/web
      mvn clean install -Dtest=FormAuthUnitTestCase -Delytron -Djboss.dist=/path/to/eap-or-wildfly-full-distro

      Form authentication backed by Elytron in web applications uses status code 303 (See Other) to redirect the user after processing /j_security_check.

      We see two serious issues here:

      • Legacy security uses status code 302 (Moved Temporarily/Found) for this redirect, and existing applications/clients may behave differently for the two codes (e.g. the default behavior of Apache HTTP client is to follow a redirect for 303, but not for 302).
      • The 303 status code was introduced in HTTP/1.1 and is not part of HTTP/1.0, yet 303 is also returned for an HTTP/1.0 request as an HTTP/1.0 response, which is wrong.
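      The two issues above as an added, runnable model (not code from the WildFly issue or project): a check over a captured status line, the status a server should pick per request version, and a client rule that follows 303 for any method but 302 only for GET/HEAD, which is assumed here to be Apache HttpClient's DefaultRedirectStrategy behaviour the report alludes to.

```python
# Added example for WFLY-8229: models the 302-vs-303 and HTTP/1.0 problems
# so they can be checked without a running server. Not WildFly/Elytron code.
import re

STATUS_LINE = re.compile(rb"^HTTP/(\d\.\d) (\d{3}) ?(.*)$")


def check_redirect_response(status_line: bytes) -> list[str]:
    """Flag the problems the report describes in the raw status line of a
    response to POST /j_security_check (constructed input, e.g. from a capture)."""
    m = STATUS_LINE.match(status_line.strip())
    if not m:
        raise ValueError(f"not an HTTP status line: {status_line!r}")
    version, status = m.group(1).decode(), int(m.group(2))
    findings = []
    if status == 303 and version == "1.0":
        findings.append("303 See Other is HTTP/1.1-only but sent in an HTTP/1.0 response")
    if status == 303:
        findings.append("303 differs from the 302 legacy security sends; clients may react differently")
    return findings


def server_redirect_status(request_version: str, elytron: bool) -> int:
    """Status a corrected server would send after /j_security_check:
    never 303 to an HTTP/1.0 client, since that code does not exist there."""
    if request_version == "HTTP/1.0":
        return 302
    return 303 if elytron else 302


def httpclient_follows(method: str, status: int) -> bool:
    """Assumed client policy (Apache HttpClient DefaultRedirectStrategy as the
    report describes it): 303 is followed for any method, while
    301/302/307 are followed only for GET and HEAD."""
    if status == 303:
        return True
    if status in (301, 302, 307):
        return method.upper() in ("GET", "HEAD")
    return False


def login_post_outcome(request_version: str, elytron: bool) -> dict:
    """What a login POST sees from a server choosing its status as above:
    legacy (302) leaves the client on the redirect, Elytron (303) moves it."""
    status = server_redirect_status(request_version, elytron)
    return {"status": status, "followed": httpclient_follows("POST", status)}
```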

darran.lofthouse@redhat.com Darran Lofthouse
josef.cacek@gmail.com Josef Cacek