WildFly issue WFLY-8229

When Elytron is used, the redirect from j_security_check uses HTTP code 303

Run FormAuthUnitTestCase in the AS testsuite with the Elytron profile (against a full distribution, due to WFLY-8228):

      cd testsuite/integration/web
      mvn clean install -Dtest=FormAuthUnitTestCase -Delytron -Djboss.dist=/path/to/eap-or-wildfly-full-distro

Form authentication backed by Elytron in web applications uses status code 303 (See Other) to redirect the user after processing /j_security_check.

      We see two serious issues here:

• Legacy security uses status code 302 (Moved Temporarily/Found) for this redirect, and existing applications/clients may behave differently for the two codes (e.g. the default behaviour of the Apache HTTP client is to follow a redirect on 303 but not on 302).
• The 303 status code was introduced in HTTP/1.1 and is not part of HTTP/1.0, yet 303 is returned even for an HTTP/1.0 request, as an HTTP/1.0 response, which is wrong.
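A small checker for both points above, added here as an example; it is not part of the WildFly testsuite or of FormAuthUnitTestCase. It parses the status line of a raw response to a form-login POST, reports a 303 answered to an HTTP/1.0 request (HTTP/1.0 defines only the 301 and 302 redirects), flags any deviation from the legacy 302, and models the client-side difference the issue describes (a POST redirect followed on 303 but not on 302). The `probe` function sends a real HTTP/1.0 or HTTP/1.1 request over a socket so the check can be run against a deployment; the host, port, path and credential values are placeholders, and the sample responses at the bottom are constructed, not captured from a server.

```python
"""Check the redirect a form-login endpoint returns after processing credentials.
Added example; not WildFly or Elytron code."""
import socket
from dataclasses import dataclass

# Redirect codes discussed in the issue: legacy security sends 302, Elytron sends 303.
LEGACY_REDIRECT = 302
ELYTRON_REDIRECT = 303
# HTTP/1.0 (RFC 1945) defines only these redirect codes; 303 first appears in HTTP/1.1.
HTTP10_REDIRECTS = {301, 302}


@dataclass
class StatusLine:
    version: str
    code: int
    reason: str


def parse_status_line(raw: bytes) -> StatusLine:
    """Parse the first line of a raw HTTP response, e.g. b'HTTP/1.0 303 See Other\\r\\n...'."""
    first = raw.split(b"\r\n", 1)[0].decode("iso-8859-1")
    parts = first.split(" ", 2)
    if len(parts) < 2 or not parts[0].startswith("HTTP/"):
        raise ValueError(f"not an HTTP status line: {first!r}")
    return StatusLine(parts[0], int(parts[1]), parts[2] if len(parts) == 3 else "")


def check_redirect(request_version: str, status: StatusLine) -> list:
    """Return findings for the post-login redirect; an empty list means nothing to report."""
    findings = []
    if status.code not in (LEGACY_REDIRECT, ELYTRON_REDIRECT):
        findings.append(f"unexpected status {status.code} after j_security_check")
        return findings
    if status.code != LEGACY_REDIRECT:
        findings.append("status differs from legacy 302: clients that follow only one of "
                        "302/303 on POST will behave differently")
    if request_version == "HTTP/1.0" and status.code not in HTTP10_REDIRECTS:
        findings.append(f"{status.code} returned to an HTTP/1.0 request; "
                        "HTTP/1.0 defines only 301 and 302 redirects")
    return findings


def apache_client_follows_post_redirect(code: int) -> bool:
    """Model of the default Apache HTTP client behaviour as stated in the issue:
    a redirect of a POST is followed on 303 but not on 302."""
    return code == ELYTRON_REDIRECT


def probe(host: str, port: int, version: str = "HTTP/1.0",
          path: str = "/j_security_check") -> StatusLine:
    """Send a form-login POST with the given protocol version and return the status line.
    Credentials are placeholders (assumption); the page fixes no values for them."""
    body = b"j_username=USER_PLACEHOLDER&j_password=PASSWORD_PLACEHOLDER"
    req = (f"POST {path} {version}\r\nHost: {host}\r\n"
           f"Content-Type: application/x-www-form-urlencoded\r\n"
           f"Content-Length: {len(body)}\r\nConnection: close\r\n\r\n").encode() + body
    with socket.create_connection((host, port), timeout=5) as s:
        s.sendall(req)
        data = b""
        while b"\r\n" not in data:
            chunk = s.recv(4096)
            if not chunk:
                break
            data += chunk
    return parse_status_line(data)


# Constructed sample responses (not captured from a real server).
ELYTRON_SAMPLE = b"HTTP/1.0 303 See Other\r\nLocation: /app/secured/\r\n\r\n"
LEGACY_SAMPLE = b"HTTP/1.0 302 Found\r\nLocation: /app/secured/\r\n\r\n"

if __name__ == "__main__":
    for name, sample in (("elytron", ELYTRON_SAMPLE), ("legacy", LEGACY_SAMPLE)):
        st = parse_status_line(sample)
        print(name, st.version, st.code, check_redirect("HTTP/1.0", st) or "ok")
```

Run against a deployment with `check_redirect("HTTP/1.0", probe("localhost", 8080))` after adjusting the placeholders; against the behaviour described in the issue the Elytron case yields both findings, while the legacy 302 yields none.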

darran.lofthouse@redhat.com Darran Lofthouse
josef.cacek@gmail.com Josef Cacek (Inactive)