use "FORM" auth-method for MCRContainerLogin

Description

It was noticed recently that we cannot re-login the user on every request if MCRServlet3LoginServlet is used: doing so changes the session id of the HttpSession with every request, which leads to lost sessions.

For the sake of correctness we have to use the authenticate() method of the request here. Tomcat (currently 8.0.30) lacks a feature in this area: calling authenticate() after a successful login() triggers a DIGEST authentication, because DIGEST is the auth-method defined for MCRContainerLogin.

If we change the auth-method to "FORM" it will make the container login a bit more insecure, as the password is transmitted over the wire. As this is already the case for local users, it will not open any "new" security holes. If "FORM" is used, Tomcat allows authenticate() to use the credentials of login(). This is what we want for sure!
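The flow described above, as an added example that is not MyCoRe project code: the container login() is performed exactly once, and a filter re-establishes the principal on later requests via authenticate() instead of logging in again. It assumes web.xml declares auth-method FORM for the application; the class, servlet and parameter names (uid, pwd) are hypothetical.

```java
import java.io.IOException;
import javax.servlet.*;
import javax.servlet.http.*;

// Added example, not MyCoRe code. Assumes <auth-method>FORM</auth-method> in web.xml.
public class ContainerLoginExample {

    /** Hypothetical login servlet: runs the Servlet 3.0 container login once per session. */
    public static class LoginServlet extends HttpServlet {
        @Override
        protected void doPost(HttpServletRequest req, HttpServletResponse resp)
                throws ServletException, IOException {
            if (req.getUserPrincipal() != null) {
                // Already authenticated: never call login() again. A repeated login()
                // changes the HTTP session id and the user loses the session.
                resp.sendRedirect(req.getContextPath() + "/");
                return;
            }
            try {
                // With FORM, the container keeps these credentials so that later calls
                // to authenticate() succeed instead of issuing a DIGEST challenge.
                req.login(req.getParameter("uid"), req.getParameter("pwd"));
                resp.sendRedirect(req.getContextPath() + "/");
            } catch (ServletException e) {
                // Wrong credentials (or login() called on an already authenticated request)
                resp.sendError(HttpServletResponse.SC_UNAUTHORIZED, "login failed");
            }
        }
    }

    /** Hypothetical filter: ensures a principal is present without re-running login(). */
    public static class AuthenticateFilter implements Filter {
        @Override
        public void doFilter(ServletRequest request, ServletResponse response, FilterChain chain)
                throws IOException, ServletException {
            HttpServletRequest req = (HttpServletRequest) request;
            HttpServletResponse resp = (HttpServletResponse) response;
            // authenticate() returns true once a principal is available; with FORM it reuses
            // the login() credentials, otherwise it sends the login form and commits the response.
            if (req.getUserPrincipal() == null && !req.authenticate(resp)) {
                return;
            }
            chain.doFilter(request, response);
        }
        @Override public void init(FilterConfig config) {}
        @Override public void destroy() {}
    }
}
```

Map the filter only to protected URLs; the login servlet itself must stay reachable without a principal.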

Environment

None

Assignee

Thomas Scheffler

Reporter

Thomas Scheffler

Labels

None

URL

None

External issue ID

None

Components

Fix versions

Affects versions

Priority

Medium