0 Replies Latest reply on Nov 3, 2006 9:16 AM by sreeraaman

    SessionTimeout bug in tomcat 5.5.20

    sreeraaman

      Hi,

      I am working on container-managed authentication using a form-based login. I have configured web security as follows in web.xml:

      <error-page>
        <error-code>400</error-code>
        <error-code>403</error-code>
        <error-code>404</error-code>
        <error-code>500</error-code>
        <location>/index.jsp</location>
      </error-page>
      <security-constraint>
        <web-resource-collection>
          <web-resource-name>Whole site</web-resource-name>
          <url-pattern>/secure/*</url-pattern>
        </web-resource-collection>
        <auth-constraint>
          <role-name>*</role-name>
        </auth-constraint>
        <user-data-constraint>
          <transport-guarantee>NONE</transport-guarantee>
        </user-data-constraint>
      </security-constraint>
      <login-config>
        <auth-method>FORM</auth-method>
        <realm-name>SecDomain</realm-name>
        <form-login-config>
          <form-login-page>/Login.seam</form-login-page>
          <form-error-page>/authorization-error.seam</form-error-page>
        </form-login-config>
      </login-config>

      I have a JSF page in the secured realm (/secure/) from which I am calling an EJB3 stateless session bean using JBoss Seam.

      It is working fine if the session has not timed out. However, if the session has timed out and I then try to call a method on an SLSB, I get the following error:

      HTTP Status 403 - The request body was too large to be cached during the authentication process
      ________________________________________
      type Status report
      message The request body was too large to be cached during the authentication process
      description Access to the specified resource (The request body was too large to be cached during the authentication process) has been forbidden.
      ________________________________________
      Apache Tomcat/5.5.20
      


      Going through the server logs, I find the following output:

      2006-11-03 19:26:33,787 DEBUG [org.apache.catalina.authenticator.FormAuthenticator] Save request in session '277A5C3578B0DDDF9DA12DEEA47985AB'
      2006-11-03 19:26:33,787 DEBUG [org.apache.catalina.authenticator.FormAuthenticator] Request body too big to save during authentication
      2006-11-03 19:26:33,787 DEBUG [org.apache.catalina.authenticator.AuthenticatorBase] Failed authenticate() test
      


      Going through the source for the FormAuthenticator class, I found that the above message is emitted in the authenticate method, a snapshot of which is as follows:

      // No -- Save this request and redirect to the form login page
      if (!loginAction) {
          session = request.getSessionInternal(true);
          if (log.isDebugEnabled())
              log.debug("Save request in session '" + session.getIdInternal() + "'");
          try {
              saveRequest(request, session);
          } catch (IOException ioe) {
              log.debug("Request body too big to save during authentication");
              response.sendError(HttpServletResponse.SC_FORBIDDEN,
                                 sm.getString("authenticator.requestBodyTooBig"));
              return (false);
          }
          forwardToLoginPage(request, response, config);
          return (false);
      }

      Also, I noticed that the saveRequest method did not throw any exception in previous versions.

      Inside the saveRequest method, the highlighted line in the following code snippet is the place where the exception is thrown:

      if ("POST".equalsIgnoreCase(request.getMethod())) {
          ByteChunk body = new ByteChunk();
          body.setLimit(request.getConnector().getMaxSavePostSize());

          byte[] buffer = new byte[4096];
          int bytesRead;
          InputStream is = request.getInputStream();

          while ( (bytesRead = is.read(buffer) ) >= 0) {
              body.append(buffer, 0, bytesRead);
          }
          saved.setBody(body);
      }

      I understand that by default getMaxSavePostSize() returns 2 MB.

      I would have expected Tomcat to redirect me to the login page, since the session has expired.
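      As an added illustration (not code from this post or from Tomcat), the following hypothetical stand-in reproduces the bounded buffering that saveRequest() performs and the 403 branch in authenticate(), and runs a constructed plain login POST and a constructed JSF POST against an assumed limit. On Tomcat that limit is the Connector's maxSavePostSize attribute in server.xml; the 4096 value and the sample bodies are assumptions for the demo.

```java
import java.io.ByteArrayInputStream;
import java.io.ByteArrayOutputStream;
import java.io.IOException;
import java.io.InputStream;
import java.nio.charset.StandardCharsets;

// Hypothetical stand-in (not Tomcat code): the POST body is copied into a bounded
// buffer whose limit is the Connector's maxSavePostSize; crossing that limit raises
// IOException, which the authenticate() branch turned into the HTTP 403 quoted above.
public class SavedPostBodyDemo {
    // Copies the body into memory, failing once the configured limit is exceeded.
    static byte[] saveBody(InputStream is, int maxSavePostSize) throws IOException {
        ByteArrayOutputStream body = new ByteArrayOutputStream();
        byte[] buffer = new byte[4096];
        int bytesRead;
        while ((bytesRead = is.read(buffer)) >= 0) {
            if (body.size() + bytesRead > maxSavePostSize) {
                throw new IOException("saved POST body would exceed maxSavePostSize="
                        + maxSavePostSize + " bytes");
            }
            body.write(buffer, 0, bytesRead);
        }
        return body.toByteArray();
    }
    // Mirrors the branch in authenticate(): 403 if saving fails, otherwise the
    // request is saved and the client is sent to the form-login-page.
    static String outcomeForExpiredSession(byte[] postBody, int maxSavePostSize) {
        try {
            saveBody(new ByteArrayInputStream(postBody), maxSavePostSize);
            return "redirect to form-login-page";
        } catch (IOException ioe) {
            return "403 Forbidden (" + ioe.getMessage() + ")";
        }
    }
    public static void main(String[] args) {
        // Constructed sample bodies: a plain login form versus a JSF form whose
        // serialized javax.faces.ViewState parameter alone runs to several KB.
        byte[] loginForm = "j_username=alice&j_password=secret".getBytes(StandardCharsets.ISO_8859_1);
        StringBuilder jsf = new StringBuilder("form:save=Save&javax.faces.ViewState=");
        for (int i = 0; i < 2000; i++) jsf.append("rO0AB"); // ~10 KB of constructed state
        byte[] jsfForm = jsf.toString().getBytes(StandardCharsets.ISO_8859_1);
        int limit = 4096; // assumed Connector maxSavePostSize for the demo
        System.out.println("login form -> " + outcomeForExpiredSession(loginForm, limit));
        System.out.println("JSF form   -> " + outcomeForExpiredSession(jsfForm, limit));
        System.out.println("JSF, 64 KB -> " + outcomeForExpiredSession(jsfForm, 64 * 1024));
    }
}
```

      With the assumed 4096-byte limit only the small login form is saved; the JSF body hits the 403 path until the limit is raised, which is the setting to compare against the real POST size when diagnosing this error.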

      Note:

      I am using JBoss 4.0.5 GA, Seam 1.0.1 GA and Tomcat 5.5.20.

      regards
      sriraman.