General J2EE: unauthenticated POST and j_security_check (trying again)

  1. (hope this post isn't a repeat of my previous attempts)

    We are developing applications for IBM WebSphere 6 with global security and SSO enabled. Login sessions are set to time out after (I think) 30 minutes of activity. In the application I am developing, there is a particular form which legitimately could take users longer than 30 minutes to fill out (mostly due to the need to research information at various points before entering data on-screen). This is where our problem comes in:

    Following HTTP semantics, the data on the form is submitted with method="post". If the user's login has expired, WebSphere preserves the request information, and redirects to the login page (we are using form-based login). After the user authenticates, they are redirected back to the original request. All this is behaving as expected.

    The problem is that j_security_check seems to preserve only the URL portion of the request. Since the form was POSTed, this means that all its form values are in the HTTP headers, rather than the URL. Given that there are some pre-populated hidden fields my application expects to be there, the newly authenticated request then bombs with a nasty unexpected error. (Technically, it fails when the associated Struts action attempts to convert one of these prefilled hidden values, which are null, to a number.)

    I could convert the form to use GET, even though that breaks the semantics of HTTP as I understand them, but the form is large enough that I am concerned about the length of the resulting request URL. The only other option I can think of is to realize the form is empty (after re-authentication) and direct the user to a less cryptic error and basically tell them -- sorry, we just lost all the work you did.

    Is there any way to get j_security_check to preserve HTTP header information and re-request it? Are there any other good ways of dealing with this problem?

    Thanks in advance!
  2. As a temporary measure, I changed the form to GET, but this is obviously not what we really want. Does anyone have any ideas on this?
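
The fallback mentioned in the first post (recognise that the form came back empty after re-authentication and show a clear message) can be sketched as below. This is an added example, not code from the original posts: the field names `recordId` and `formVersion` are hypothetical, and the map has the shape returned by `HttpServletRequest.getParameterMap()`.

```java
import java.util.HashMap;
import java.util.Map;

public class ReplayedPostGuard {
    public enum Outcome { OK, BODY_LOST_AFTER_LOGIN, MALFORMED }

    // Hypothetical names for the pre-populated hidden numeric fields.
    static final String[] HIDDEN_NUMERIC = { "recordId", "formVersion" };

    /** params has the shape of HttpServletRequest.getParameterMap(). */
    public static Outcome classify(Map<String, String[]> params) {
        int missing = 0;
        int invalid = 0;
        for (String name : HIDDEN_NUMERIC) {
            String[] values = params.get(name);
            if (values == null || values.length == 0 || values[0].trim().isEmpty()) {
                missing++;
                continue;
            }
            try {
                Long.parseLong(values[0].trim());
            } catch (NumberFormatException e) {
                invalid++;
            }
        }
        if (missing == 0 && invalid == 0) return Outcome.OK;
        // The form always sends these fields, so all of them absent means the
        // request came back from the login redirect without its POST data.
        if (missing == HIDDEN_NUMERIC.length) return Outcome.BODY_LOST_AFTER_LOGIN;
        // Some present, some absent or non-numeric: not the replay case; reject.
        return Outcome.MALFORMED;
    }

    public static void main(String[] args) {
        // Constructed sample requests.
        Map<String, String[]> full = new HashMap<>();
        full.put("recordId", new String[] { "4711" });
        full.put("formVersion", new String[] { "3" });
        full.put("notes", new String[] { "draft text" });

        Map<String, String[]> replayed = new HashMap<>(); // URL only, no form data

        Map<String, String[]> partial = new HashMap<>();
        partial.put("recordId", new String[] { "abc" });

        System.out.println(classify(full));
        System.out.println(classify(replayed));
        System.out.println(classify(partial));
    }
}
```

An action would call `classify` before any numeric conversion and forward `BODY_LOST_AFTER_LOGIN` to a page explaining that the login expired, while treating `MALFORMED` as an invalid request.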