users@glassfish.java.net

Re: web login using j_security_check

From: <glassfish_at_javadesktop.org>
Date: Mon, 30 Nov 2009 12:30:27 PST

what code is doing the "redirecting"; the code you are porting, or the underlying glassfish FormAuthenticator?
 
The Glassfish FormAuthenticator was changed to redirect as opposed to forward to the login page. This was done to ensure enforcement of a user-data-constraint on the login page.

Please describe how this change is causing user passwords to appear in the access log. I was not aware of that problem, and it is not obvious to me how the change to a redirect has caused that effect.

A possible consequence of the change is that in the absence of an exact mapping of the redirection url to the login page, a page other than the login page may (by virtue of a less specific mapping) become the target of the redirect; thus bypassing the username and password collection via the login page, the subsequent submit of the j_security_check, and the authentication.

We have had a prior discussion on the effect of the change to the FormAuthenticator in which it was proposed that the authenticator be changed such that it never redirects TO THE LOGIN PAGE during processing of an auth-constraint.

When a request is made to an auth-constrained resource that is NOT subject to a user-data-constraint, the FBL authenticator would decide whether to forward to the login page or whether to REDIRECT THE CURRENT REQUEST to a protected transport. The decision would be based on the transport characteristics of the current request and whether the login page requires a protected transport. If the characteristics of the current request are not sufficient to match the requirements of the login page the current request would be redirected to https; ultimately the request would be forwarded to the login page.

If this sounds like the issue you are facing, please file a bug in the issue tracker, which will ensure that this gets fixed.
[Message sent by forum member 'monzillo' ]

http://forums.java.net/jive/thread.jspa?messageID=373931