tomcat-dev mailing list archives

From cos...@eng.sun.com
Subject Re: Realm.authenticate() failure
Date Fri, 18 Feb 2000 18:46:10 GMT
>  > I disagree with your statement that an invalid username/password/cert is
>  > an exceptional situation.  In real life, it happens all the time.
> 
> Of course this borders on a philosophical discussion, but I would say
> that, in the context of the login use case, failing to log in is not
> the normal path through the use case, so it is "exceptional".

The "normal path" to access a protected page is to try first
without password, get a 403 with the authentication Realm and then send
user/password. 

To avoid the philosophy - it's also a matter of performance, Exceptions
are very expensive. 

We should minimize the number of "flow control via Exception" in the
critical path ( that includes authorization ). Returning a Status is
_not_ so bad programming.

( that's the reason RequestInterceptor returns int status, while 
ContextInterceptor throws Exceptions )

Costin



