tomcat-dev mailing list archives

From bugzi...@apache.org
Subject DO NOT REPLY [Bug 34560] - AuthenticatorBase tests and applies disableProxyCaching even if no auth-constraints
Date Sun, 24 Apr 2005 16:26:39 GMT
DO NOT REPLY TO THIS EMAIL, BUT PLEASE POST YOUR BUG
RELATED COMMENTS THROUGH THE WEB INTERFACE AVAILABLE AT
<http://issues.apache.org/bugzilla/show_bug.cgi?id=34560>.
ANY REPLY MADE TO THIS MESSAGE WILL NOT BE COLLECTED AND
INSERTED IN THE BUG DATABASE.

http://issues.apache.org/bugzilla/show_bug.cgi?id=34560





------- Additional Comments From quartz12h@yahoo.com  2005-04-24 18:26 -------
Thank you for your dedication and research.
I read that servlet spec 12.8.

It is very clear to me that the transport constraint is orthogonal to the
authentication constraint.

That is, a 'confidential' transport may not obviously require authentication.
That is especially true for web sites that are fully https to avoid mixed
secure/unsecure content warnings on browsers, while allowing decent caching for
resources that do not need authentication/authorization, like js, css, gifs...

I'm not suggesting to change any of the current logic surrounding
confidential/integral/none. I'm highlighting that the 'de-caching' headers must
only be applied when the authentication is required, which has nothing to do
with transport constraints.

Meanwhile, the http spec is stating that authorization must be challenged
every time and resources, if cached, cannot bypass the authentication. It doesn't
mention anything specific to the ssl nature (or else) of the lower layer
transporting http content.

Thanks again.
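
Added example, not part of the original comment and not Tomcat's AuthenticatorBase code: a simplified Java model contrasting the behaviour named in the bug title with the behaviour the comment asks for, on a fully HTTPS site where only one area needs a login. The class, the prefix-based URL matching, the sample constraints and the header values are assumptions made for illustration.

```java
import java.util.*;

// Simplified model (assumption): constraints match by URL prefix, not by the
// servlet spec's full url-pattern rules. Requires Java 16+ for records.
public class CacheHeaderDecision {
    // One <security-constraint>: URL prefix, whether it carries an
    // <auth-constraint>, and its <transport-guarantee>.
    record Constraint(String prefix, boolean authRequired, String transport) {}

    // Constructed sample: whole site is CONFIDENTIAL, only /account/ needs a login.
    static final List<Constraint> CONSTRAINTS = List.of(
        new Constraint("/", false, "CONFIDENTIAL"),
        new Constraint("/account/", true, "CONFIDENTIAL"));

    static List<Constraint> matching(String path) {
        List<Constraint> out = new ArrayList<>();
        for (Constraint c : CONSTRAINTS) {
            if (path.startsWith(c.prefix())) out.add(c);
        }
        return out;
    }

    // Behaviour in the bug title: de-caching applied even with no auth-constraint,
    // modelled here as "any security constraint matches the request".
    static boolean noCacheReported(String path) {
        return !matching(path).isEmpty();
    }

    // Behaviour the comment asks for: de-caching only when authentication is
    // required; the transport guarantee plays no part in the decision.
    static boolean noCacheRequested(String path) {
        return matching(path).stream().anyMatch(Constraint::authRequired);
    }

    // Conventional de-caching headers (assumed values, not taken from the page).
    static Map<String, String> headers(boolean noCache) {
        Map<String, String> h = new LinkedHashMap<>();
        if (noCache) {
            h.put("Pragma", "No-cache");
            h.put("Cache-Control", "no-cache");
            h.put("Expires", "Thu, 01 Jan 1970 00:00:00 GMT");
        }
        return h;
    }

    public static void main(String[] args) {
        for (String p : List.of("/css/site.css", "/js/app.js", "/account/profile")) {
            System.out.printf("%-18s reported=%s requested=%s%n", p,
                headers(noCacheReported(p)).keySet(), headers(noCacheRequested(p)).keySet());
        }
    }
}
```

In this model the static resources receive the de-caching headers under the reported behaviour and none under the requested one, while `/account/profile` receives them in both cases.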
