From: bugzilla@apache.org
To: tomcat-dev@jakarta.apache.org
Subject: DO NOT REPLY [Bug 34560] - AuthenticatorBase tests and applies disableProxyCaching even if no auth-constraints
Date: Sun, 24 Apr 2005 18:26:39 +0200 (CEST)
Message-Id: <20050424162639.535302DE@ajax.apache.org>
List-Id: "Tomcat Developers List"

http://issues.apache.org/bugzilla/show_bug.cgi?id=34560

------- Additional Comments From quartz12h@yahoo.com 2005-04-24 18:26 -------
Thank you for your dedication and research. I read that servlet spec 12.8.
It is very clear to me that the transport constraint is orthogonal to the authentication constraint. That is, a 'confidential' transport may not obviously require authentication. That is especially true for web sites that are fully https to avoid mixed secure/unsecure content warnings on browsers, while allowing decent caching for resources that do not need authentication/authorization, like js, css, gifs...

I'm not suggesting to change any of the current logic surrounding confidential/integral/none. I'm highlighting that the 'de-caching' headers must only be applied when the authentication is required, which has nothing to do with transport constraints.

Meanwhile, the http spec is stating that authorization must be challenged every time and resources, if cached, cannot bypass the authentication. It doesn't mention anything specific to the ssl nature (or else) of the lower layer transporting http content.

Thanks again.
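The distinction drawn in the comment above, shown as a deployment descriptor fragment. This is an added example, not part of the original message or of Tomcat's own files; the URL patterns, resource names and the role name `member` are assumptions chosen for illustration.

```xml
<!-- Added example: hypothetical web.xml fragment.
     URL patterns, resource names and the role name are assumptions. -->

<!-- Transport only: these resources must travel over HTTPS, but there is
     no auth-constraint element, so no login is required. This is the case
     the comment describes: static files that should stay cacheable. -->
<security-constraint>
  <web-resource-collection>
    <web-resource-name>Static resources</web-resource-name>
    <url-pattern>/css/*</url-pattern>
    <url-pattern>/js/*</url-pattern>
    <url-pattern>/images/*</url-pattern>
  </web-resource-collection>
  <user-data-constraint>
    <transport-guarantee>CONFIDENTIAL</transport-guarantee>
  </user-data-constraint>
</security-constraint>

<!-- Transport plus authentication: the auth-constraint element makes these
     pages require a logged-in user in the listed role. This is the only
     case where the comment argues anti-caching headers belong. -->
<security-constraint>
  <web-resource-collection>
    <web-resource-name>Account pages</web-resource-name>
    <url-pattern>/account/*</url-pattern>
  </web-resource-collection>
  <auth-constraint>
    <role-name>member</role-name>
  </auth-constraint>
  <user-data-constraint>
    <transport-guarantee>CONFIDENTIAL</transport-guarantee>
  </user-data-constraint>
</security-constraint>
```

To check which behaviour a given build has, request one path from each group over HTTPS and compare the `Cache-Control`, `Pragma` and `Expires` response headers.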