tomcat-dev mailing list archives

From bugzi...@apache.org
Subject DO NOT REPLY [Bug 12428] - request.getUserPrincipal(): Misinterpretation of specification?
Date Fri, 25 May 2007 10:43:34 GMT
DO NOT REPLY TO THIS EMAIL, BUT PLEASE POST YOUR BUG
RELATED COMMENTS THROUGH THE WEB INTERFACE AVAILABLE AT
<http://issues.apache.org/bugzilla/show_bug.cgi?id=12428>.
ANY REPLY MADE TO THIS MESSAGE WILL NOT BE COLLECTED AND
INSERTED IN THE BUG DATABASE.

http://issues.apache.org/bugzilla/show_bug.cgi?id=12428
------- Additional Comments From werner.donne@re.be  2007-05-25 03:43 -------
I disagree with the assessment of this bug. Tomcat's behaviour is based on the
following:

<spec-quote>
SRV.12.9 Default Policies
By default, authentication is not needed to access resources. Authentication is
needed for requests for a web resource collection only when specified by the
deployment descriptor.
</spec-quote>

Authentication can also be provided when it is not mandated by the deployment
descriptor. The spec quote doesn't say that authentication is forbidden when it
is not specified in the deployment descriptor.

When authentication is provided, no matter how and why, the documentation of the
getUserPrincipal method applies.

The use case for this is any situation where authorisation is based on
application data. When some application logic has found that unauthenticated
access to a resource is not allowed it can require authentication and reconsider
its access control decision. The status code 401 can also be returned by the
application. How would you otherwise implement RFC 3744 for example?

-- 
Configure bugmail: http://issues.apache.org/bugzilla/userprefs.cgi?tab=email
------- You are receiving this mail because: -------
You are the assignee for the bug, or are watching the assignee.

---------------------------------------------------------------------
To unsubscribe, e-mail: dev-unsubscribe@tomcat.apache.org
For additional commands, e-mail: dev-help@tomcat.apache.org
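The pattern the comment above describes, as an added illustration that is not part of the bug report or of Tomcat's code: a servlet outside any `<security-constraint>` decides from its own data (a constructed in-memory ACL, stood in for the RFC 3744 ACL the comment mentions) whether a resource is world-readable, and only when it is not does it challenge the client with a 401 and then consult `getUserPrincipal()`. The servlet class name, URL paths and principal names are hypothetical. Whether the container will populate `getUserPrincipal()` for a request that no deployment-descriptor constraint covers is exactly what the bug disputes; the example assumes the behaviour the commenter argues for.

```java
import java.io.IOException;
import java.io.PrintWriter;
import java.security.Principal;
import java.util.Map;
import java.util.Set;

import javax.servlet.ServletException;
import javax.servlet.http.HttpServlet;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;

/**
 * Hypothetical servlet mapped to /docs/* with NO security-constraint in
 * web.xml, so the container admits every request. Access control is
 * driven entirely by application data; authentication is demanded only
 * when that data says the resource is not readable by everyone.
 */
public class AppPolicyServlet extends HttpServlet {

    // Constructed sample ACL: resource path -> principal names allowed to
    // read it. An empty set means "readable without authentication".
    private static final Map<String, Set<String>> ACL = Map.of(
        "/docs/public.txt", Set.of(),
        "/docs/private.txt", Set.of("alice"));

    @Override
    protected void doGet(HttpServletRequest req, HttpServletResponse resp)
            throws ServletException, IOException {
        String path = req.getServletPath()
            + (req.getPathInfo() == null ? "" : req.getPathInfo());

        Set<String> allowed = ACL.get(path);
        if (allowed == null) {
            resp.sendError(HttpServletResponse.SC_NOT_FOUND);
            return;
        }

        // Anonymous access is fine for this resource: no challenge at all.
        if (allowed.isEmpty()) {
            serve(resp, path, "anonymous");
            return;
        }

        // The deployment descriptor never required authentication here, so
        // the application asks for it itself, as the comment describes:
        // answer 401 with a challenge and let the client retry.
        Principal user = req.getUserPrincipal();
        if (user == null) {
            resp.setHeader("WWW-Authenticate", "Basic realm=\"docs\"");
            resp.sendError(HttpServletResponse.SC_UNAUTHORIZED);
            return;
        }

        // Authenticated but not in the resource's ACL: deny, do not
        // re-challenge (a new set of credentials would not help).
        if (!allowed.contains(user.getName())) {
            resp.sendError(HttpServletResponse.SC_FORBIDDEN);
            return;
        }

        serve(resp, path, user.getName());
    }

    // Stand-in for the real resource delivery; only echoes the decision.
    private void serve(HttpServletResponse resp, String path, String who)
            throws IOException {
        resp.setContentType("text/plain");
        PrintWriter out = resp.getWriter();
        out.println("Serving " + path + " to " + who);
    }
}
```

The 401 is what forces the client to present credentials; the reconsidered decision on the retried request is what depends on the container honouring those credentials and exposing the result through `getUserPrincipal()`. Servlet 3.0 later standardised the application-initiated half of this with `HttpServletRequest.authenticate(HttpServletResponse)`, which triggers the container's configured login mechanism explicitly rather than relying on a hand-built challenge as above.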

