tomcat-dev mailing list archives

From bugzi...@apache.org
Subject DO NOT REPLY [Bug 12428] - request.getUserPrincipal(): Misinterpretation of specification?
Date Sat, 02 Jun 2007 08:08:52 GMT
DO NOT REPLY TO THIS EMAIL, BUT PLEASE POST YOUR BUG
RELATED COMMENTS THROUGH THE WEB INTERFACE AVAILABLE AT
<http://issues.apache.org/bugzilla/show_bug.cgi?id=12428>.
ANY REPLY MADE TO THIS MESSAGE WILL NOT BE COLLECTED AND
INSERTED IN THE BUG DATABASE.

http://issues.apache.org/bugzilla/show_bug.cgi?id=12428
------- Additional Comments From werner.donne@re.be  2007-06-02 01:08 -------
When the authentication fails the server can return a 401, because the
spontaneously provided Authorization header is wrong (RFC 2617 section 1.2).
Since the server didn't require authentication for the method, the User Agent
would have volunteered it, perhaps trying to get in and call other methods for
which authentication is required. After having received the 401, the User Agent
can continue interacting with the server unauthenticated. In this scenario the
server should always check a provided Authorization header, even if the method
doesn't require authentication.

Evaluating whether the current behaviour is compliant with the spec or not
depends. The starting point is the specification of the
HttpServletRequest.getUserPrincipal method. Looking at that alone makes the
behaviour non-compliant. Including SRV.12.9 makes it more difficult. Does
SRV.12.9 apply in this case? I don't think so, because it says nothing about
spontaneous authentication, which is allowed.

-- 
Configure bugmail: http://issues.apache.org/bugzilla/userprefs.cgi?tab=email
------- You are receiving this mail because: -------
You are the assignee for the bug, or are watching the assignee.
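The behaviour the comment argues for (always validate a volunteered Authorization header, even on a resource that does not require authentication, and answer a bad one with 401) can be illustrated with a servlet Filter. This is an added example, not Tomcat's own code and not code from the bug report; it assumes the javax.servlet API, a hypothetical in-memory credential map named USERS standing in for a container Realm, and HTTP Basic as the scheme the user agent volunteers.

```java
import java.io.IOException;
import java.nio.charset.StandardCharsets;
import java.security.MessageDigest;
import java.util.Base64;
import java.util.Map;

import javax.servlet.Filter;
import javax.servlet.FilterChain;
import javax.servlet.ServletException;
import javax.servlet.ServletRequest;
import javax.servlet.ServletResponse;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;

/**
 * Filter for resources that do NOT require authentication. If the user agent
 * spontaneously sends an Authorization header, the credentials are checked
 * anyway (RFC 2617 section 1.2): a valid header establishes a principal, an
 * invalid one is answered with 401 so the client learns the credentials are
 * wrong, and no header at all lets the request proceed unauthenticated.
 */
public class SpontaneousAuthFilter implements Filter {

    // Constructed sample credentials (hypothetical). A real deployment would
    // delegate to the container's Realm instead of a literal map.
    static final Map<String, String> USERS = Map.of("alice", "correct-horse");

    static final String CHALLENGE = "Basic realm=\"example\"";

    @Override
    public void doFilter(ServletRequest req, ServletResponse res, FilterChain chain)
            throws IOException, ServletException {
        HttpServletRequest request = (HttpServletRequest) req;
        HttpServletResponse response = (HttpServletResponse) res;

        String header = request.getHeader("Authorization");
        if (header == null) {
            // Nothing volunteered: the method does not require authentication,
            // so continue as an anonymous request.
            chain.doFilter(req, res);
            return;
        }

        String user = validateBasic(header);
        if (user == null) {
            // Credentials were offered but are wrong: reject, as the comment
            // argues the server should, rather than silently ignoring them.
            response.setHeader("WWW-Authenticate", CHALLENGE);
            response.sendError(HttpServletResponse.SC_UNAUTHORIZED);
            return;
        }

        // Valid spontaneous credentials: record the authenticated user so the
        // application can treat the request as authenticated.
        request.setAttribute("authenticated.user", user);
        chain.doFilter(req, res);
    }

    /**
     * Parses an HTTP Basic Authorization header and returns the user name if
     * the credentials match USERS, or null if the header is malformed or the
     * credentials are wrong. The password comparison is constant-time.
     */
    static String validateBasic(String header) {
        if (!header.regionMatches(true, 0, "Basic ", 0, 6)) {
            return null; // some other scheme, or not parseable
        }
        String decoded;
        try {
            byte[] raw = Base64.getDecoder().decode(header.substring(6).trim());
            decoded = new String(raw, StandardCharsets.UTF_8);
        } catch (IllegalArgumentException e) {
            return null; // invalid base64
        }
        int colon = decoded.indexOf(':');
        if (colon < 0) {
            return null; // RFC 2617 requires "user:password"
        }
        String user = decoded.substring(0, colon);
        String password = decoded.substring(colon + 1);
        String expected = USERS.get(user);
        if (expected == null) {
            return null;
        }
        boolean ok = MessageDigest.isEqual(
                expected.getBytes(StandardCharsets.UTF_8),
                password.getBytes(StandardCharsets.UTF_8));
        return ok ? user : null;
    }
}
```

Mapping the filter onto the unprotected URL patterns makes getUserPrincipal-style behaviour consistent: an invalid volunteered header is never silently treated as anonymous. Which status to return on a bad spontaneous header is exactly the point under discussion in the bug, so the 401 branch is the part to adjust if a deployment reads the servlet specification differently.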

---------------------------------------------------------------------
To unsubscribe, e-mail: dev-unsubscribe@tomcat.apache.org
For additional commands, e-mail: dev-help@tomcat.apache.org

