From: bugzilla@apache.org
To: tomcat-dev@jakarta.apache.org
Subject: DO NOT REPLY [Bug 12428] - request.getUserPrincipal(): Misinterpretation of specification?
Date: Sat, 2 Jun 2007 01:08:52 -0700 (PDT)
Message-Id: <20070602080853.2795C71418E@brutus.apache.org>

DO NOT REPLY TO THIS EMAIL, BUT PLEASE POST YOUR BUG RELATED COMMENTS THROUGH THE WEB INTERFACE AVAILABLE AT . ANY REPLY MADE TO THIS MESSAGE WILL NOT BE COLLECTED AND INSERTED IN THE BUG DATABASE.
http://issues.apache.org/bugzilla/show_bug.cgi?id=12428

------- Additional Comments From werner.donne@re.be 2007-06-02 01:08 -------

When the authentication fails the server can return a 401, because the spontaneously provided Authorization header is wrong (RFC 2617 section 1.2). Since the server didn't require authentication for the method, the User Agent would have volunteered it, perhaps trying to get in and call other methods for which authentication is required. After having received the 401, the User Agent can continue interacting with the server unauthenticated. In this scenario the server should always check a provided Authorization header, even if the method doesn't require authentication.

Evaluating whether the current behaviour is compliant with the spec or not depends. The starting point is the specification of the HttpServletRequest.getUserPrincipal method. Looking at that alone makes the behaviour non-compliant. Including SRV.12.9 makes it more difficult. Does SRV.12.9 apply in this case? I don't think so, because it says nothing about spontaneous authentication, which is allowed.
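The behaviour the comment argues for, as an added example that is not part of the bug report and is not Tomcat's code: a small model of a server that validates an RFC 2617 Basic Authorization header whenever one is present, returns 401 with a WWW-Authenticate challenge when the volunteered credentials are wrong (even for a resource that does not require authentication), and otherwise exposes the authenticated user the way getUserPrincipal() would. The credential store, the realm name, the protected path list and the Request/Response types are constructed for the example.

```python
import base64
import binascii
import hmac
from dataclasses import dataclass
from typing import Optional, Tuple

# Constructed credential store and realm for the example (not from the bug report).
USERS = {"alice": "s3cret"}
REALM = "example"

# Only this path is declared as requiring authentication; it stands in for a
# <security-constraint> in web.xml. Everything else is reachable unauthenticated.
PROTECTED_PATHS = {"/admin"}


@dataclass
class Request:
    method: str
    path: str
    authorization: Optional[str] = None   # raw Authorization header, if sent


@dataclass
class Response:
    status: int
    principal: Optional[str]              # what getUserPrincipal() would return
    www_authenticate: Optional[str] = None


def basic_header(user: str, password: str) -> str:
    """Build the Authorization header a User Agent would send for Basic auth."""
    token = base64.b64encode(f"{user}:{password}".encode("utf-8")).decode("ascii")
    return "Basic " + token


def parse_basic(header: str) -> Optional[Tuple[str, str]]:
    """Decode an RFC 2617 Basic credential; return None for anything malformed."""
    scheme, _, token = header.strip().partition(" ")
    if scheme.lower() != "basic" or not token.strip():
        return None
    try:
        decoded = base64.b64decode(token.strip(), validate=True).decode("utf-8")
    except (binascii.Error, UnicodeDecodeError):
        return None
    user, sep, password = decoded.partition(":")
    if not sep:                           # user-id and password must be colon separated
        return None
    return user, password


def check_credentials(user: str, password: str) -> bool:
    """Constant-time password comparison against the constructed store."""
    expected = USERS.get(user)
    if expected is None:
        # Do a comparison anyway so unknown and known users take similar time.
        hmac.compare_digest(password.encode("utf-8"), password.encode("utf-8"))
        return False
    return hmac.compare_digest(password.encode("utf-8"), expected.encode("utf-8"))


def handle(req: Request) -> Response:
    """Decide the outcome of a request, checking a volunteered Authorization header
    before looking at whether the resource itself requires authentication."""
    challenge = f'Basic realm="{REALM}"'
    principal = None
    if req.authorization is not None:
        creds = parse_basic(req.authorization)
        if creds is None or not check_credentials(*creds):
            # Credentials were offered and are wrong: reject them with 401 even
            # though the resource may be reachable without authentication.
            return Response(401, None, challenge)
        principal = creds[0]
    if req.path in PROTECTED_PATHS and principal is None:
        # No (valid) credentials for a protected resource: challenge the client.
        return Response(401, None, challenge)
    return Response(200, principal)


if __name__ == "__main__":
    for r in (Request("GET", "/public"),
              Request("GET", "/public", basic_header("alice", "s3cret")),
              Request("GET", "/public", basic_header("alice", "wrong")),
              Request("GET", "/admin"),
              Request("GET", "/admin", basic_header("alice", "s3cret"))):
        print(r.path, r.authorization is not None, handle(r))
```

After a 401 on an unprotected path the client is free to retry the same request without the header and get 200 with no principal, which is the "continue interacting unauthenticated" case in the comment; the difference from a server that ignores volunteered credentials is only that bad credentials are never silently accepted as anonymous access.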