tomcat-dev mailing list archives

Subject DO NOT REPLY [Bug 12428] request.getUserPrincipal(): Misinterpretation of specification?
Date Thu, 16 Dec 2010 19:32:42 GMT

--- Comment #24 from Werner Donn <> 2010-12-16 14:32:26 EST ---
Sessions don't solve the problem and don't make it comply with the spec. The
container is not the only party that can decide if authentication is necessary.
The application can do this too. Even if no credentials were provided
spontaneously by the client, the application could set the status code to 401.
The client would then reissue the request with credentials and the application
couldn't do anything else but return 401 again, because the principal is not
passed through by Tomcat as the resource is not declared as protected in

What were the issues with RFC 2617?

The fact that it wouldn't work for DIGEST authentication is not relevant. We're
talking about a valid scenario for Basic authentication.
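
The scenario in comment #24, as an added example that is not part of the original message or of Tomcat's code: a servlet on an unprotected URL issues the 401 challenge itself and, when the retried request still has no principal, passes the Basic credentials to the container's realm. The class name, the realm name and the use of `HttpServletRequest.login()` (which needs a Servlet 3.0 or later container) are assumptions of this example.

```java
import java.io.IOException;
import java.nio.charset.StandardCharsets;
import java.util.Base64;
import javax.servlet.ServletException;
import javax.servlet.http.HttpServlet;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;

// Hypothetical servlet mapped to a URL that no <security-constraint> covers.
public class AppChallengeServlet extends HttpServlet {

    @Override
    protected void doGet(HttpServletRequest req, HttpServletResponse resp)
            throws IOException {
        // Scenario from the comment: the container did not authenticate, so
        // the principal is null even if the client sent Basic credentials.
        if (req.getUserPrincipal() == null && !loginFromBasicHeader(req)) {
            resp.setHeader("WWW-Authenticate", "Basic realm=\"example\"");
            resp.sendError(HttpServletResponse.SC_UNAUTHORIZED);
            return;
        }
        resp.setContentType("text/plain");
        resp.getWriter().println("Hello, " + req.getUserPrincipal().getName());
    }

    // Assumption: Servlet 3.0+ container. Passes the Basic credentials to the
    // container's realm via login(); false if absent, malformed or rejected.
    private static boolean loginFromBasicHeader(HttpServletRequest req) {
        String header = req.getHeader("Authorization");
        if (header == null || !header.regionMatches(true, 0, "Basic ", 0, 6)) {
            return false;
        }
        try {
            byte[] raw = Base64.getDecoder().decode(header.substring(6).trim());
            String pair = new String(raw, StandardCharsets.UTF_8); // charset assumed
            int colon = pair.indexOf(':'); // password may itself contain ':'
            if (colon < 0) {
                return false;
            }
            req.login(pair.substring(0, colon), pair.substring(colon + 1));
            return true;
        } catch (IllegalArgumentException | ServletException e) {
            return false; // bad base64, or the realm rejected the credentials
        }
    }
}
```

Without the `loginFromBasicHeader` step, the servlet can only answer 401 again on the retried request, which is the loop the comment describes.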
