tomcat-dev mailing list archives

Site index · List index
Message view « Date » · « Thread »
Top « Date » · « Thread »
Subject DO NOT REPLY [Bug 12428] request.getUserPrincipal(): Misinterpretation of specification?
Date Thu, 16 Dec 2010 21:09:21 GMT

--- Comment #25 from Mark Thomas <> 2010-12-16 16:09:04 EST ---
This is a grey area of the specification. My reading of the various specs
remains that Tomcat is spec compliant. I have added this to my list of things
to ask the Servlet EG to clarify in 

I believe that a web application's fundamental behaviour should not change just
by changing the authentication mechanism. That DIGEST can't work with
pre-emptive authentication is a significant concern.

The scope of the feature is also important. This is do-able as previously
described with container managed authentication. Once the application starts to
get involved, things get more complex. However there is a way to do this in
Servlet 3.0. The application can call request.authenticate() but it needs to
make sure it checks the return code and stops any 401 going back to the client.
The application will also need to handle any IllegalStateExcpetions if the
response has already been committed.

The RFC2617 issue was mainly that a failed authentication SHOULD result in a
401 response and this feature requires that there is no 401 else the
application could end up prevent a user from accessing a page for which no
authentication is required. The SHOULD does give some leeway (it isn't a MUST)
but I'm not convinced there is a good enough reason to ignore the spec here.

Configure bugmail:
------- You are receiving this mail because: -------
You are the assignee for the bug.

To unsubscribe, e-mail:
For additional commands, e-mail:

View raw message