tomcat-dev mailing list archives

Subject DO NOT REPLY [Bug 12428] request.getUserPrincipal(): Misinterpretation of specification?
Date Sat, 02 Apr 2011 08:01:11 GMT

--- Comment #31 from Werner Donn <> 2011-04-02 04:00:55 EDT ---
@Mark The relevant specs are crystal clear. If you think there is any room for
interpretation then you should provide proof of how your interpretation can be
constructed. At present we still don't know what that is.

You wonder what a "non-protected" servlet should do when the provided
credentials are wrong. That is simple, it should do nothing, because the
container will have returned a 401, which it should always do when the
credentials are wrong. That is because there is no response code for reporting
wrong credentials.

Where can there be interference? All involved parties, container and servlet,
should comply with the specifications. When the container imposes a security
constraint because it was declared in the application, the servlet won't see
anything about it.

@Chris You don't seem to understand the difference between declarative and
programmatic protection. An alternative URL doesn't provide programmatic
protection. Study the WebDAV ACL specification and you will see it is
impossible to implement it without this bug being fixed.
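To make the distinction drawn in this comment concrete, here is an added illustration of programmatic protection (my own example, not code from this thread or from Tomcat): a servlet mapped to a URL that no `<security-constraint>` covers, so the container enforces nothing and the servlet itself inspects `request.getUserPrincipal()`. The class name `ResourceServlet`, the realm string and the role name `reader` are assumptions.

```java
import java.io.IOException;
import java.security.Principal;

import javax.servlet.ServletException;
import javax.servlet.http.HttpServlet;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;

// Hypothetical servlet mapped to a URL with no <security-constraint> in web.xml.
// Because nothing is declared, the container does not gate access here; the
// servlet decides for itself from the principal the request carries.
public class ResourceServlet extends HttpServlet {

    private static final String REALM = "example"; // assumed realm name

    @Override
    protected void doGet(HttpServletRequest request, HttpServletResponse response)
            throws ServletException, IOException {
        Principal user = request.getUserPrincipal();

        if (user == null) {
            // No authenticated caller: challenge instead of serving the resource.
            // A 401 with WWW-Authenticate is what an HTTP client needs to retry.
            response.setHeader("WWW-Authenticate", "Basic realm=\"" + REALM + "\"");
            response.sendError(HttpServletResponse.SC_UNAUTHORIZED);
            return;
        }

        if (!request.isUserInRole("reader")) { // assumed role name
            // Authenticated but not entitled: 403 rather than 401, so the client
            // does not re-prompt for credentials that were in fact accepted.
            response.sendError(HttpServletResponse.SC_FORBIDDEN);
            return;
        }

        response.setContentType("text/plain");
        response.getWriter().println("Hello, " + user.getName());
    }
}
```

The declarative counterpart is a `<security-constraint>` plus `<login-config>` in web.xml: there the container performs the same checks before `doGet` is ever called, and the servlet, as the comment puts it, sees nothing of it.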
