tomcat-users mailing list archives

From "Maurizio Lotauro" <>
Subject RE: Authentication behaviour
Date Wed, 01 Oct 2008 15:18:41 GMT
On 30 Sep 2008 at 18:27, Caldarale, Charles R wrote:

> > From: Maurizio Lotauro
> > Subject: Authentication behaviour
> >
> > The server answers with 401 before it has received the
> > whole content sent from the client. In fact it seems that
> > the answer comes right after the server has received
> > the HTTP header.
> Looks proper to me for basic authentication.  As soon as the reference
> to the protected resource is recognized, the 401 is sent; it's up to
> the client to resend all the input with the user credentials on the
> next request.
> Read the HTTP Authentication RFC:

I have already read this RFC and now I have read it again, but I'm unable to find where it
describes that the server can answer with 401 before the client has finished sending all data.
In that case the client must anyway send the rest of the data before making a new request (or
close the connection). I don't see any advantage in sending the 401 "early" (that was what
caused the problem for my client).

RFC 2616, section 6, says: "After receiving and interpreting a request message, a server
responds with an HTTP response message.".
The request message includes the message body (see section 5).

It seems to me that sending the response before receiving the whole request doesn't follow the

What do you think?


> If you're using form-based authentication, then the server captures
> any POST data submitted with the request, and uses that following
> successful authentication.

No, mine is a generic HTTP client and uses only the standard HTTP authentication (actually it
supports only basic and NTLM).

Bye, Maurizio.
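
The behaviour discussed in this thread, as an added example that is not part of the original message or of Tomcat's code: a constructed local server answers 401 as soon as the header block arrives, and a client polls for a response before each body chunk so it can stop sending early. The path `/protected`, the realm `demo`, the function names and the 0.2 s poll interval are assumptions made for the demonstration.

```python
import select
import socket
import threading

def early_401_server(listener):
    """Constructed test server: replies 401 once the header block has arrived."""
    conn, _ = listener.accept()
    with conn:
        buf = b""
        while b"\r\n\r\n" not in buf:
            data = conn.recv(4096)
            if not data:
                return
            buf += data
        conn.sendall(b"HTTP/1.1 401 Unauthorized\r\n"
                     b'WWW-Authenticate: Basic realm="demo"\r\n'
                     b"Content-Length: 0\r\nConnection: close\r\n\r\n")

def put_with_early_check(host, port, body, chunk=1024, wait=0.2):
    """PUT body in chunks, polling for a response before each chunk.
    Returns (status_code, body_bytes_sent)."""
    sent, reply = 0, b""
    with socket.create_connection((host, port)) as s:
        s.sendall(b"PUT /protected HTTP/1.1\r\nHost: demo\r\n"
                  b"Content-Length: %d\r\n\r\n" % len(body))
        while sent < len(body):
            if select.select([s], [], [], wait)[0]:
                break  # server answered before the body was complete
            piece = body[sent:sent + chunk]
            s.sendall(piece)
            sent += len(piece)
        while b"\r\n\r\n" not in reply:  # read the response header block
            data = s.recv(4096)
            if not data:
                break
            reply += data
    return int(reply.split(b" ", 2)[1]), sent

def run_demo():
    """Start the constructed server on a free local port and send 64 KiB."""
    listener = socket.socket()
    listener.bind(("127.0.0.1", 0))
    listener.listen(1)
    t = threading.Thread(target=early_401_server, args=(listener,), daemon=True)
    t.start()
    try:
        return put_with_early_check("127.0.0.1", listener.getsockname()[1], b"x" * 65536)
    finally:
        t.join(2)
        listener.close()
```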
