tomcat-users mailing list archives

Site index · List index
Message view « Date » · « Thread »
Top « Date » · « Thread »
From Christopher Schultz <>
Subject Re: Form Authentication and status (response) code
Date Fri, 02 Sep 2011 21:36:13 GMT
Hash: SHA1


On 9/1/2011 7:06 PM, Jess Holle wrote:
> So form-based authentication is an obnoxious mutt -- but a mutt
> that everyone seems to have fallen in love with.
> This isn't Tomcat's fault, however, and Tomcat is doing the normal
> thing by returning a 200 here.

The servlet spec (section 13.6.3 "Form Based Authentication") has the
whole process laid out, except that they don't say what the HTTP
response code should be when a request for a protected resource
arrives and the login form should be "sent to the client".

Later, it says:

If authentication fails, the error page is returned using either a
forward or a redirect, and the status code of the response is set to 200.

Ignoring the fact that you can't do a redirect using a 200 response,
it's clear that there is no "unauthenticated" or "forbidden" response
code to be used, here. Presumably, the decision to use response code
200 was drawn from this section as well as practical considerations
(being able to prohibit the login form from being directly accessible
to remote clients for instance) and past user input (I think Tomcat
used to issue a redirect, but now does an internal forward and
responds with 200).

- -chris
Version: GnuPG v1.4.10 (MingW32)
Comment: Using GnuPG with Mozilla -


To unsubscribe, e-mail:
For additional commands, e-mail:

View raw message