tomcat-users mailing list archives

Site index · List index
Message view « Date » · « Thread »
Top « Date » · « Thread »
From Konstantin Kolinko <>
Subject Re: Form Authentication and status (response) code
Date Sat, 03 Sep 2011 16:32:03 GMT
2011/9/2 Mabry Tyson <>:
> Summary: When requiring form authentication, Tomcat responds to an
> unauthenticated GET request with a HTTP status code of 200 (OK) and the
> login page.
> I believe that to be in violation of the HTTP standards.
> The problem:  Software makes a GET request to a web server.  It gets back a
> 200 status code.  By RFC 2616, that code indicates "the request has
> succeeded".
> The software then takes the resulting page as the successful response to the
> GET request.   However, in some cases this response is NOT a successful
> response
> but is instead a login form.
> By using a 200 status code, Tomcat is misrepresenting that the login form is
> the response to the request.   My believe is a 4xx code (client error) is
> appropriate, or possibly a 3xx code (Redirection) might be appropriate.
>  Unfortunately, the RFC indicates that a 401 (Unauthorized) response MUST
> have a header that is only appropriate for basic or digest authentication.
>  So a status code of 401 is not legal in this situation.

neither is 403 or 404. Plus add to that that certain web browser (IE)
has a habit to display his own error page instead on the one provided
by the server.

The response code 200 tells that server is returning some valid data
(a HTML page) that has to be displayed to the user. There might be
other headers along that (e.g. to forbid caching).

What is your software trying to do? It is trying to crawl the web
site?  Maybe you can detect the presence of login form on the HTML
page that is returned to you?

> P.S.  For anyone maintaining the examples, shouldn't vendor examples
> demonstrate the best practices?  I'd suggest you indicate the Content-Type
> and the charset.

The best way to make examples better is to prepare and propose patches
(through Bugzilla).

Best regards,
Konstantin Kolinko

To unsubscribe, e-mail:
For additional commands, e-mail:

View raw message