From: Christopher Schultz
Date: Fri, 02 Sep 2011 17:36:13 -0400
To: Tomcat Users List
CC: Jess Holle, Mabry Tyson
Subject: Re: Form Authentication and status (response) code
Message-ID: <4E614C4D.2070705@christopherschultz.net>

Jess,

On 9/1/2011 7:06 PM, Jess Holle wrote:
> So form-based authentication is an obnoxious mutt -- but a mutt
> that everyone seems to have fallen in love with.
>
> This isn't Tomcat's fault, however, and Tomcat is doing the normal
> thing by returning a 200 here.

The servlet spec (section 13.6.3 "Form Based Authentication") has the whole process laid out, except that they don't say what the HTTP response code should be when a request for a protected resource arrives and the login form should be "sent to the client". Later, it says:

"If authentication fails, the error page is returned using either a forward or a redirect, and the status code of the response is set to 200."

Ignoring the fact that you can't do a redirect using a 200 response, it's clear that there is no "unauthenticated" or "forbidden" response code to be used here. Presumably, the decision to use response code 200 was drawn from this section as well as practical considerations (being able to prohibit the login form from being directly accessible to remote clients, for instance) and past user input (I think Tomcat used to issue a redirect, but now does an internal forward and responds with 200).

-chris
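The practical consequence of the behaviour discussed in this thread is that a 200 on a protected URL does not mean the resource was served: it may be the login form. Monitoring probes, crawlers and API clients that treat any 2xx as success will misreport a FORM-protected resource as reachable. The following is an added example, not code from the thread or from Tomcat; it classifies a probe response by inspecting the body for the servlet-spec login form (the `j_security_check` action and the `j_username`/`j_password` fields are mandated by the spec's form-based authentication section; the sample HTML pages are constructed for the example and not captured from a real server).

```python
from html.parser import HTMLParser

# Marker names from the Servlet spec's form-based authentication
# (section 13.6.3): the form posts to j_security_check with the
# fields j_username and j_password.
LOGIN_ACTION = "j_security_check"
LOGIN_FIELDS = {"j_username", "j_password"}


class _LoginFormDetector(HTMLParser):
    """Collect form actions and input names so the login form can be spotted."""

    def __init__(self):
        super().__init__()
        self.form_actions = []
        self.input_names = set()

    def handle_starttag(self, tag, attrs):
        attrs = dict(attrs)
        if tag == "form":
            self.form_actions.append((attrs.get("action") or "").strip())
        elif tag == "input":
            name = attrs.get("name")
            if name:
                self.input_names.add(name)


def is_form_login_challenge(body):
    """True if the HTML body is a servlet-spec form-login page."""
    parser = _LoginFormDetector()
    parser.feed(body)
    parser.close()
    has_action = any(a.endswith(LOGIN_ACTION) for a in parser.form_actions)
    return has_action and LOGIN_FIELDS <= parser.input_names


def classify_response(status, content_type, body):
    """Classify a probe response to a protected resource.

    Returns one of:
      "login-challenge" - 200 carrying the login form, not the resource
      "denied"          - 401/403 from a different auth mechanism
      "redirect"        - 3xx (older Tomcat versions redirected to the form)
      "content"         - 2xx that is not the login form
      "other"           - anything else
    """
    if 300 <= status < 400:
        return "redirect"
    if status in (401, 403):
        return "denied"
    if 200 <= status < 300:
        if "text/html" in content_type.lower() and is_form_login_challenge(body):
            return "login-challenge"
        return "content"
    return "other"


# Constructed sample responses (not captured from a real server).
SAMPLE_LOGIN_PAGE = """<html><body>
<form method="POST" action="j_security_check">
  <input type="text" name="j_username">
  <input type="password" name="j_password">
  <input type="submit" value="Log in">
</form></body></html>"""

SAMPLE_CONTENT_PAGE = """<html><body><h1>Admin console</h1>
<form method="POST" action="/admin/save"><input name="setting"></form>
</body></html>"""

if __name__ == "__main__":
    for status, ctype, body in [
        (200, "text/html", SAMPLE_LOGIN_PAGE),
        (200, "text/html", SAMPLE_CONTENT_PAGE),
        (302, "text/html", ""),
        (401, "text/plain", "Unauthorized"),
    ]:
        print(status, classify_response(status, ctype, body))
```

A health check built on `classify_response` reports "login-challenge" rather than "up" for a protected URL probed without credentials, which is the distinction a plain status-code check cannot make under FORM authentication.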