From: Konstantin Kolinko
To: Tomcat Users List
Date: Sat, 3 Sep 2011 20:32:03 +0400
Subject: Re: Form Authentication and status (response) code
In-Reply-To: <4E600BFA.3000804@AI.SRI.COM>

2011/9/2 Mabry Tyson:
> Summary: When requiring form authentication, Tomcat responds to an
> unauthenticated GET request with a HTTP status code of 200 (OK) and the
> login page.
> I believe that to be in violation of the HTTP standards.
>
> The problem: Software makes a GET request to a web server. It gets back a
> 200 status code. By RFC 2616, that code indicates "the request has
> succeeded".
> The software then takes the resulting page as the successful response to the
> GET request. However, in some cases this response is NOT a successful
> response but is instead a login form.
>
> By using a 200 status code, Tomcat is misrepresenting that the login form is
> the response to the request. My belief is a 4xx code (client error) is
> appropriate, or possibly a 3xx code (Redirection) might be appropriate.
> Unfortunately, the RFC indicates that a 401 (Unauthorized) response MUST
> have a header that is only appropriate for basic or digest authentication.
> So a status code of 401 is not legal in this situation.

Neither is 403 or 404.

Plus add to that that a certain web browser (IE) has a habit of displaying
its own error page instead of the one provided by the server.

The response code 200 tells that the server is returning some valid data
(an HTML page) that has to be displayed to the user. There might be other
headers along that (e.g. to forbid caching).

What is your software trying to do? Is it trying to crawl the web site?
Maybe you can detect the presence of a login form on the HTML page that is
returned to you?

> P.S. For anyone maintaining the examples, shouldn't vendor examples
> demonstrate the best practices? I'd suggest you indicate the Content-Type
> and the charset.

The best way to make examples better is to prepare and propose patches
(through Bugzilla).

Best regards,
Konstantin Kolinko

---------------------------------------------------------------------
To unsubscribe, e-mail: users-unsubscribe@tomcat.apache.org
For additional commands, e-mail: users-help@tomcat.apache.org
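Konstantin's suggestion of recognising the login form in the body instead of trusting the 200 status, as an added example that is not code from this thread or from Tomcat. It assumes the Servlet-spec FORM authentication conventions, which the thread does not name (a form posting to j_security_check with j_username and j_password fields), and runs on constructed sample pages.

```python
from html.parser import HTMLParser

# Servlet-spec FORM authentication conventions (assumed; the thread does not name them).
LOGIN_ACTION = "j_security_check"
LOGIN_FIELDS = {"j_username", "j_password"}


class _FormScanner(HTMLParser):
    """Collects form actions and input names so the login form can be recognised."""

    def __init__(self):
        super().__init__()
        self.actions = []
        self.inputs = set()

    def handle_starttag(self, tag, attrs):
        a = dict(attrs)
        if tag == "form" and a.get("action"):
            self.actions.append(a["action"])
        elif tag == "input" and a.get("name"):
            self.inputs.add(a["name"])


def is_tomcat_login_form(body):
    """True if the page carries a form posting to j_security_check with the
    standard username/password fields, i.e. the container asked us to log in."""
    scanner = _FormScanner()
    scanner.feed(body)
    posts_to_check = any(act.endswith(LOGIN_ACTION) for act in scanner.actions)
    return posts_to_check and LOGIN_FIELDS <= scanner.inputs


def classify_response(status, body):
    """Classify a fetch without trusting the status code alone: a 200 whose
    body is the login form is 'login_required', not the requested resource."""
    if status != 200:
        return "error"
    return "login_required" if is_tomcat_login_form(body) else "content"


# Constructed sample bodies for the two cases described in the thread.
LOGIN_PAGE = """<html><body><form method="POST" action="j_security_check">
<input type="text" name="j_username"><input type="password" name="j_password">
<input type="submit" value="Log In"></form></body></html>"""
REAL_PAGE = "<html><body><h1>Report</h1><p>Quarterly figures</p></body></html>"

if __name__ == "__main__":
    print(classify_response(200, LOGIN_PAGE))  # login_required
    print(classify_response(200, REAL_PAGE))   # content
```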