tomcat-users mailing list archives

From: André Warnier
Subject: Re: Context Path for a subdirectory
Date: Fri, 30 Nov 2012 20:06:12 GMT
Leo Donahue - RDSA IT wrote:
>> -----Original Message-----
>> From: André Warnier []
>> Sent: Friday, November 30, 2012 8:20 AM
>> To: Tomcat Users List
>> Subject: Re: Context Path for a subdirectory
>> Leo Donahue - RDSA IT wrote:
>>> If I can tag another question on the end of this thread:
>>> The Remote Address Filter has an option to set the denyStatus from 403 to
>>> 404, or whatever.  In general, I'm guessing it's better to respond that a
>>> restricted resource is not found, rather than respond that it is there but forbidden?
>> Purely personal opinion: by doing this, you "kind of" violate the spirit of the
>> specification, and you create some confusion at the technical level.
>> And, essentially, you are lying to the client.
>> So, in general, it is not "better".
>> But hey, it's your server, so you're free to return whatever you believe is most
>> Within limits though. For example, if somewhere you provide a link to that section
>> some people, but when they click on it, they get a "not found", they may think that
>> application isn't working, or that your documentation is incorrect.  While if they get a
>> "forbidden", they may realise that they need to ask for a permission.
> Why is denyStatus an option?  Why would someone use it?

Well, ok, let me revise my earlier and purely personal opinion, as per RFC 2616:

10.4.4 403 Forbidden

The server understood the request, but is refusing to fulfill it. Authorization will not 
help and the request SHOULD NOT be repeated. If the request method was not HEAD and the 
server wishes to make public why the request has not been fulfilled, it SHOULD describe 
the reason for the refusal in the entity. If the server does not wish to make this 
information available to the client, the status code 404 (Not Found) can be used instead.

10.4.5 404 Not Found

The server has not found anything matching the Request-URI. No indication is given of 
whether the condition is temporary or permanent. The 410 (Gone) status code SHOULD be used 
if the server knows, through some internally configurable mechanism, that an old resource 
is permanently unavailable and has no forwarding address. This status code is commonly 
used when the server does not wish to reveal exactly why the request has been refused, or 
when no other response is applicable.

So it does say that if you want, you /can/ replace a 403 by a 404.
You are thus forgiven.
And that is probably the reason why the denyStatus option was provided: the Tomcat 
developers did read the HTTP RFC.  Clever guys, eh?
