tomcat-dev mailing list archives

From Rémy Maucherat <r...@apache.org>
Subject Re: svn commit: r1817105 - in /tomcat/trunk: java/org/apache/catalina/core/ApplicationPushBuilder.java webapps/docs/changelog.xml
Date Mon, 04 Dec 2017 20:54:14 GMT
On Mon, Dec 4, 2017 at 9:22 PM, Mark Thomas <markt@apache.org> wrote:

> On 04/12/17 19:50, Mark Thomas wrote:
> > On 04/12/17 18:03, Rémy Maucherat wrote:
>
> <snip/>
>
> >> Another "feature" that looks almost impossible to implement I guess.
> >
> > Hmm. I only read the first part of the Javadoc. I'm not really sure what
> > the second part is getting at with "... a container generated token...".
> > I'll have a look back at the archive to see if there was any EG
> > discussion on this point.
>
> That second part was part of the original proposal and there was never
> any discussion about what it actually meant.
>
> Thinking about it, I think we could do the following and be spec compliant:
>
> - Set a header e.g. "Authorization: x-push"
> - Copy the authenticated Principal from the base request to the
>   pushTarget
>
> That meets the requirements:
> - "an Authorization header will be set with a container generated token"
> - "result in equivalent Authorization for the pushed request"
>
> The spec does imply that it is the token that results in authorization
> but it doesn't actually mandate it. I think there is enough flexibility
> in the wording that the above would be OK.
>
> Thoughts?
>

Indeed, it doesn't say that it has to be an authorization header that would
normally work, only a token.

Rémy
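
The approach proposed in the quoted message, sketched as an added example that is not part of the original thread and is not Tomcat code. `Req`, `buildPushTarget` and `resolvePrincipal` are hypothetical names, and the rule that the `x-push` marker is honoured only on container-generated requests is an assumption of this sketch.

```java
import java.security.Principal;
import java.util.HashMap;
import java.util.Map;

public class PushAuthSketch {
    // Placeholder header value proposed in the thread; a constant, not a credential.
    static final String PUSH_TOKEN = "x-push";

    // Hypothetical minimal request model (not a Tomcat class).
    static final class Req {
        final Map<String, String> headers = new HashMap<>();
        final boolean containerGenerated; // true only for requests the container builds
        Principal principal;              // identity established by the container
        Req(boolean containerGenerated) { this.containerGenerated = containerGenerated; }
    }

    // Build the push target: set the marker header and copy the authenticated Principal.
    static Req buildPushTarget(Req base) {
        Req target = new Req(true);
        if (base.principal != null) {
            target.headers.put("Authorization", PUSH_TOKEN);
            target.principal = base.principal;
        }
        return target;
    }

    // Identity a request is processed with. Assumption: the marker is honoured only
    // on container-generated requests, so a client sending it gains nothing.
    static Principal resolvePrincipal(Req r) {
        boolean marker = PUSH_TOKEN.equals(r.headers.get("Authorization"));
        if (marker && !r.containerGenerated) {
            return null; // a constant string from the network is not proof of identity
        }
        return r.principal;
    }

    public static void main(String[] args) {
        Req base = new Req(false);
        base.principal = () -> "alice"; // constructed sample user
        System.out.println("pushed: " + resolvePrincipal(buildPushTarget(base)).getName());

        Req forged = new Req(false); // constructed: client sends the marker itself
        forged.headers.put("Authorization", PUSH_TOKEN);
        System.out.println("forged: " + resolvePrincipal(forged));

        Req anon = buildPushTarget(new Req(false)); // unauthenticated base request
        System.out.println("anonymous push header: " + anon.headers.get("Authorization"));
    }
}
```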
