tomcat-users mailing list archives

From alexander dosher <>
Subject Re: unauthenticated 304s - final try
Date Mon, 28 Mar 2005 18:47:34 GMT
Mark Leone sez:
> It's still worth investigating IMO. One could argue that returning to
> an unauthorized client even the info that a resource has not changed
> since an authenticated request was returned successfully violates
> the authentication protection.
that's pretty much what *i* thought, anyway...

> This may have more to do with the server's authentication
> requirements than the HTTP spec. Does anyone know if the Servlet spec
> addresses this?

from the 2.4 Servlet spec:
> If the user is authenticated using form login and has created an HTTP
> session, the timeout or invalidation of that session leads to the
> user being logged out in the sense that subsequent requests must
> cause the user to be re-authenticated.

seems fairly straightforward to me.

i agree that the HTTP spec is less than optimally clear, and that this 
isn't a huge issue - it's just that it exercises a MSIE6 misfeature 
that html pages are cached, but included .js & .css files are not, 
resulting in the display of ugly & broken pages when this happens.

