On Mon, Dec 4, 2017 at 9:22 PM, Mark Thomas <ma...@apache.org> wrote:
> On 04/12/17 19:50, Mark Thomas wrote:
> > On 04/12/17 18:03, Rémy Maucherat wrote:
> > <snip/>
> > >> Another "feature" that looks almost impossible to implement I guess.
> >
> > Hmm. I only read the first part of the Javadoc. I'm not really sure what
> > the second part is getting at with "... a container generated token...".
> > I'll have a look back at the archive to see if there was any EG
> > discussion on this point.
>
> That second part was part of the original proposal and there was never
> any discussion about what it actually meant.
>
> Thinking about it, I think we could do the following and be spec compliant:
>
> - Set a header e.g. "Authorization: x-push"
> - Copy the authenticated Principal from the base request to the
>   pushTarget
>
> That meets the requirements:
> - "an Authorization header will be set with a container generated token"
> - "result in equivalent Authorization for the pushed request"
>
> The spec does imply that it is the token that results in authorization
> but it doesn't actually mandate it. I think there is enough flexibility
> in the wording that the above would be OK.
>
> Thoughts?
>

Indeed, it doesn't say that it has to be an authorization header that would normally work, only a token.

Rémy