Github user kkolinko commented on the issue:
https://github.com/apache/tomcat/pull/96
1) POST fallsback to GET, I think since RFC1945 (HTTP/1.0). Both HEAD and
POST were improvements over single GET method supported by original HTTP
protocol (0.9).
2) DefaultServlet can be used as a target of RequestDispatcher.forward(),
and such forward does not change the request method.
As such, I think that the behaviour of DefaultServlet.doPost() must not be
changed.
I am OK to change 403 to 405 as response code in DefaultServlet.doPut(),
doDelete(). It seems reasonable.
Though:
1) The code 405 is since HTTP/1.1, does not exist in HTTP/1.0
2) You are correct, that when a server uses code 405 it MUST generate an
"Allow" header as well (RFC 7231).
There are some other places where SC_METHOD_NOT_ALLOWED code is used and no
"Allow" header is generated.
3) This changes behaviour of WebdavServlet. For a readOnly WebdavServlet
it is reasonable to return 403. Though 405 is OK as well.
4) WebdavServlet has method determineMethodsAllowed(). It should be updated
accordingly.
---
---------------------------------------------------------------------
To unsubscribe, e-mail: [email protected]
For additional commands, e-mail: [email protected]
