https://issues.apache.org/bugzilla/show_bug.cgi?id=12428
--- Comment #24 from Werner Donn <werner.do...@re.be> 2010-12-16 14:32:26 EST --- Sessions don't solve the problem and doesn't make it comply to the spec. The container is not the only party that can decide if authentication is necessary. The application can do this too. Even if no credentials were provided spontaneously by the client, the application could set the status code to 401. The client would then reissue the request with credentials and the application couldn't anything else but return 401 again, because the principal is not passed through by Tomcat as the resource is not declared as protected in web.xml. What were the issues with RFC 2617? The fact that it wouldn't work for DIGEST authentication is not relevant. We're talking about a valid scenario for Basic authentication. -- Configure bugmail: https://issues.apache.org/bugzilla/userprefs.cgi?tab=email ------- You are receiving this mail because: ------- You are the assignee for the bug. --------------------------------------------------------------------- To unsubscribe, e-mail: dev-unsubscr...@tomcat.apache.org For additional commands, e-mail: dev-h...@tomcat.apache.org
