https://issues.apache.org/bugzilla/show_bug.cgi?id=12428
--- Comment #25 from Mark Thomas <ma...@apache.org> 2010-12-16 16:09:04 EST ---

This is a grey area of the specification. My reading of the various specs remains that Tomcat is spec compliant. I have added this to my list of things to ask the Servlet EG to clarify in 3.next.

I believe that a web application's fundamental behaviour should not change just by changing the authentication mechanism. That DIGEST can't work with pre-emptive authentication is a significant concern.

The scope of the feature is also important. This is do-able as previously described with container managed authentication. Once the application starts to get involved, things get more complex. However, there is a way to do this in Servlet 3.0. The application can call request.authenticate() but it needs to make sure it checks the return code and stops any 401 going back to the client. The application will also need to handle any IllegalStateExceptions if the response has already been committed.

The RFC2617 issue was mainly that a failed authentication SHOULD result in a 401 response and this feature requires that there is no 401, else the application could end up preventing a user from accessing a page for which no authentication is required. The SHOULD does give some leeway (it isn't a MUST) but I'm not convinced there is a good enough reason to ignore the spec here.
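One way to do what the comment describes, as an added example (not code from this bug thread or from Tomcat): a Servlet 3.0 filter that calls request.authenticate() through a response wrapper which discards the 401 status and the WWW-Authenticate header, checks the boolean result, and handles the IllegalStateException thrown when the response is already committed. Assumed: the filter is mapped to the pages that require no authentication, and the "Authorization" header check and the "optionalAuth.authenticated" request attribute are this filter's own conventions.

```java
import java.io.IOException;
import javax.servlet.*;
import javax.servlet.http.*;

// Filter for pages that need no authentication: if the client sent credentials pre-emptively,
// ask the container to authenticate them, but never let the resulting 401 reach the client.
public class OptionalAuthFilter implements Filter {

    /** Wrapper that discards a 401 status and the WWW-Authenticate header, and nothing else. */
    static final class ChallengeSuppressingResponse extends HttpServletResponseWrapper {
        ChallengeSuppressingResponse(HttpServletResponse r) { super(r); }
        @Override public void sendError(int sc) throws IOException { if (sc != SC_UNAUTHORIZED) super.sendError(sc); }
        @Override public void sendError(int sc, String msg) throws IOException {
            if (sc != SC_UNAUTHORIZED) super.sendError(sc, msg);
        }
        @Override public void setStatus(int sc) {
            if (sc != SC_UNAUTHORIZED) super.setStatus(sc);
        }
        @Override public void setHeader(String name, String value) {
            if (!"WWW-Authenticate".equalsIgnoreCase(name)) super.setHeader(name, value);
        }
        @Override public void addHeader(String name, String value) {
            if (!"WWW-Authenticate".equalsIgnoreCase(name)) super.addHeader(name, value);
        }
    }

    @Override public void doFilter(ServletRequest req, ServletResponse res, FilterChain chain)
            throws IOException, ServletException {
        HttpServletRequest request = (HttpServletRequest) req;
        HttpServletResponse response = (HttpServletResponse) res;
        // Only worth trying when credentials were sent (assumed heuristic) and nothing is written yet.
        if (request.getUserPrincipal() == null && request.getHeader("Authorization") != null
                && !response.isCommitted()) {
            try {
                // Check the return value: false means the container tried to send a 401,
                // which the wrapper discarded, so the request simply continues anonymously.
                boolean authenticated = request.authenticate(new ChallengeSuppressingResponse(response));
                request.setAttribute("optionalAuth.authenticated", authenticated); // attribute name is ours
            } catch (IllegalStateException e) {
                // Response was committed before authenticate() ran; serve the page as-is.
            } catch (ServletException e) {
                // Login mechanism failed without setting a status; treat the visitor as anonymous.
            }
        }
        chain.doFilter(request, response);
    }

    @Override public void init(FilterConfig config) {}
    @Override public void destroy() {}
}
```

As the comment notes, this only helps when the client sends credentials without first being challenged, which BASIC allows and DIGEST does not. The page should rely on request.getUserPrincipal() being non-null, not on the attribute alone, before treating the visitor as authenticated.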