If a security-constraint is defined protecting a certain uri but no
login-config is defined in web.xml then upon accessing the uri, tomcat
respond with the following error:

HTTP Status 500 - Configuration error: Cannot perform access control
without an authenticated principal

Is this the correct behavior? AFAIK the servlet 2.4 specification
allows a web.xml with a security-constraint without a login-config
(which makes sense in some situations).

Questions:

  Since there is no way to autenticate a user I would think that one
  of the following response would be more correct:

  1) 403 (Forbidden) - Since no authentication can be performed but
     the web area is protected this is the obvious choice.

  2) 401 (Unauthorized) Alternatively sending a futile auth required
     response, making the client/server to go into an authentication
     forever-loop.

If sending 500 Configure error after all *is* what you guys think is
the correct thing to do shouldn't this instead be flagged when the
web.xml is parsed at startup and tomcat refuse to start?

-- 
Jan-Henrik Haukeland

---------------------------------------------------------------------
To unsubscribe, e-mail: [EMAIL PROTECTED]
For additional commands, e-mail: [EMAIL PROTECTED]

Reply via email to