Tomcat 4.x has a problem -- it challenges for auth
prior to any redirects.  This is wrong because it causes
most browsers to cache auth info for the entire domain 
when hitting top-level directories.

For example:

   WRONG way:
    GET /foo                       ->  401
    GET /foo with auth             ->  301 to /foo/index.html
    GET /foo/index.html with auth  ->  200    
    GET /bar  WITH auth  .. (browser will send auth to entire domain!)
   
   RIGHT way: (Apache being the best example)
    GET /foo                       ->  301 to /foo/index.html
    GET /foo/index.html            ->  401
    GET /foo/index.html with auth  ->  200
    GET /bar  WITHOUT auth

It looks like this is difficult to fix since the
"is this a directory?  Are there welcome files?" logic
needs to move up out of DefaultServlet to a location
in the request chain prior to the auth valve.
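The two exchanges above, and the effect of the valve ordering on what the browser sends to /bar, as an added example that is not code from the original post or from Tomcat. It models a Tomcat-style request chain in Python: an auth valve and a DefaultServlet-style welcome-file redirect, composed in the two orders discussed, plus a browser that caches Basic credentials for the directory of the URL that was challenged (the protection-space rule of RFC 7617). The site layout (/foo as a protected directory with /foo/index.html, /bar public), the credential string and all function names are constructed for the example.

```python
import posixpath
from dataclasses import dataclass
from typing import Callable, Dict, List, Optional, Tuple

# Constructed sample site: /foo is a protected directory with a welcome file,
# /bar is a public resource outside the protected area.
DIRECTORIES = {"/foo"}
FILES = {"/foo/index.html", "/bar"}
PROTECTED_PREFIX = "/foo"          # everything at or under /foo needs auth
VALID_CREDENTIALS = "Basic dXNlcjpwYXNz"  # constructed user:pass, not a real account


@dataclass
class Response:
    status: int
    location: Optional[str] = None


def auth_valve(path: str, headers: Dict[str, str]) -> Optional[Response]:
    """The auth valve: 401 for a protected path without valid credentials."""
    if path.startswith(PROTECTED_PREFIX) and headers.get("Authorization") != VALID_CREDENTIALS:
        return Response(401)
    return None


def welcome_file_redirect(path: str) -> Optional[Response]:
    """The 'is this a directory? are there welcome files?' logic from DefaultServlet."""
    if path in DIRECTORIES and path + "/index.html" in FILES:
        return Response(301, location=path + "/index.html")
    return None


def serve(path: str) -> Response:
    return Response(200) if path in FILES else Response(404)


Handler = Callable[[str, Dict[str, str]], Response]


def handle_wrong_order(path: str, headers: Dict[str, str]) -> Response:
    """Tomcat 4.x as described: auth valve runs before the welcome-file redirect."""
    return auth_valve(path, headers) or welcome_file_redirect(path) or serve(path)


def handle_right_order(path: str, headers: Dict[str, str]) -> Response:
    """Apache-like: redirect to the welcome file first, then challenge for auth."""
    return welcome_file_redirect(path) or auth_valve(path, headers) or serve(path)


class Browser:
    """Models Basic-auth credential caching: once a challenge on URL U is answered
    successfully, credentials are sent preemptively to every path at or below the
    directory containing U (the protection space of RFC 7617)."""

    def __init__(self, credentials: str) -> None:
        self.credentials = credentials
        self.cached_spaces: List[str] = []
        # (path requested, Authorization header sent?, status received)
        self.log: List[Tuple[str, bool, int]] = []

    @staticmethod
    def _space_of(path: str) -> str:
        # directory of the challenged URL, with a trailing slash: /foo -> "/", /foo/index.html -> "/foo/"
        return posixpath.dirname(path).rstrip("/") + "/"

    def _headers_for(self, path: str) -> Dict[str, str]:
        if any(path.startswith(space) for space in self.cached_spaces):
            return {"Authorization": self.credentials}
        return {}

    def _send(self, path: str, headers: Dict[str, str], handler: Handler) -> Response:
        resp = handler(path, headers)
        self.log.append((path, "Authorization" in headers, resp.status))
        return resp

    def get(self, path: str, handler: Handler, max_hops: int = 5) -> Response:
        for _ in range(max_hops):
            resp = self._send(path, self._headers_for(path), handler)
            if resp.status == 401:
                # challenged: retry the same path with credentials, cache the space on success
                resp = self._send(path, {"Authorization": self.credentials}, handler)
                if resp.status != 401:
                    self.cached_spaces.append(self._space_of(path))
            if resp.status == 301 and resp.location:
                path = resp.location
                continue
            return resp
        raise RuntimeError("too many redirects")


def trace(handler: Handler) -> List[Tuple[str, bool, int]]:
    """Replay the exchange from the post: GET /foo, follow redirects, then GET /bar."""
    browser = Browser(VALID_CREDENTIALS)
    browser.get("/foo", handler)
    browser.get("/bar", handler)
    return browser.log


def sends_credentials_to_bar(handler: Handler) -> bool:
    """True when the browser leaks the cached credentials to the unrelated /bar."""
    return any(sent for path, sent, _ in trace(handler) if path == "/bar")


if __name__ == "__main__":
    for name, handler in (("WRONG", handle_wrong_order), ("RIGHT", handle_right_order)):
        print(name, "-> /bar gets auth:", sends_credentials_to_bar(handler))
        for path, sent, status in trace(handler):
            print(f"    GET {path:<16} {'with auth   ' if sent else 'without auth'} -> {status}")
```

Running the block prints the two traces from the post: with the auth valve first, the 401 lands on /foo, the browser scopes the credentials to "/" and sends them on GET /bar; with the redirect first, the 401 lands on /foo/index.html, the scope is "/foo/" and /bar is requested without credentials.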

Any better ideas are welcome as I begin hacking...

Keith
 
