If a security-constraint is defined protecting a certain URI but no login-config is defined in web.xml, then upon accessing the URI Tomcat responds with the following error:

HTTP Status 500 - Configuration error: Cannot perform access control without an authenticated principal

Is this the correct behavior? AFAIK the servlet 2.4 specification allows a web.xml with a security-constraint without a login-config (which makes sense in some situations).

Questions: Since there is no way to authenticate a user, I would think that one of the following responses would be more correct:

1) 403 (Forbidden) - Since no authentication can be performed but the web area is protected, this is the obvious choice.

2) 401 (Unauthorized) - Alternatively, sending a futile auth-required response, making the client/server go into an authentication forever-loop.

If sending 500 Configuration error after all *is* what you guys think is the correct thing to do, shouldn't this instead be flagged when the web.xml is parsed at startup and Tomcat refuse to start?

-- 
Jan-Henrik Haukeland
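The two kinds of security-constraint the post is about, as an added example (this is not the poster's web.xml nor anything from the Tomcat project). The first constraint has an empty auth-constraint, which the servlet spec defines as "deny everyone"; it needs no login-config because no principal is ever consulted. The second constraint names a role, so the container must be able to authenticate a user, and that is what the login-config supplies. Deleting the login-config element from this file reproduces the situation described above: a role-based constraint with no way to establish a principal. The URL patterns, role name and realm name are illustrative assumptions.

```xml
<?xml version="1.0" encoding="UTF-8"?>
<web-app xmlns="http://java.sun.com/xml/ns/j2ee"
         xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
         xsi:schemaLocation="http://java.sun.com/xml/ns/j2ee
                             http://java.sun.com/xml/ns/j2ee/web-app_2_4.xsd"
         version="2.4">

  <!-- Case 1: lock a path away from everybody.
       An EMPTY auth-constraint means "no role may access this", so the
       container can answer 403 without authenticating anyone. This is the
       legitimate "security-constraint without login-config" case.
       (Path is an assumption for the example.) -->
  <security-constraint>
    <web-resource-collection>
      <web-resource-name>Internal files</web-resource-name>
      <url-pattern>/WEB-INF/internal/*</url-pattern>
    </web-resource-collection>
    <auth-constraint/>
  </security-constraint>

  <!-- Case 2: restrict a path to a role.
       Because a role is named, the container must know WHO is asking, which
       requires the login-config below. Leaving login-config out with this
       constraint present is the misconfiguration the post describes.
       (Path and role name are assumptions for the example.) -->
  <security-constraint>
    <web-resource-collection>
      <web-resource-name>Admin area</web-resource-name>
      <url-pattern>/admin/*</url-pattern>
      <http-method>GET</http-method>
      <http-method>POST</http-method>
    </web-resource-collection>
    <auth-constraint>
      <role-name>admin</role-name>
    </auth-constraint>
    <user-data-constraint>
      <!-- Do not send BASIC credentials in clear text. -->
      <transport-guarantee>CONFIDENTIAL</transport-guarantee>
    </user-data-constraint>
  </security-constraint>

  <!-- Required by Case 2: how the container obtains a principal.
       Realm name is an assumption; the realm itself is configured in the
       container, not in web.xml. -->
  <login-config>
    <auth-method>BASIC</auth-method>
    <realm-name>Example admin realm</realm-name>
  </login-config>

  <!-- Declare every role referenced by an auth-constraint. -->
  <security-role>
    <role-name>admin</role-name>
  </security-role>

</web-app>
```

Note that the container can only honour the second constraint if a realm is configured with a user holding the admin role; the web.xml alone does not create any user. The transport-guarantee is included because BASIC authentication otherwise sends the password Base64-encoded, not encrypted, on every request.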