DO NOT REPLY TO THIS EMAIL, BUT PLEASE POST YOUR BUG
RELATED COMMENTS THROUGH THE WEB INTERFACE AVAILABLE AT
<http://issues.apache.org/bugzilla/show_bug.cgi?id=12428>.
ANY REPLY MADE TO THIS MESSAGE WILL NOT BE COLLECTED AND
INSERTED IN THE BUG DATABASE.

http://issues.apache.org/bugzilla/show_bug.cgi?id=12428


[EMAIL PROTECTED] changed:

           What    |Removed                     |Added
----------------------------------------------------------------------------
             Status|REOPENED                    |RESOLVED
         Resolution|                            |INVALID




------- Additional Comments From [EMAIL PROTECTED]  2005-09-21 23:49 -------
The underlying issue here is how BASIC authentication works. With BASIC
authentication, the user is required to authenticate with every request and the
browser helpfully caches the user name and password and re-uses them with
subsequent requests.

The spec requires that authentication only takes place if a resource is
protected. Therefore, for an unprotected resource no BASIC authentication takes
place even if the browser sends the credentials. In turn, this means that
getUserPrincipal() will return null since the user has not been authenticated.

One work-around is to use FORM authentication. In this scheme, the user is
authenticated once and the Principal added to the session. This authenticated
Principal remains available whilst the session is valid regardless of whether an
individual request requires authentication.

I have considered modifying the BASIC authentication implementation so a user is
always authenticated if they present credentials but:
- this would violate the spec
- the behaviour if the authentication fails is undefined (because the spec
obviously doesn't define behaviour that violates the spec)

Therefore I am going to resolve this as INVALID since any other behaviour is a
spec violation.

As a final comment I do not like that this means that application behaviour
varies with the authentication scheme specified in web.xml but this is a direct
side-effect of the differences in per-request and per-session authentication.

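The per-request versus per-session distinction the comment describes, as an added model that is not part of the bug comment and is not Tomcat's code. It applies the servlet-spec rule the comment relies on (credentials are examined only when the requested resource is constrained) for BASIC, and a session-bound Principal for FORM; the user store, URL patterns, and session contents are constructed for the example, and `handle_basic` / `handle_form` / `demo_basic` / `demo_form` are names chosen here, not container APIs.

```python
"""Why getUserPrincipal() is null on an unprotected resource under BASIC auth.

Constructed model (not Tomcat code): a tiny container that authenticates a
BASIC request only when the target path is constrained, and a FORM variant
that stores the Principal in the session once and reuses it for every request.
"""
import base64
from dataclasses import dataclass, field
from typing import Optional

# Constructed user database: username -> password
USERS = {"alice": "s3cret"}
# Constructed security-constraint: URL prefixes that require an authenticated user
PROTECTED_PREFIXES = ("/secure",)


@dataclass
class Request:
    path: str
    headers: dict = field(default_factory=dict)
    session: dict = field(default_factory=dict)  # server-side session for this client
    form: dict = field(default_factory=dict)     # POSTed form fields, if any


@dataclass
class Response:
    status: int
    user_principal: Optional[str]  # what request.getUserPrincipal() would report


def is_protected(path):
    return path.startswith(PROTECTED_PREFIXES)


def check_basic_header(headers):
    """Decode 'Authorization: Basic base64(user:pass)' and verify it against USERS.
    Returns the username on success, None on a missing, malformed or wrong header."""
    value = headers.get("Authorization", "")
    if not value.startswith("Basic "):
        return None
    try:
        decoded = base64.b64decode(value[len("Basic "):], validate=True).decode("utf-8")
    except (ValueError, UnicodeDecodeError):  # binascii.Error is a ValueError
        return None
    user, sep, password = decoded.partition(":")
    if sep and USERS.get(user) == password:
        return user
    return None


def handle_basic(req):
    """BASIC is per-request: the header is only looked at for a constrained path.
    On an unprotected path the browser's cached credentials are ignored entirely,
    so no Principal exists for that request."""
    if not is_protected(req.path):
        return Response(200, None)
    user = check_basic_header(req.headers)
    if user is None:
        return Response(401, None)  # a WWW-Authenticate challenge accompanies this
    return Response(200, user)


def handle_form(req):
    """FORM is per-session: the Principal is established once at j_security_check,
    stored in the session, and visible on every later request in that session,
    constrained or not."""
    if req.path == "/j_security_check":
        user = req.form.get("j_username")
        if USERS.get(user) == req.form.get("j_password"):
            req.session["principal"] = user
            return Response(302, user)  # redirect back to the originally requested page
        return Response(403, None)
    principal = req.session.get("principal")
    if is_protected(req.path) and principal is None:
        return Response(302, None)  # redirect to the login page
    return Response(200, principal)


def basic_header(user, password):
    """Build the header a browser sends once it has cached BASIC credentials."""
    token = base64.b64encode(f"{user}:{password}".encode("utf-8")).decode("ascii")
    return {"Authorization": "Basic " + token}


def demo_basic():
    """Same cached credentials sent to an unprotected and to a protected path."""
    good, bad = basic_header("alice", "s3cret"), basic_header("alice", "wrong")
    return {
        "public": handle_basic(Request("/public/index.jsp", good)),
        "secure": handle_basic(Request("/secure/index.jsp", good)),
        "bad_public": handle_basic(Request("/public/index.jsp", bad)),
        "bad_secure": handle_basic(Request("/secure/index.jsp", bad)),
    }


def demo_form():
    """Log in once, then hit both paths within the same session."""
    session = {}
    login = handle_form(Request("/j_security_check", session=session,
                                form={"j_username": "alice", "j_password": "s3cret"}))
    return {
        "login": login,
        "public": handle_form(Request("/public/index.jsp", session=session)),
        "secure": handle_form(Request("/secure/index.jsp", session=session)),
    }
```

Running `demo_basic()` shows the behaviour the comment describes: the same valid header yields a null Principal on `/public/index.jsp` and `alice` on `/secure/index.jsp`. The `bad_public` case also shows why the rejected work-around is awkward: on an unprotected path the wrong password is never examined and the request succeeds, so a container that authenticated "whenever credentials are present" would have to either fail a request the spec says is open or silently swallow the failure. `demo_form()` shows the session-bound alternative, where the Principal is present on both paths after one login.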