Leo Donahue - RDSA IT wrote:
-----Original Message-----
From: André Warnier [mailto:a...@ice-sa.com]
Sent: Friday, November 30, 2012 8:20 AM
To: Tomcat Users List
Subject: Re: Context Path for a subdirectory
Leo Donahue - RDSA IT wrote:
If I can tag another question on the end of this thread:
The Remote Address Filter has an option to set the denyStatus from 403 to 404, or whatever. In general, I'm guessing it's better to respond that a restricted resource is not found, rather than respond that it is there but forbidden?
Purely personal opinion: by doing this, you "kind of" violate the spirit of the HTTP specification, and you create some confusion at the technical level.
And, essentially, you are lying to the client.
So, in general, it is not "better".
But hey, it's your server, so you're free to return whatever you believe is most appropriate.
Within limits though. For example, if somewhere you provide a link to that section for some people, but when they click on it, they get a "not found", they may think that your application isn't working, or that your documentation is incorrect. While if they get a "forbidden", they may realise that they need to ask for a permission.
Why is denyStatus an option? Why would someone use it?
Well, ok, let me revise my earlier and purely personal opinion, as per RFC 2616:
10.4.4 403 Forbidden
The server understood the request, but is refusing to fulfill it. Authorization will not
help and the request SHOULD NOT be repeated. If the request method was not HEAD and the
server wishes to make public why the request has not been fulfilled, it SHOULD describe
the reason for the refusal in the entity. If the server does not wish to make this
information available to the client, the status code 404 (Not Found) can be used instead.
10.4.5 404 Not Found
The server has not found anything matching the Request-URI. No indication is given of
whether the condition is temporary or permanent. The 410 (Gone) status code SHOULD be used
if the server knows, through some internally configurable mechanism, that an old resource
is permanently unavailable and has no forwarding address. This status code is commonly
used when the server does not wish to reveal exactly why the request has been refused, or
when no other response is applicable.
So it does say that if you want, you /can/ replace a 403 by a 404.
You are thus forgiven.
And that is probably the reason why the denyStatus option was provided: the Tomcat developers did read the HTTP RFC. Clever guys, eh?
---------------------------------------------------------------------
To unsubscribe, e-mail: users-unsubscr...@tomcat.apache.org
For additional commands, e-mail: users-h...@tomcat.apache.org
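For readers who want to see what the option discussed above looks like in practice, here is an added web.xml fragment (not part of the original thread, and not taken from the Tomcat project's own documentation) that restricts a hypothetical /admin/* area to loopback clients and answers everyone else with a 404 instead of the default 403. The filter name, the /admin/* URL pattern and the allow pattern are assumptions chosen for the illustration; the filter class and the allow / denyStatus init-params are the real ones from Tomcat's org.apache.catalina.filters.RemoteAddrFilter.

```xml
<!-- Added example: deploy in the web application's WEB-INF/web.xml.
     Only clients whose remote address matches "allow" get through;
     everyone else receives the denyStatus code (404 here, 403 by default). -->
<filter>
  <!-- filter-name is an arbitrary label chosen for this example -->
  <filter-name>AdminRemoteAddrFilter</filter-name>
  <filter-class>org.apache.catalina.filters.RemoteAddrFilter</filter-class>
  <init-param>
    <!-- Java regex matched against the full client IP; loopback for IPv4 and IPv6 (assumed policy) -->
    <param-name>allow</param-name>
    <param-value>127\.\d+\.\d+\.\d+|::1|0:0:0:0:0:0:0:1</param-value>
  </init-param>
  <init-param>
    <!-- the option discussed in the thread: 404 hides that the resource exists -->
    <param-name>denyStatus</param-name>
    <param-value>404</param-value>
  </init-param>
</filter>
<filter-mapping>
  <filter-name>AdminRemoteAddrFilter</filter-name>
  <!-- hypothetical restricted area -->
  <url-pattern>/admin/*</url-pattern>
</filter-mapping>
```

Two practical notes. First, the filter form above only protects the URL patterns it is mapped to inside one web application; the equivalent org.apache.catalina.valves.RemoteAddrValve can be placed in server.xml at Host or Engine level with the same allow and denyStatus attributes when the restriction should cover every context. Second, a 404 only hides existence if the denied response is otherwise indistinguishable from a real "not found": if the application's own 404 page, response headers or redirect behaviour differ from the filter's generated 404, a client can still tell the two apart, so it is worth comparing both responses (for example with curl -i) after deploying the configuration.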