Jess,
On 9/1/2011 7:06 PM, Jess Holle wrote:
> So form-based authentication is an obnoxious mutt -- but a mutt
> that everyone seems to have fallen in love with.
>
> This isn't Tomcat's fault, however, and Tomcat is doing the normal
> thing by returning a 200 here.

The servlet spec (section 13.6.3 "Form Based Authentication") has the whole process laid out, except that they don't say what the HTTP response code should be when a request for a protected resource arrives and the login form should be "sent to the client". Later, it says:

"If authentication fails, the error page is returned using either a forward or a redirect, and the status code of the response is set to 200."

Ignoring the fact that you can't do a redirect using a 200 response, it's clear that there is no "unauthenticated" or "forbidden" response code to be used, here. Presumably, the decision to use response code 200 was drawn from this section as well as practical considerations (being able to prohibit the login form from being directly accessible to remote clients, for instance) and past user input (I think Tomcat used to issue a redirect, but now does an internal forward and responds with 200).

-chris
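The practical problem Chris describes is that a monitoring script or HTTP client cannot tell "200, here is the resource" from "200, here is the login form" by status code alone. As an added example (not from this thread or from Tomcat), the following Python check inspects the body for the servlet spec's form-login markers (a form posting to `j_security_check` with `j_username`/`j_password` fields) and labels such a response as a login challenge; the sample HTML is constructed for the demonstration.

```python
from html.parser import HTMLParser

# Constructed sample: the kind of HTTP 200 body a container sends for an
# unauthenticated request to a FORM-protected resource. Field and action
# names follow the servlet spec's form-based login convention.
SAMPLE_LOGIN_PAGE = """<html><body>
<form method="POST" action="j_security_check">
  <input type="text" name="j_username">
  <input type="password" name="j_password">
  <input type="submit" value="Log in">
</form></body></html>"""


class _FormLoginDetector(HTMLParser):
    """Collects <form action> values and <input name> values from a body."""

    def __init__(self):
        super().__init__()
        self.actions = []
        self.inputs = set()

    def handle_starttag(self, tag, attrs):
        a = dict(attrs)  # attribute values may be None for bare attributes
        if tag == "form":
            self.actions.append((a.get("action") or "").strip())
        elif tag == "input":
            self.inputs.add((a.get("name") or "").strip())


def classify_response(status, body):
    """Label a response so a health check does not mistake the container's
    login form (delivered with status 200) for the protected resource."""
    if status == 200:
        det = _FormLoginDetector()
        det.feed(body)
        posts_to_check = any(act.endswith("j_security_check") for act in det.actions)
        if posts_to_check and {"j_username", "j_password"} <= det.inputs:
            return "form-login-challenge"
        return "ok"
    if status in (401, 403):
        return "auth-failure"
    if status in (301, 302, 303, 307):
        return "redirect"
    return f"other-{status}"
```

A check that treats "form-login-challenge" as a failed access, rather than as success, avoids the false positives a bare status-code comparison produces with form-based authentication.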