On Mon, Mar 01, 2004 at 12:02:49PM +0900, Kazuhito SUGURI wrote:
> Hi Max,
> 
> In article <[EMAIL PROTECTED]>,
> Fri, 27 Feb 2004 11:33:33 +0200,
> Max Kutny <[EMAIL PROTECTED]> wrote: 
> mkut> Kazuhito, could you make the default expectedPreAuthResponse to be
> mkut> HTTP_OK instead of HTTP_MOVED_TEMP?
> 
> In article <[EMAIL PROTECTED]>,
> Fri, 27 Feb 2004 13:07:37 +0100,
> Christopher Lenz <[EMAIL PROTECTED]> wrote: 
> cmlenz> Possibly stupid question: why don't we just check for any status code < 
> cmlenz> 400?
> 
> I would like to implement the logic, as Chris suggested,
> for the pre-auth response status check.

Thanks a lot for accepting that. Actually, the spec says that in the
pre-auth stage "the login form ... is sent to the client". But the Tomcat
developers decided to treat it as "the client is redirected to the login
form". I'd disagree with such treatment, although it's arguable. So we
could check against either 200 or 302 in the pre-auth case.


> What do you think about expectedAuthResponse?
> I'm not sure how Resin works.

For the post-auth response it's not so trivial. There are two cases: successful
authentication and failed authentication.

Success.
 For this case the spec clearly states that the "client is redirected
 to the resource". So successful authentication & authorization should be
 checked against the 302 code.

Failure.
 For the failed authentication the 2.4 spec says:
 "If the authentication fails, the error page is returned using either a
 forward or a redirect, and the status code of the response is set to 200".

 We have two options here:

 1) the container implements an internal forward, so the response on failure is
    200 and it can easily be distinguished from successful authentication
    (in which case the response is 302)

 2) the container implements a redirect, as in the successful authentication case.
    In this case the only chance to check for failure is to analyse the
    resulting page. This complicates things a lot and I think it is not even
    worth implementing.

 What's interesting is that the 2.3 spec says that in case of failure the
 response should be set to 403. Why they chose to change it is beyond
 me.

To sum up what was said above, successful authentication can be checked
against 302 (as it's done right now). And Resin 2.x implements exactly
this behavior. So there is no need to change anything.

Thanks.

-- Max
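The status-code rules discussed in this message (pre-auth: either 200 or 302, i.e. anything below 400; post-auth: 302 on success, 200 on a forwarded failure, 403 under the 2.3 spec) as a small, self-contained checker. This is an added example, not code from the thread or from Cactus, Tomcat or Resin; the response heads are constructed for illustration and the function names are my own.

```python
"""Status checks for servlet form-based login, as discussed in the thread.

Rules taken from the message:
  pre-auth  : the container either sends the login form (200) or redirects
              to it (302, Tomcat's reading); accept any status below 400.
  post-auth : success -> client is redirected to the resource (302).
              failure -> error page via forward (200), or 403 per the 2.3 spec.
              A failure delivered by redirect (case 2 in the message) is a
              302 too and cannot be told apart from success by status alone.
"""
from dataclasses import dataclass
from typing import Dict, Optional

HTTP_OK = 200
HTTP_MOVED_TEMP = 302
HTTP_FORBIDDEN = 403


@dataclass
class ResponseHead:
    status: int
    headers: Dict[str, str]

    @property
    def location(self) -> Optional[str]:
        return self.headers.get("location")


def parse_status_line(line: str) -> int:
    """'HTTP/1.1 302 Found' -> 302; raises on anything else."""
    parts = line.split()
    if len(parts) < 2 or not parts[0].startswith("HTTP/"):
        raise ValueError(f"not an HTTP status line: {line!r}")
    return int(parts[1])


def parse_response_head(raw: str) -> ResponseHead:
    """Parse a status line plus headers (up to the first blank line)."""
    lines = raw.strip("\r\n").splitlines()
    status = parse_status_line(lines[0])
    headers: Dict[str, str] = {}
    for line in lines[1:]:
        if not line.strip():
            break
        name, _, value = line.partition(":")
        headers[name.strip().lower()] = value.strip()
    return ResponseHead(status, headers)


def pre_auth_ok(status: int) -> bool:
    """Chris's suggestion: accept any non-error status for the pre-auth step."""
    return 100 <= status < 400


def classify_post_auth(resp: ResponseHead) -> str:
    """Map the post-login response to 'success', 'failure' or 'unexpected'.

    302 is reported as success; note that a container which redirects to the
    error page on failure (case 2) also answers 302, so a 302 is only
    conclusive when the container is known to forward on failure.
    """
    if resp.status == HTTP_MOVED_TEMP:
        return "success"
    if resp.status in (HTTP_OK, HTTP_FORBIDDEN):  # 2.4 forward, or 2.3 spec
        return "failure"
    return "unexpected"


# Constructed response heads (not captured from any real container).
PRE_AUTH_REDIRECT = "HTTP/1.1 302 Found\r\nLocation: http://host/app/login.jsp\r\n\r\n"
PRE_AUTH_FORM = "HTTP/1.1 200 OK\r\nContent-Type: text/html\r\n\r\n"
POST_AUTH_SUCCESS = "HTTP/1.1 302 Found\r\nLocation: http://host/app/secure/page\r\n\r\n"
POST_AUTH_FAILED_FORWARD = "HTTP/1.1 200 OK\r\nContent-Type: text/html\r\n\r\n"
POST_AUTH_FAILED_23 = "HTTP/1.1 403 Forbidden\r\n\r\n"


if __name__ == "__main__":
    for raw in (PRE_AUTH_REDIRECT, PRE_AUTH_FORM):
        print("pre-auth ", parse_response_head(raw).status, pre_auth_ok(parse_response_head(raw).status))
    for raw in (POST_AUTH_SUCCESS, POST_AUTH_FAILED_FORWARD, POST_AUTH_FAILED_23):
        print("post-auth", parse_response_head(raw).status, classify_post_auth(parse_response_head(raw)))
```

The pre-auth check deliberately does not care whether the form was sent or redirected to, which sidesteps the Tomcat-versus-spec reading; the post-auth check is only as strong as the container's failure behaviour, as the message notes.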