On 04/12/17 19:50, Mark Thomas wrote: > On 04/12/17 18:03, Rémy Maucherat wrote:
<snip/> >> Another "feature" that looks almost impossible to implement I guess. > > Hmm. I only read the first part of the Javadoc. I'm not really sure what > the second part is getting at with "... a container generated token...". > I'll have a look back at the archive to see if there was any EG > discussion on this point. That second part was part of the original proposal and there was never any discussion about what it actually meant. Thinking about it, I think we could do the following and be spec compliant: - Set a header e.g. "Authorization: x-push" - Copy the authenticated Principal from the base request to the pushTarget That meets the requirements: - "an Authorization header will be set with a container generated token" - "result in equivalent Authorization for the pushed request" The spec does imply that it is the token that results in authorization but it doesn't actually mandate it. I think there is enough flexibility in the wording that the above would be OK. Thoguhts? Mark --------------------------------------------------------------------- To unsubscribe, e-mail: dev-unsubscr...@tomcat.apache.org For additional commands, e-mail: dev-h...@tomcat.apache.org