On 04/12/17 19:50, Mark Thomas wrote:
> On 04/12/17 18:03, Rémy Maucherat wrote:

<snip/>

>> Another "feature" that looks almost impossible to implement I guess.
> 
> Hmm. I only read the first part of the Javadoc. I'm not really sure what
> the second part is getting at with "... a container generated token...".
> I'll have a look back at the archive to see if there was any EG
> discussion on this point.

That second part was part of the original proposal and there was never
any discussion about what it actually meant.

Thinking about it, I think we could do the following and be spec compliant:

- Set a header e.g. "Authorization: x-push"
- Copy the authenticated Principal from the base request to the
  pushTarget

That meets the requirements:
- "an Authorization header will be set with a container generated token"
- "result in equivalent Authorization for the pushed request"

The spec does imply that it is the token that results in authorization
but it doesn't actually mandate it. I think there is enough flexibility
in the wording that the above would be OK.

Thoughts?

Mark
