On Mon, Dec 4, 2017 at 9:22 PM, Mark Thomas <ma...@apache.org> wrote:

> On 04/12/17 19:50, Mark Thomas wrote:
> > On 04/12/17 18:03, Rémy Maucherat wrote:
> <snip/>
> >> Another "feature" that looks almost impossible to implement I guess.
> >
> > Hmm. I only read the first part of the Javadoc. I'm not really sure what
> > the second part is getting at with "... a container generated token...".
> > I'll have a look back at the archive to see if there was any EG
> > discussion on this point.
> That second part was part of the original proposal and there was never
> any discussion about what it actually meant.
> Thinking about it, I think we could do the following and be spec compliant:
> - Set a header e.g. "Authorization: x-push"
> - Copy the authenticated Principal from the base request to the
>   pushTarget
> That meets the requirements:
> - "an Authorization header will be set with a container generated token"
> - "result in equivalent Authorization for the pushed request"
> The spec does imply that it is the token that results in authorization
> but it doesn't actually mandate it. I think there is enough flexibility
> in the wording that the above would be OK.
> Thoguhts?
> Indeed, it doesn't say that it has to be an autorization header that would
normally work, only a token.


Reply via email to