Currently if you invoke PUT or DELETE on the DefaultServlet with readOnly set to true it will return a 403. This implies that the client can reauthorize the request and try again. But there is nothing the user can do to actually invoke either of these two methods.
The proposed change is to return a 405 rather than the 403 since neither of these methods is allowed when the readOnly flag is set to true. markt-asf has a nice writeup in the following PR with more details https://github.com/apache/tomcat/pull/96 What I am looking for here is if there is consensus amongst the rest of the development team for this change.
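The status-code difference discussed in this message, modelled as an added example: Python's standard-library HTTP server stands in for a read-only resource handler. This is not Tomcat's DefaultServlet code, and `make_handler`, `probe` and the `legacy_403` switch are names invented here. A 405 response carries an `Allow` header listing the methods the resource supports, which tells the client that re-sending the request with credentials will not change the outcome.

```python
import http.client
import threading
from http.server import BaseHTTPRequestHandler, HTTPServer

READ_METHODS = ["GET", "HEAD"]  # methods this model still serves when read-only

def make_handler(read_only, legacy_403=False):
    """Build a handler class modelling a static-resource servlet (hypothetical)."""
    class Handler(BaseHTTPRequestHandler):
        def _reply(self, status, allow=None):
            self.send_response(status)
            if allow:
                self.send_header("Allow", ", ".join(allow))
            if status != 204:  # a 204 response carries no Content-Length
                self.send_header("Content-Length", "0")
            self.end_headers()

        def do_GET(self):
            self._reply(200)
        do_HEAD = do_GET

        def _write(self):
            if not read_only:
                self._reply(204)                      # write accepted
            elif legacy_403:
                self._reply(403)                      # behaviour described as current
            else:
                self._reply(405, allow=READ_METHODS)  # behaviour proposed in the mail
        do_PUT = do_DELETE = _write

        def log_message(self, *args):  # keep the demo quiet
            pass
    return Handler

def probe(method, read_only=True, legacy_403=False):
    """Send one request to a throwaway loopback server; return (status, Allow)."""
    server = HTTPServer(("127.0.0.1", 0), make_handler(read_only, legacy_403))
    threading.Thread(target=server.serve_forever, daemon=True).start()
    try:
        conn = http.client.HTTPConnection("127.0.0.1", server.server_port, timeout=5)
        conn.request(method, "/index.html")
        resp = conn.getresponse()
        resp.read()
        conn.close()
        return resp.status, resp.getheader("Allow")
    finally:
        server.shutdown()
        server.server_close()
```

Calling `probe("PUT")` against the read-only model returns the 405 together with its `Allow` value, while `probe("PUT", legacy_403=True)` returns a bare 403 with no hint about which methods would succeed.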