DO NOT REPLY TO THIS EMAIL, BUT PLEASE POST YOUR BUG
RELATED COMMENTS THROUGH THE WEB INTERFACE AVAILABLE AT
<http://issues.apache.org/bugzilla/show_bug.cgi?id=12428>.
ANY REPLY MADE TO THIS MESSAGE WILL NOT BE COLLECTED AND
INSERTED IN THE BUG DATABASE.

http://issues.apache.org/bugzilla/show_bug.cgi?id=12428

------- Additional Comments From [EMAIL PROTECTED]  2007-06-02 01:08 -------
When the authentication fails the server can return a 401, because the
spontaneously provided Authorization header is wrong (RFC 2617 section 1.2).
Since the server didn't require authentication for the method, the User Agent
would have volunteered it, perhaps trying to get in and call other methods for
which authentication is required. After having received the 401, the User Agent
can continue interacting with the server unauthenticated. In this scenario the
server should always check a provided Authorization header, even if the method
doesn't require authentication.

Evaluating whether the current behaviour is compliant with the spec or not
depends. The starting point is the specification of the
HttpServletRequest.getUserPrincipal method. Looking at that alone makes the
behaviour non-compliant. Including SRV.12.9 makes it more difficult. Does
SRV.12.9 apply in this case? I don't think so, because it says nothing about
spontaneous authentication, which is allowed.
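As an added illustration of the behaviour the comment argues for (this is not code from Tomcat or from the bug report), a hypothetical servlet Filter that checks a volunteered Basic Authorization header on every request, including ones the deployment descriptor leaves unprotected, and answers 401 when the credentials are wrong instead of silently treating the request as anonymous. The class name, realm name and the "demo:s3cret" credential are constructed for the example.

```java
import java.io.IOException;
import java.nio.charset.StandardCharsets;
import java.security.MessageDigest;
import java.util.Base64;
import javax.servlet.*;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;

// Hypothetical filter: validates a spontaneously provided Basic Authorization header
// on every request, even for resources that require no authentication.
public class SpontaneousAuthFilter implements Filter {
    // Constructed demo credential; a real deployment would consult the container realm.
    private static final byte[] EXPECTED = "demo:s3cret".getBytes(StandardCharsets.UTF_8);

    @Override public void init(FilterConfig cfg) {}
    @Override public void destroy() {}

    @Override
    public void doFilter(ServletRequest req, ServletResponse res, FilterChain chain)
            throws IOException, ServletException {
        HttpServletRequest request = (HttpServletRequest) req;
        HttpServletResponse response = (HttpServletResponse) res;
        String header = request.getHeader("Authorization");

        // No credentials volunteered: an unprotected resource may be served anonymously.
        if (header == null) {
            chain.doFilter(req, res);
            return;
        }
        // Credentials were volunteered, so they are checked (RFC 2617 section 1.2):
        // a wrong Authorization header yields 401 rather than an anonymous request.
        if (!isValidBasic(header)) {
            response.setHeader("WWW-Authenticate", "Basic realm=\"demo\"");
            response.sendError(HttpServletResponse.SC_UNAUTHORIZED);
            return;
        }
        chain.doFilter(req, res);
    }

    static boolean isValidBasic(String header) {
        if (!header.regionMatches(true, 0, "Basic ", 0, 6)) return false;
        byte[] decoded;
        try {
            decoded = Base64.getDecoder().decode(header.substring(6).trim());
        } catch (IllegalArgumentException e) {
            return false;                 // malformed base64 counts as failed authentication
        }
        return MessageDigest.isEqual(decoded, EXPECTED);  // constant-time comparison
    }
}
```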
