https://issues.apache.org/bugzilla/show_bug.cgi?id=12428
--- Comment #31 from Werner Donn <werner.do...@re.be> 2011-04-02 04:00:55 EDT --- @Mark The relevant specs are crystal clear. If you think there is any room for interpretation then you should provide proof of how your interpretation can be constructed. At present we still don't know what that is. You wonder what a "non-protected" servlet should do when the provided credentials are wrong. That is simple, it should do nothing, because the container will have returned a 401, which it should always do when the credentials are wrong. That is because there is no response code for reporting wrong credentials. Where can there be interference? All involved parties, container and servlet, should comply with the specifications. When the container imposes a security constraint because it was declared in the application, the servlet won't see anything about it. @Chris You don't seem to understand the difference between declarative and programmatic protection. An alternative URL doesn't provide prgrammatic protection. Study the WebDAV ACL specification and you will see it is impossible to implement it without this bug being fixed. -- Configure bugmail: https://issues.apache.org/bugzilla/userprefs.cgi?tab=email ------- You are receiving this mail because: ------- You are the assignee for the bug. --------------------------------------------------------------------- To unsubscribe, e-mail: dev-unsubscr...@tomcat.apache.org For additional commands, e-mail: dev-h...@tomcat.apache.org