https://issues.apache.org/bugzilla/show_bug.cgi?id=56555
--- Comment #5 from Mark Thomas <ma...@apache.org> ---

Having re-read RFC2616 the use of a 400 response code in this case looks wrong. 400 is meant to be used to indicate a syntax error in the request, which is why Tomcat closes the connection. Tomcat cannot be sure that it has correctly identified the end of the faulty request and continuing to process the connection could lead to security problems. The correct response code for invalid credentials should be 401. I do not recall anyone raising this as an issue previously.

Tomcat has no way of telling which component set the 400 response status and therefore no way of distinguishing between a correct use of a 400 where there has been a syntax error and the connection needs to be closed, and any other use of a 400 where it is safe to leave the connection open. The presence (or not) of the connection header may provide a hint, but it is not a reliable indicator.

You are not going to like it, but the only safe option for Tomcat with a 400 response is to close the connection (and yes, we need to up the connection header handling when this happens).
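As an added illustration (not Tomcat's code, and not part of the bug thread), a hypothetical, minimal HTTP/1.1 server loop that applies the policy described above: a syntax error yields 400 and closes the connection, discarding any pipelined bytes whose boundary cannot be trusted, while bad credentials yield a 401 challenge on a connection that stays open. It assumes requests without bodies and a constructed credential store.

```python
import base64

VALID = {"alice": "s3cret"}  # constructed credential store for the example


def parse_request(buf):
    """Return (request_line, headers, remaining_bytes); raise ValueError on a syntax error."""
    head, sep, rest = buf.partition(b"\r\n\r\n")
    if not sep:
        raise ValueError("incomplete or malformed request")
    lines = head.split(b"\r\n")
    parts = lines[0].split(b" ")
    if len(parts) != 3 or not parts[2].startswith(b"HTTP/1."):
        raise ValueError("bad request line")
    headers = {}
    for line in lines[1:]:
        name, sep2, value = line.partition(b":")
        if not sep2:
            raise ValueError("bad header line")
        headers[name.strip().lower()] = value.strip()
    return lines[0], headers, rest


def credentials_ok(headers):
    """Check an HTTP Basic Authorization header against the constructed store."""
    auth = headers.get(b"authorization", b"")
    if not auth.startswith(b"Basic "):
        return False
    try:
        user, _, pw = base64.b64decode(auth[6:]).decode().partition(":")
    except Exception:
        return False
    return VALID.get(user) == pw


def serve(buf):
    """Process a stream of pipelined requests; return [(status, connection_action), ...]."""
    results = []
    while buf:
        try:
            _, headers, buf = parse_request(buf)
        except ValueError:
            # Syntax error: the end of the faulty request is unknown, so the
            # 400 must close the connection and drop whatever bytes follow.
            results.append((400, "close"))
            break
        if not credentials_ok(headers):
            # Well-formed request, wrong credentials: 401 challenge, keep-alive.
            results.append((401, "keep-alive"))
            continue
        results.append((200, "keep-alive"))
    return results


def basic_request(user, pw):
    """Build a constructed GET request carrying Basic credentials."""
    token = base64.b64encode(f"{user}:{pw}".encode())
    return b"GET / HTTP/1.1\r\nHost: example\r\nAuthorization: Basic " + token + b"\r\n\r\n"
```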