https://issues.apache.org/bugzilla/show_bug.cgi?id=56555
--- Comment #7 from Christopher Schultz <ch...@christopherschultz.net> ---

(In reply to Mark Thomas from comment #5)

> The correct response code for invalid credentials should be 401.

Use of 401 is only appropriate when using WWW-Authenticate, as RFC2616 says 401 RFC-MUST include a WWW-Authenticate header. I don't think this happens with OAuth. If it's just a lack of (other) credentials, I think 403 is more appropriate.

> Tomcat has no way of telling which component set the 400 response status and
> therefore no way of distinguishing between a correct use of a 400 where
> there has been a syntax error and the connection needs to be closed and any
> other use of a 400 where it is safe to leave the connection open. The
> presence (or not) of the connection header may provide a hint but it is not
> a reliable indicator.
>
> You are not going to like it but the only safe option for Tomcat with a 400
> response is to close the connection (and yes we need to up the connection
> header handling when this happens).

What about using some kind of Tomcat-specific request attribute that says "Don't close this connection; I know what I'm doing"?
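As an added example (not code from the bug report and not Tomcat's own code), the servlet filter below applies the status-code rule argued for in the comment: a 401 is sent only together with a WWW-Authenticate challenge, a caller who presented credentials but is not permitted gets a 403 with no challenge, and 400 is never used for an authentication failure, since the thread notes Tomcat has to treat a 400 as a reason to close the connection. The class name, realm string, the single constructed user and the credential check are assumptions made for the example.

```java
import java.io.IOException;
import java.nio.charset.StandardCharsets;
import java.util.Base64;
import java.util.Map;
import javax.servlet.Filter;
import javax.servlet.FilterChain;
import javax.servlet.ServletException;
import javax.servlet.ServletRequest;
import javax.servlet.ServletResponse;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;

/**
 * Example filter (hypothetical, not part of Tomcat): chooses between 401 and 403
 * the way the bug comment describes, and never answers an auth failure with 400.
 */
public class ChallengeFilter implements Filter {

    // Constructed realm name for the example.
    private static final String REALM = "example";

    // Constructed user store: "user" -> "password". A real deployment would
    // consult the container Realm instead of an in-memory map.
    private static final Map<String, String> USERS = Map.of("alice", "s3cret");

    // Constructed permission: only this user may reach the protected resource.
    private static final String PERMITTED_USER = "alice";

    @Override
    public void doFilter(ServletRequest req, ServletResponse res, FilterChain chain)
            throws IOException, ServletException {
        HttpServletRequest request = (HttpServletRequest) req;
        HttpServletResponse response = (HttpServletResponse) res;

        String user = authenticatedUser(request.getHeader("Authorization"));

        if (user == null) {
            // Missing or invalid credentials. Because this application does use a
            // challenge scheme (Basic), a 401 is appropriate here, and per RFC 2616
            // the 401 MUST carry a WWW-Authenticate header, so set it first.
            response.setHeader("WWW-Authenticate", "Basic realm=\"" + REALM + "\"");
            response.sendError(HttpServletResponse.SC_UNAUTHORIZED);
            return;
        }

        if (!PERMITTED_USER.equals(user)) {
            // Authenticated but not allowed: no challenge would help, so 403
            // (not 401, and not 400, which would make Tomcat close the connection).
            response.sendError(HttpServletResponse.SC_FORBIDDEN);
            return;
        }

        chain.doFilter(req, res);
    }

    /**
     * Parses a Basic Authorization header against the constructed user store.
     * Returns the user name on success, or null when the header is absent,
     * malformed, or the password does not match.
     */
    static String authenticatedUser(String authorization) {
        if (authorization == null || !authorization.regionMatches(true, 0, "Basic ", 0, 6)) {
            return null;
        }
        String decoded;
        try {
            byte[] raw = Base64.getDecoder().decode(authorization.substring(6).trim());
            decoded = new String(raw, StandardCharsets.UTF_8);
        } catch (IllegalArgumentException e) {
            // Malformed base64 is treated as "no valid credentials", not as a 400.
            return null;
        }
        int colon = decoded.indexOf(':');
        if (colon < 0) {
            return null;
        }
        String name = decoded.substring(0, colon);
        String password = decoded.substring(colon + 1);
        String expected = USERS.get(name);
        return (expected != null && expected.equals(password)) ? name : null;
    }
}
```

Registering the filter on the protected URL pattern is done in web.xml or with @WebFilter as usual; the point of the example is only which status each branch emits and that the 401 branch always writes its challenge header before calling sendError.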