Bill Barker wrote:
I'm hardly a 4.x expert, but this looks like it will solve the major
problem.
This fix will still send an Auth to /myapp if you first request
/myapp/protected, but that shouldn't be too much of a problem.
In 5.0, I think that the spec is going to eventually require
Tomcat 4.x has a problem -- it challenges for auth
prior to any redirects. This is wrong because it causes
most browsers to cache auth info for the entire domain
when hitting top-level directories.
For example:
WRONG way:
GET /foo - 401
GET /foo with auth
| To: [EMAIL PROTECTED]
| Subject: Tomcat 4.x auth issue
|
|
| Tomcat 4.x has a problem -- it challenges for auth
| prior to any redirects. This is wrong because it causes
| most browsers to cache auth info for the entire domain
| when hitting top-level directories.
--
To unsubscribe, e-mail: mailto
to the Mapper however.
- Original Message -
From: Keith Wannamaker [EMAIL PROTECTED]
To: Tomcat Developers List [EMAIL PROTECTED]
Sent: Wednesday, July 03, 2002 8:55 PM
Subject: RE: Tomcat 4.x auth issue
The bugfix turned out to be a one-liner:
Index: SecurityConstraint.java