Re: Re: unauthenticated 304s - final try

2005-03-28 Thread midnightjava
the server (i.e. servlet) spec that's being violated here, IMO, not HTTP. -Mark

Re: unauthenticated 304s - final try

2005-03-28 Thread alexander dosher
Mark Leone sez: It's still worth investigating IMO. One could argue that returning to an unauthorized client even the info that a resource has not changed since an authenticated request was returned successfully violates the authentication protection. that's pretty much what *i* thought, anyway.

Re: unauthenticated 304s - final try

2005-03-27 Thread Mark Leone
It seems to me that the HTTP spec is under-specified on this. I agree that it's reasonable to assume that "if access is NOT allowed, and the document has not been modified, the server MUST NOT respond with this status code." However, what I just typed in quotes does not appear in the spec. It s

unauthenticated 304s - final try

2005-03-24 Thread alexander dosher
before i post this as a bug & possibly make a complete idiot of myself, please have a look... Tomcat 5.5.7 on Win2k, MSIE6 1. load an authenticated page (JDBCRealm or DataSourceRealm w/SHA, FORM login-config, SingleSignOn valve) 2. wait until authentication timeout OR close browser window & reopen