http://nagoya.apache.org/bugzilla/show_bug.cgi?id=23192

getRemoteUser() returns null with Authorization header

[EMAIL PROTECTED] changed:

           What    |Removed                     |Added
----------------------------------------------------------------------------
             Status|NEW                         |RESOLVED
         Resolution|                            |INVALID

------- Additional Comments From [EMAIL PROTECTED]  2003-09-17 18:42 -------
I have had a look at the spec at

I think what you are trying to do runs contrary to the concept of programmatic security as described in the spec. The relevant part of the spec is:

"SRV.12.3 Programmatic Security
Programmatic security is used by security aware applications when declarative security alone is not sufficient to express the security model of the application. Programmatic security consists of the following methods of the HttpServletRequest interface:
• getRemoteUser
• isUserInRole
• getUserPrincipal"

My understanding of this is that using setStatus() to force the sending of an authentication header is not considered a valid part of programmatic security. I am therefore marking this bug as INVALID.

However, if you have a security model you can't implement using an appropriate combination of declarative and programmatic security, please reopen this bug, provide a description of your security model and I will be happy to take another look at this.
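
The combination of declarative and programmatic security that the comment refers to, as an added example that is not part of the original message or of Tomcat's code: a web.xml constraint makes the container perform the authentication, and the servlet then uses the three SRV.12.3 methods. The class name, role names, realm name and URL pattern are assumptions.

```java
// Added example. Class name, roles, realm and URL pattern are assumptions.
//
// WEB-INF/web.xml (declarative part: the container issues the BASIC
// challenge and validates the credentials against its configured realm):
//   <security-constraint>
//     <web-resource-collection>
//       <web-resource-name>reports</web-resource-name>
//       <url-pattern>/reports/*</url-pattern>
//     </web-resource-collection>
//     <auth-constraint><role-name>user</role-name></auth-constraint>
//   </security-constraint>
//   <login-config>
//     <auth-method>BASIC</auth-method>
//     <realm-name>Example Realm</realm-name>
//   </login-config>
//   <security-role><role-name>user</role-name></security-role>
//   <security-role><role-name>manager</role-name></security-role>

import java.io.IOException;
import java.io.PrintWriter;
import java.security.Principal;
import javax.servlet.http.HttpServlet;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;

public class ReportServlet extends HttpServlet {
    protected void doGet(HttpServletRequest req, HttpServletResponse resp)
            throws IOException {
        // getRemoteUser() is null when the container has not authenticated
        // the request, whatever headers the client sent.
        String user = req.getRemoteUser();
        if (user == null) {
            // Fail closed instead of hand-writing a 401 challenge with
            // setStatus(); the challenge belongs to the container.
            resp.sendError(HttpServletResponse.SC_FORBIDDEN);
            return;
        }
        Principal principal = req.getUserPrincipal();
        resp.setContentType("text/plain");
        PrintWriter out = resp.getWriter();
        out.println("user=" + user + " principal=" + principal.getName());
        // Programmatic check for a decision finer than the URL constraint.
        if (req.isUserInRole("manager")) {
            out.println("manager view enabled");
        } else {
            out.println("standard view");
        }
    }
}
```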