http://issues.apache.org/bugzilla/show_bug.cgi?id=22617

------- Additional Comments From [EMAIL PROTECTED] 2005-04-27 23:59 -------

I have done some testing with the latest code from CVS but the behaviour should be the same with 4.1.24.

The key is how your realm authenticates when username=null and when username="".

username=null when there are no authentication headers
username="" when there are headers but the user just hit enter on the BASIC auth dialog

I have tested this with the memory realm with entries in tomcat-users.xml of the form:

    <user username="" password="" roles="bug22617"/>
    <user username="tomcat" password="tomcat" roles="tomcat"/>

and web.xml entries that look like:

    <security-constraint>
      <display-name>Bug 22617</display-name>
      <web-resource-collection>
        <web-resource-name>Bug 22617</web-resource-name>
        <url-pattern>/bug22617/*</url-pattern>
      </web-resource-collection>
      <auth-constraint>
        <role-name>bug22617</role-name>
        <role-name>tomcat</role-name>
      </auth-constraint>
    </security-constraint>
    <login-config>
      <auth-method>BASIC</auth-method>
    </login-config>

With this configuration I always get prompted for a user name and password and just pressing enter or using tomcat/tomcat allows me to see the page.

Based on this, I am pretty sure you need to change your Realm implementation so that username=null always fails authentication. Given that Realm is an internal Tomcat interface, I don't see this as being an unreasonable requirement to be placed on custom Realm implementations.

I agree that the behaviour is inconsistent if the Realm treats username=null and username="" as equivalent. However, I believe such behaviour in a realm is not correct.

I'll leave this open for now until you respond, but I am minded to close this as invalid.
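The null-versus-empty distinction described in the comment above, as an added example that is not part of the original message and is not Tomcat's Realm code. The class, its method names and the in-memory user table are hypothetical, and mapping a malformed header to "no credentials" is an assumption.

```java
import java.nio.charset.StandardCharsets;
import java.security.MessageDigest;
import java.util.Base64;
import java.util.HashMap;
import java.util.Map;

// Hypothetical stand-alone sketch; it does not implement org.apache.catalina.Realm.
public class NullVersusEmptyUser {
    // Constructed sample users mirroring the tomcat-users.xml entries in the comment.
    private static final Map<String, String> USERS = new HashMap<>();
    static {
        USERS.put("", "");
        USERS.put("tomcat", "tomcat");
    }

    // Returns {username, password}, or null when no usable BASIC credentials were sent.
    static String[] parseBasic(String header) {
        if (header == null || !header.regionMatches(true, 0, "Basic ", 0, 6)) return null;
        String decoded;
        try {
            byte[] raw = Base64.getDecoder().decode(header.substring(6).trim());
            decoded = new String(raw, StandardCharsets.UTF_8);
        } catch (IllegalArgumentException e) {
            return null; // assumption: malformed base64 is treated like a missing header
        }
        int colon = decoded.indexOf(':');
        if (colon < 0) return null;
        return new String[] { decoded.substring(0, colon), decoded.substring(colon + 1) };
    }

    // username == null always fails; "" is looked up like any other user name.
    static boolean authenticate(String username, String password) {
        if (username == null || password == null) return false;
        String expected = USERS.get(username);
        if (expected == null) return false;
        // Constant-time comparison of the stored and supplied passwords.
        return MessageDigest.isEqual(expected.getBytes(StandardCharsets.UTF_8),
                                     password.getBytes(StandardCharsets.UTF_8));
    }

    static boolean check(String header) {
        String[] creds = parseBasic(header);
        return creds == null ? authenticate(null, null) : authenticate(creds[0], creds[1]);
    }

    public static void main(String[] args) {
        Base64.Encoder enc = Base64.getEncoder();
        String empty = "Basic " + enc.encodeToString(":".getBytes(StandardCharsets.UTF_8));
        String tomcat = "Basic " + enc.encodeToString("tomcat:tomcat".getBytes(StandardCharsets.UTF_8));
        System.out.println("no Authorization header: " + check(null));
        System.out.println("empty user and password: " + check(empty));
        System.out.println("tomcat/tomcat:           " + check(tomcat));
    }
}
```

A realm that instead normalised a null user name to "" before the lookup would accept the request with no Authorization header as the empty-named user, so no BASIC prompt would ever be triggered for the protected path.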