http://nagoya.apache.org/bugzilla/show_bug.cgi?id=6446

Access denied instead of new challenge when authentication fails

[EMAIL PROTECTED] changed:

           What    |Removed                     |Added
----------------------------------------------------------------------------
             Status|NEW                         |RESOLVED
         Resolution|                            |WONTFIX

------- Additional Comments From [EMAIL PROTECTED]  2002-02-14 04:34 -------
"Accurate" it may or may not be, but it's not correct :->

The lifetime of an authentication is dependent on the login method used. For example, for form-based login you are authenticated through the duration of the current session. Therefore, a 403 is the right answer -- if the user should be able to access both sets of protected resources, he or she should be granted both roles in the first place.

JSR 115 or 154 may or may not change this for the future (although I doubt it from the discussions so far).