http://issues.apache.org/bugzilla/show_bug.cgi?id=22617

[EMAIL PROTECTED] changed:

           What    |Removed                     |Added
----------------------------------------------------------------------------
             Status|RESOLVED                    |REOPENED
         Resolution|INVALID                     |

------- Additional Comments From [EMAIL PROTECTED]  2005-04-15 09:19 -------

> Authentication is only required for protected resources and Tomcat will only
> prompt for authentication when accessing a protected resource.

This is wrong. The whole point is that Tomcat DOES NOT PROMPT when basic authentication is used. If the security module allows an unauthenticated user, you never get the opportunity to authenticate as someone different, because Tomcat never sends 401 to the browser.

Tomcat finds that the resource I'm trying to access is protected. This is OK. But instead of sending a 401 and giving me the opportunity to provide credentials, it obviously immediately tries to "authenticate as unauthenticated user". If this is successful, it simply continues with this identity and I never get a prompt.

Acting like this, Tomcat is not consistent in its behaviour. Try form based authentication instead. If you use form based authentication, Tomcat ALWAYS shows the login form first, even if the security realm supports an unauthenticated identity. If form based authentication had been implemented just as basic authentication, Tomcat would find that the resource is protected, try to authenticate, find that the "unauthenticated identity" works and continue with this identity, never showing the login form. But it does!

The point is that basic authentication and form based authentication behave differently when the security realm supports an unauthenticated identity. Using form based authentication, you are prompted for credentials; using basic authentication, you are not prompted.

You cannot derive from the specs which behaviour is correct, I agree with this.
However, Tomcat should consistently stick to one of those possibilities and should not act differently depending on the authentication method chosen.