http://issues.apache.org/bugzilla/show_bug.cgi?id=34560

[EMAIL PROTECTED] changed:

           What    |Removed                     |Added
----------------------------------------------------------------------------
             Status|RESOLVED                    |REOPENED
         Resolution|WONTFIX                     |

------- Additional Comments From [EMAIL PROTECTED]  2005-04-23 04:56 -------

In order to respect the authentication spec rfc2616-14.8, although the authorization is made by a form and not a header, the FormAuthenticator valve was capable of emulating the proper caching constraints. The code is manipulating the correct headers but under inaccurate circumstances.

The problem is not related to the <user-data-constraint><transport-guarantee> tags. It has to do with the absence of <auth-constraint><role-name> tags.

The FormAuthenticator valve is visited for mappings that do not require authentication. That alone is questionable, but assuming the valve may perform other contract, I supposed this visit is unavoidable. However, within the mandate of performing authentication based operations, the valve should restrict itself to mappings that strictly have at least 1 role.

Like I said, every Tomcat application out there is silently suffering from non-cached static resources because:

1-the valve intercepts EVERY request, even if not matching the url pattern
AND
2-the valve does not recognize the absence of authentication constraints.

Thanks for reconsidering.

PS:...especially since the fix is trivial:
(skip if constraints==null || constraints.length==0 || all of constraints[i].getAuthConstraint()==false)

PS:You might want to consult http://www.mnot.net/cache_docs/ and other doc like the rfc 2616:
http://www.w3.org/Protocols/rfc2616/rfc2616.html
http://www.w3.org/Protocols/rfc2616/rfc2616-sec14.html#sec14.9
http://www.w3.org/Protocols/rfc2616/rfc2616-sec14.html#sec14.8
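
The skip condition proposed in the comment above, written out as an added example; this is not code from the bug report or from Tomcat. The Constraint class is a hypothetical stand-in that models only the getAuthConstraint() accessor named in the comment, and the Cache-Control value is an assumed illustration, since the report does not list the headers the valve sets.

```java
import java.util.LinkedHashMap;
import java.util.Map;

public class AuthCacheCheck {
    // Hypothetical stand-in for the container's constraint object; only the
    // getAuthConstraint() accessor named in the comment is modelled.
    static final class Constraint {
        private final boolean authConstraint;
        Constraint(boolean authConstraint) { this.authConstraint = authConstraint; }
        boolean getAuthConstraint() { return authConstraint; }
    }

    // The comment's skip condition, inverted: true only when at least one
    // matching constraint carries an <auth-constraint>.
    static boolean requiresAuthentication(Constraint[] constraints) {
        if (constraints == null || constraints.length == 0) {
            return false; // no constraint matched this request
        }
        for (Constraint c : constraints) {
            if (c.getAuthConstraint()) {
                return true;
            }
        }
        return false; // e.g. only a <user-data-constraint> matched
    }

    // Cache-restricting headers are returned only for responses that are
    // actually subject to authentication. The header value is an assumption.
    static Map<String, String> cacheHeadersFor(Constraint[] constraints) {
        Map<String, String> headers = new LinkedHashMap<>();
        if (requiresAuthentication(constraints)) {
            headers.put("Cache-Control", "no-cache");
        }
        return headers;
    }

    public static void main(String[] args) {
        // Constructed cases: unconstrained static resource, a mapping with a
        // transport guarantee only, and a mapping protected by a role.
        Constraint[] none = null;
        Constraint[] transportOnly = { new Constraint(false) };
        Constraint[] withRole = { new Constraint(false), new Constraint(true) };

        System.out.println("static resource: " + cacheHeadersFor(none));
        System.out.println("transport only:  " + cacheHeadersFor(transportOnly));
        System.out.println("role required:   " + cacheHeadersFor(withRole));
    }
}
```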