http://issues.apache.org/bugzilla/show_bug.cgi?id=34560





------- Additional Comments From [EMAIL PROTECTED]  2005-04-24 18:26 -------
Thank you for your dedication and research.
I read that servlet spec 12.8.

It is very clear to me that the transport constraint is orthogonal to the
authentication constraint.

That is, a 'confidential' transport may not obviously require authentication.
That is especially true for web sites that are fully https to avoid mixed
secure/unsecure content warnings on browsers, while allowing decent caching for
resources that do not need authentication/authorization, like js, css, gifs...

I'm not suggesting to change any of the current logic surrounding
confidential/integral/none. I'm highlighting that the 'de-caching' headers must
only be applied when the authentication is required, which has nothing to do
with transport constraints.

Meanwhile, the http spec is stating that authorization must be challenged
every time and resources, if cached, cannot bypass the authentication. It doesn't
mention anything specific to the ssl nature (or else) of the lower layer
transporting http content.

Thanks again.
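
The rule argued for in the comment above, as an added sketch that is not part of the original comment and is not Tomcat's code: cache-defeating headers depend only on whether a matched constraint carries an auth-constraint, while the transport guarantee only decides whether HTTPS is needed. The `Constraint` record, the method names, the URL patterns and the exact header values are assumptions made for illustration.

```java
import java.util.LinkedHashMap;
import java.util.List;
import java.util.Map;

/** Hypothetical model of the decision discussed in the comment; not container code. */
public class CacheHeaderDecision {

    /** One matched security-constraint: its transport guarantee and whether it has an auth-constraint. */
    record Constraint(String urlPattern, String transportGuarantee, boolean hasAuthConstraint) {}

    /** Cache-defeating headers are added only when authentication is required. */
    static Map<String, String> cacheHeadersFor(List<Constraint> matched) {
        Map<String, String> headers = new LinkedHashMap<>();
        boolean authRequired = matched.stream().anyMatch(Constraint::hasAuthConstraint);
        if (authRequired) {
            // Assumed header set: common values used to keep responses out of caches.
            headers.put("Pragma", "no-cache");
            headers.put("Cache-Control", "no-cache");
            headers.put("Expires", "Thu, 01 Jan 1970 00:00:00 GMT");
        }
        return headers;
    }

    /** The transport guarantee is evaluated separately and never influences caching. */
    static boolean needsHttpsRedirect(List<Constraint> matched, boolean requestIsSecure) {
        boolean tlsRequired = matched.stream()
                .anyMatch(c -> !"NONE".equals(c.transportGuarantee()));
        return tlsRequired && !requestIsSecure;
    }

    public static void main(String[] args) {
        // Constructed sample constraints covering the three cases the comment distinguishes.
        List<Constraint> samples = List.of(
                new Constraint("/static/*", "CONFIDENTIAL", false),  // HTTPS only: stays cacheable
                new Constraint("/account/*", "CONFIDENTIAL", true),  // HTTPS and login: not cacheable
                new Constraint("/reports/*", "NONE", true));         // login over any transport: not cacheable

        for (Constraint c : samples) {
            List<Constraint> matched = List.of(c);
            System.out.printf("%-12s redirectToHttps=%-5b cacheHeaders=%s%n",
                    c.urlPattern(),
                    needsHttpsRedirect(matched, false),
                    cacheHeadersFor(matched).keySet());
        }
    }
}
```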
