http://issues.apache.org/bugzilla/show_bug.cgi?id=22617

------- Additional Comments From [EMAIL PROTECTED]  2005-04-28 11:15 -------
I think you are blurring the distinction between a user not being identified
(yet) and thus being "null" and the user with name "". I admit that the latter
is a very short username, but -- as you state -- this is what the browser-user
has entered by simply hitting enter.

In my opinion, user "" is no longer anonymous, it is simply a user with a very
short name. Of course, a Realm implementation may take this as a shortcut for
"anonymous" or "nobody", and assign the "unauthenticated identity", but it may
as well require a password for this username.

I still consider it an error that Tomcat calls the Realm implementation at all
if authentication is BASIC and it has not received any authentication headers
yet. It should simply have the browser prompt the user for credentials, just
like form based authentication ALWAYS displays the form (and does not call the
Realm implementation first with username being "null").

Of course, the Realm interface is an internal interface. But the point is that
Tomcat invokes this interface differently depending on the authentication method
used!

The practical problem is that I actually do not supply the realm implementation,
JBoss does. I simply supply a JAAS login module. And in a J2EE/JBoss context, I
have to accept a user being "null" as the anonymous user, because this is what
my J2EE clients use as credentials when trying to access anonymously (if I was
to follow your line, a client that wanted to act with the unauthenticated
identity would have to include the necessary code to set the username to "" -- I
don't think this is reasonable). Now don't say "well this is a JBoss problem"; I
strongly doubt that e.g. Geronimo uses username "" instead of user being "null"
to represent an anonymous client.

I still think a fix would be quite simple: if ((authentication == BASIC) AND (no
authentication headers)) { "send 401 to browser" }. This would make the
behaviour consistent with form based login (and Jetty and WebLogicServer, btw.
-- not being able to derive the correct behaviour from the specifications, this
may be a point). As a user, I can still hit the return key and if the Realm
implementation allows anonymous access, it can assign the "unauthenticated
identity" if username is "" and password is "" (as you have proposed the Realm
implementation should).


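A small model of the gate proposed in the comment above, added here as an illustration and not code from Tomcat, JBoss or the bug report: a missing Authorization header means "not identified yet" (send the 401 challenge, never call the Realm), while a header that decodes to an empty username is a real, if very short, username that is handed to the Realm. Function names and the in-memory header dict are assumptions of this example.

```python
import base64
import binascii
from typing import Dict, Optional, Tuple

Credentials = Tuple[str, str]


def basic_header(user: str, password: str) -> str:
    """Client side: build the Authorization value a browser sends after the prompt."""
    return "Basic " + base64.b64encode(f"{user}:{password}".encode("utf-8")).decode("ascii")


def parse_basic_credentials(header_value: str) -> Optional[Credentials]:
    """Decode 'Basic <base64(user:password)>'. Returns None if the value is malformed."""
    scheme, _, token = header_value.strip().partition(" ")
    if scheme.lower() != "basic" or not token:
        return None
    try:
        raw = base64.b64decode(token.strip(), validate=True)
    except (binascii.Error, ValueError):
        return None
    try:
        decoded = raw.decode("utf-8")
    except UnicodeDecodeError:
        return None
    user, sep, password = decoded.partition(":")
    if not sep:
        return None  # the user:password separator is mandatory for Basic
    return user, password


def challenge_response(realm_name: str) -> Tuple[int, Dict[str, str]]:
    """The 401 the container sends so the browser prompts for credentials."""
    return 401, {"WWW-Authenticate": f'Basic realm="{realm_name}", charset="UTF-8"'}


def basic_auth_gate(headers: Dict[str, str]) -> Tuple[str, Optional[Credentials]]:
    """Decide what BASIC auth does BEFORE any Realm is consulted.

    ("challenge", None)          -> no Authorization header: 401, Realm not called
    ("bad_request", None)        -> header present but not well-formed Basic
    ("authenticate", (user, pw)) -> credentials present, possibly ("", ""), go to Realm
    """
    # HTTP header names are case-insensitive; constructed dict stands in for the request.
    value = next((v for k, v in headers.items() if k.lower() == "authorization"), None)
    if value is None:
        return "challenge", None  # user is still "null": do not call the Realm
    creds = parse_basic_credentials(value)
    if creds is None:
        return "bad_request", None
    return "authenticate", creds  # ("", "") is a (short) username, not "null"
```

The Realm only ever sees a real credential pair; whether it maps ("", "") to the unauthenticated identity or demands a password stays the Realm's decision.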