2012/9/7 Shanti Suresh <sha...@umich.edu>:
> Hi Christopher, Hi Konstantin,
>
> On Fri, Sep 7, 2012 at 1:54 PM, Christopher Schultz <
> ch...@christopherschultz.net> wrote:
>
>>
>> I personally think that's a bad idea: just set some simple username
>> and password and have your client use it: any decent command-line HTTP
>> client should support HTTP BASIC authentication.
>>
>
> Sure. I can do that. It just leaves the set operations vulnerable too
> though. I can use digested passwords too, but still my scripts will need
> to be hard-coded with the password.
>
>
>>
>> That's good.
>>
>> Sure :-) Thanks.
>
>
>>
>> Log it as an enhancement request in Bugzilla. I proposed this kind of
>> thing a few months ago though I can't seem to find the thread at the
>> moment. It was mildly rejected due to lack of interest, but it
>> seems we have a real use-case where a user wants this capability.
>>
>
> Oh, most certainly, there is a definite use-case for this feature. And
> others will use it heavily once you have the capability. It just doesn't
> seem like a good plan to have the get and set secured the same way.
>

With "get" you can view someone's password.
With "set" you can change it, or change assigned roles.
(with certain Realm implementations).

There is not much difference.

I think allowing generic "get" or generic "set" is a bad idea.

Best regards,
Konstantin Kolinko