2011/9/2 Mabry Tyson <ty...@ai.sri.com>: > Summary: When requiring form authentication, Tomcat responds to an > unauthenticated GET request with a HTTP status code of 200 (OK) and the > login page. > I believe that to be in violation of the HTTP standards. > > The problem: Software makes a GET request to a web server. It gets back a > 200 status code. By RFC 2616, that code indicates "the request has > succeeded". > The software then takes the resulting page as the successful response to the > GET request. However, in some cases this response is NOT a successful > response > but is instead a login form. > > By using a 200 status code, Tomcat is misrepresenting that the login form is > the response to the request. My believe is a 4xx code (client error) is > appropriate, or possibly a 3xx code (Redirection) might be appropriate. > Unfortunately, the RFC indicates that a 401 (Unauthorized) response MUST > have a header that is only appropriate for basic or digest authentication. > So a status code of 401 is not legal in this situation.
neither is 403 or 404. Plus add to that that certain web browser (IE) has a habit to display his own error page instead on the one provided by the server. The response code 200 tells that server is returning some valid data (a HTML page) that has to be displayed to the user. There might be other headers along that (e.g. to forbid caching). What is your software trying to do? It is trying to crawl the web site? Maybe you can detect the presence of login form on the HTML page that is returned to you? > P.S. For anyone maintaining the examples, shouldn't vendor examples > demonstrate the best practices? I'd suggest you indicate the Content-Type > and the charset. The best way to make examples better is to prepare and propose patches (through Bugzilla). Best regards, Konstantin Kolinko --------------------------------------------------------------------- To unsubscribe, e-mail: users-unsubscr...@tomcat.apache.org For additional commands, e-mail: users-h...@tomcat.apache.org
