Posted to dev@tomcat.apache.org by bu...@apache.org on 2002/02/14 05:34:11 UTC

DO NOT REPLY [Bug 6446] - Access denied instead of new challenge when authentication fails

http://nagoya.apache.org/bugzilla/show_bug.cgi?id=6446

Access denied instead of new challenge when authentication fails

craig.mcclanahan@sun.com changed:

           What    |Removed                     |Added
----------------------------------------------------------------------------
             Status|NEW                         |RESOLVED
         Resolution|                            |WONTFIX



------- Additional Comments From craig.mcclanahan@sun.com  2002-02-14 04:34 -------
"Accurate" it may or may not be, but it's not correct :->

The lifetime of an authentication is dependent on the login method used.  For 
example, for form-based login you are authenticated through the duration of the 
current session.  Therefore, a 403 is the right answer -- if the user should be 
able to access both sets of protected resources, he or she should be granted 
both roles in the first place.

JSR 115 or 154 may or may not change this for the future (although I doubt it 
from the discussions so far).

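
The situation discussed in the comment above, as an added web.xml fragment that is not part of the original bug report or of Tomcat's own files. The role names, URL patterns and page paths are hypothetical and were constructed for illustration.

```xml
<!-- Constructed example: role names, URL patterns and page paths are hypothetical. -->
<web-app>

  <!-- First set of protected resources: requires the "sales" role. -->
  <security-constraint>
    <web-resource-collection>
      <web-resource-name>Sales area</web-resource-name>
      <url-pattern>/sales/*</url-pattern>
    </web-resource-collection>
    <auth-constraint>
      <role-name>sales</role-name>
    </auth-constraint>
  </security-constraint>

  <!-- Second set of protected resources: requires the "admin" role. -->
  <security-constraint>
    <web-resource-collection>
      <web-resource-name>Admin area</web-resource-name>
      <url-pattern>/admin/*</url-pattern>
    </web-resource-collection>
    <auth-constraint>
      <role-name>admin</role-name>
    </auth-constraint>
  </security-constraint>

  <!-- Form-based login: the authenticated identity lasts for the whole
       session. A user who logged in holding only "sales" and then requests
       /admin/* is already authenticated, so the container answers 403
       rather than presenting the login form again. -->
  <login-config>
    <auth-method>FORM</auth-method>
    <form-login-config>
      <form-login-page>/login.jsp</form-login-page>
      <form-error-page>/login-error.jsp</form-error-page>
    </form-login-config>
  </login-config>

  <!-- Roles referenced above. A user who must reach both areas needs both
       roles assigned in the realm before logging in. -->
  <security-role><role-name>sales</role-name></security-role>
  <security-role><role-name>admin</role-name></security-role>

</web-app>
```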