Posted to dev@tomcat.apache.org by bu...@apache.org on 2002/02/14 05:34:11 UTC
DO NOT REPLY [Bug 6446] - Access denied instead of new challenge when authentication fails
http://nagoya.apache.org/bugzilla/show_bug.cgi?id=6446
Access denied instead of new challenge when authentication fails
craig.mcclanahan@sun.com changed:
           What    |Removed                     |Added
----------------------------------------------------------------------------
             Status|NEW                         |RESOLVED
         Resolution|                            |WONTFIX
------- Additional Comments From craig.mcclanahan@sun.com 2002-02-14 04:34 -------
"Accurate" it may or may not be, but it's not correct :->
The lifetime of an authentication is dependent on the login method used. For
example, for form-based login you are authenticated through the duration of the
current session. Therefore, a 403 is the right answer -- if the user should be
able to access both sets of protected resources, he or she should be granted
both roles in the first place.
JSR 115 or 154 may or may not change this for the future (although I doubt it
from the discussions so far).
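The behaviour described in the comment above, as an added example that is not part of the original bug report or of Tomcat's code: a small Python model in which a form login lasts for the session, so a request for a resource requiring a role the user lacks returns 403 rather than a new challenge. The paths, role names, user and function names are constructed for illustration.

```python
import hmac

# Constructed sample data: URL prefixes, roles and one user (not from the bug report).
CONSTRAINTS = {"/admin/": {"admin"}, "/reports/": {"analyst"}}  # prefix -> required roles
USERS = {"alice": ("s3cret", {"analyst"})}                       # user -> (password, roles)
SESSIONS = {}                                                    # session id -> user


def required_roles(path):
    """Return the roles protecting path, or None if it is unprotected."""
    for prefix, roles in CONSTRAINTS.items():
        if path.startswith(prefix):
            return roles
    return None


def login(session_id, user, password):
    """Form-login step: bind the user to the session for its whole lifetime."""
    record = USERS.get(user)
    if record is None:
        return False
    if not hmac.compare_digest(record[0].encode(), password.encode()):
        return False
    SESSIONS[session_id] = user
    return True


def logout(session_id):
    """Invalidating the session is what ends a form-based authentication."""
    SESSIONS.pop(session_id, None)


def handle(session_id, path):
    """Decide the outcome of one request: 200, 403 or 'CHALLENGE'."""
    roles = required_roles(path)
    if roles is None:
        return 200                  # unprotected resource
    user = SESSIONS.get(session_id)
    if user is None:
        return "CHALLENGE"          # no authentication yet: ask for credentials
    if USERS[user][1] & roles:
        return 200                  # authenticated and holds a required role
    return 403                      # authenticated, missing role: no new challenge
```

Only `logout` (session invalidation) returns the client to the challenge path; a role mismatch never does.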