Posted to users@tomcat.apache.org by alexander dosher <al...@pacbell.net> on 2005/02/24 19:58:12 UTC

Tomcat serves unauthenticated 304s. yuck.

Hi all,

I have what is mainly an IE6 problem, but Tomcat is contributing by 
serving up 304s to requests whose authentication (FORM or BASIC) has 
expired.  This seems to me to be in violation of the HTTP/1.1 spec:

"If the client has performed a conditional GET request /and access is 
allowed/, but the document has not been modified, the server SHOULD 
respond with this status code."

Specifically, the problem is arising because Tomcat is serving a 304 for 
the *page*, but 403s for the page's linked stylesheet & javascript files 
(in a separate webapp but under the same access control, & single-signon 
turned on), which causes ugliness. This is almost certainly IE's fault, 
for issuing different sorts of GETs, but Tomcat *still* (IMHO) shouldn't 
be doing *anything* with an unauthenticated request for a protected 
resource other than trying to authenticate the user.

B*g, or user error?  Comments appreciated,

alex.


-- 
  ___________________________________________________________________
| Alexander Dosher...Proletarian Intellectual, American Art Fascism |
| S.J. Earthquakes...Chelsea FC...Ukraine...Neue Slowenische Kunst  |
|                                                                   |
| "There was port later."   - Arthur Machen, _The Bright Boy_       |
|___________________________________________________________________|
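
Added example, not part of the original post and not Tomcat's code: a small Python model of the two evaluation orders, showing that a 304 can only reach a caller without a valid login when the If-Modified-Since check runs before the access check. The function names, the sample date and the use of 401 for the unauthenticated case are assumptions made for illustration.

```python
from datetime import datetime, timezone
from email.utils import parsedate_to_datetime

# Constructed sample: a protected page last changed on this date.
LAST_MODIFIED = datetime(2005, 2, 1, 12, 0, 0, tzinfo=timezone.utc)


def not_modified(headers, last_modified):
    """True when If-Modified-Since parses and is not older than the resource."""
    value = headers.get("If-Modified-Since")
    if not value:
        return False
    try:
        since = parsedate_to_datetime(value)
    except (TypeError, ValueError):
        return False  # unparseable date: treat the request as unconditional
    if since.tzinfo is None:
        since = since.replace(tzinfo=timezone.utc)
    return last_modified <= since


def conditional_first(headers, authenticated, last_modified=LAST_MODIFIED):
    """Model of the behaviour reported in the post: validator check first."""
    if not_modified(headers, last_modified):
        return 304  # sent without ever looking at the login state
    return 200 if authenticated else 401


def access_first(headers, authenticated, last_modified=LAST_MODIFIED):
    """Order the quoted spec text implies: no 304 unless access is allowed."""
    if not authenticated:
        return 401  # assumption: BASIC; FORM auth would send the login page
    return 304 if not_modified(headers, last_modified) else 200


def serves_unauthenticated_304(handler):
    """Regression check: does a handler answer 304 to an expired login?"""
    probe = {"If-Modified-Since": "Thu, 24 Feb 2005 19:58:12 GMT"}
    return handler(probe, authenticated=False) == 304


if __name__ == "__main__":
    for handler in (conditional_first, access_first):
        print(handler.__name__, serves_unauthenticated_304(handler))
```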


