You are viewing a plain text version of this content. The canonical link for it is here.

Posted to dev@tomcat.apache.org by Ken Dombeck <kd...@gmail.com> on 2017/12/15 21:20:47 UTC

Change HTTP status code for DefaultServlet with readOnly set to true

Currently if you invoke PUT or DELETE on the DefaultServlet with
readOnly set to true it will return a 403. This implies that the
client can reauthorize the request and try again. But there is nothing
the user can do to actually invoke either of these two methods.

The proposed change is to return a 405 rather than the 403 since
neither of these methods is allowed when the readOnly flag is set to
true.

markt-asf has a nice writeup in the following PR with more details
https://github.com/apache/tomcat/pull/96

What I am looking for here is if there is consensus amongst the rest
of the development team for this change.

---------------------------------------------------------------------
To unsubscribe, e-mail: dev-unsubscribe@tomcat.apache.org
For additional commands, e-mail: dev-help@tomcat.apache.org