Posted to users@tomcat.apache.org by Sim IJskes <si...@nyx.xs4all.nl> on 2000/04/06 11:57:29 UTC
Re: [VOTE] The current form-based login implementation in Tomcat 3.1
"Craig R. McClanahan" wrote:
> * Comment out the current code that implements
> FORM-based authentication, so that no one will
> run into a partially complete implementation. This
> will go on the list of things for the next release.
Please don't do this! Pretty please?
Gr. Sim
Re: [VOTE] The current form-based login implementation in Tomcat 3.1
Posted by Sim IJskes <si...@nyx.xs4all.nl>.
Jason Hunter wrote:
> How's this for a solution:
>
> Remove the hook that acts on the FORM tag and make it act on
> EXPERIMENTAL_FORM. Let FORM be unsupported. We'll allow a FORM
> entry when we behave according to the spec. Put in the release notes
> that experimenters can use EXPERIMENTAL_FORM. This solution should
> require minimal code changes, accomplishes the main things everyone
> wants, and brings us closer to the spirit of the spec.
Perfect idea!
Gr. Sim
Re: [VOTE] The current form-based login implementation in Tomcat 3.1
Posted by Jason Hunter <jh...@acm.org>.
Craig R. McClanahan wrote:
>
> Sim IJskes wrote:
>
> > "Craig R. McClanahan" wrote:
> >
> > > * Comment out the current code that implements
> > > FORM-based authentication, so that no one will
> > > run into a partially complete implementation. This
> > > will go on the list of things for the next release.
> >
> > Please don't do this! Pretty please?
> >
>
> OK, so who is volunteering to sign up for the bug reports
> we're going to get on this topic -- people are going to try it and
> find out that it doesn't work correctly (as well as not meeting the
> spec) -- in spite of any dire warnings to the contrary in the
> release notes.
Yep, nobody reads release notes.
> Personally, I'm much more comfortable
> with "sorry, it's not supported" than I am with "it's kinda, sorta
> there, but it's broken" which is the current state of the code.
I agree with Craig.
Poorly-implemented security is *not* acceptable in my book. The
fact that the project is open source doesn't change what justifies
release quality. I don't think a commercial entity should ship
partially-working security. Why should we?
Imagine we had no form-based security checked in. Imagine someone
proposed we do a half implementation before release. Would we allow
that?
How's this for a solution:
Remove the hook that acts on the FORM tag and make it act on
EXPERIMENTAL_FORM. Let FORM be unsupported. We'll allow a FORM
entry when we behave according to the spec. Put in the release notes
that experimenters can use EXPERIMENTAL_FORM. This solution should
require minimal code changes, accomplishes the main things everyone
wants, and brings us closer to the spirit of the spec.
-jh-
P.S. Cross-posting on tomcat-dev where this seems to belong. Please
send comments on my proposal to that list alone.
Re: [VOTE] The current form-based login implementation in Tomcat 3.1
Posted by "Craig R. McClanahan" <Cr...@eng.sun.com>.
Sim IJskes wrote:
> "Craig R. McClanahan" wrote:
>
> > * Comment out the current code that implements
> > FORM-based authentication, so that no one will
> > run into a partially complete implementation. This
> > will go on the list of things for the next release.
>
> Please don't do this! Pretty please?
>
OK, so who is volunteering to sign up for the bug reports we're going to get
on this topic -- people are going to try it and find out that it doesn't work
correctly (as well as not meeting the spec) -- in spite of any dire warnings
to the contrary in the release notes. Personally, I'm much more comfortable
with "sorry, it's not supported" than I am with "it's kinda, sorta there, but
it's broken" which is the current state of the code.
>
> Gr. Sim
>
Craig