You are viewing a plain text version of this content. The canonical link for it is here.

Posted to users@tomcat.apache.org by "Hood, Earl" <eh...@ti.com> on 2001/07/30 21:38:37 UTC

Possible ill-advised default handling of 403

I just noticed that if I set a 403 error status in a servlet, Tomcat
automatically adds the following HTML body with the error:

	<h1>SSL required to access this page</H1>

Ugh.

I looked at the source code (3.2.2 of Tomcat) and notice that if
no 403 error-code handler is registered, it defaults to SSLRequiredHandler.
IMO, this is a bad default since SSL access is only one of many possible
reasons that access to a resource is forbidden.

To me, there should be no default, or if there is one, it should be a
canned response like "Access Forbidden".

So why was this done?  A hack for SSL support?  And when will it be changed.

--ewh

--
Earl W. Hood
Texas Instruments
ehood@ti.com
972-917-1695