You are viewing a plain text version of this content. The canonical link for it is here.
Posted to users@tomcat.apache.org by "Hood, Earl" <eh...@ti.com> on 2001/07/30 21:38:37 UTC
Possible ill-advised default handling of 403
I just noticed that if I set a 403 error status in a servlet, Tomcat
automatically adds the following HTML body with the error:
<h1>SSL required to access this page</H1>
Ugh.
I looked at the source code (3.2.2 of Tomcat) and notice that if
no 403 error-code handler is registered, it defaults to SSLRequiredHandler.
IMO, this is a bad default since SSL access is only one of many possible
reasons that access to a resource is forbidden.
To me, there should be no default, or if there is one, it should be a
canned response like "Access Forbidden".
So why was this done? A hack for SSL support? And when will it be changed.
--ewh
--
Earl W. Hood
Texas Instruments
ehood@ti.com
972-917-1695