Posted to dev@tomcat.apache.org by GitBox <gi...@apache.org> on 2021/08/10 17:29:54 UTC

[GitHub] [tomcat] rrodewald opened a new pull request #444: Delegate check for preemptive authentication from AuthenticatorBase to affected Authenticators

rrodewald opened a new pull request #444:
URL: https://github.com/apache/tomcat/pull/444


   The main purpose of the proposed refactoring is to give an individual `Authenticator` the possibility to decide if preemptive authentication is possible (e.g. if a completely different header is used for authentication).
   
   In addition it yields cleaner code as the certificate handling code and the header name for basic, digest and spnego auth can now be moved to the relevant `Authenticator`s and do not pollute the `AuthenticatorBase`. `FormAuthenticator` and `NonLoginAuthenticator` don't need to override `isPreemptiveAuthRequest()` as preemptive is not supported/needed.
   
   Main changes:
   - new protected method isPreemptiveAuthRequest() in AuthenticatorBase
   which is overridden in some authenticators
   - moved getRequestCertificates() from AuthenticatorBase to
   SSLAuthenticator


-- 
This is an automated message from the Apache Git Service.
To respond to the message, please log on to GitHub and use the
URL above to go to the specific comment.

To unsubscribe, e-mail: dev-unsubscribe@tomcat.apache.org

For queries about this service, please contact Infrastructure at:
users@infra.apache.org



---------------------------------------------------------------------
To unsubscribe, e-mail: dev-unsubscribe@tomcat.apache.org
For additional commands, e-mail: dev-help@tomcat.apache.org


[GitHub] [tomcat] rrodewald commented on a change in pull request #444: Delegate check for preemptive authentication from AuthenticatorBase to affected Authenticators

Posted by GitBox <gi...@apache.org>.
rrodewald commented on a change in pull request #444:
URL: https://github.com/apache/tomcat/pull/444#discussion_r687513716



##########
File path: java/org/apache/catalina/authenticator/SSLAuthenticator.java
##########
@@ -104,7 +104,7 @@ protected String getAuthMethod() {
     }
 
     @Override
-    protected boolean isPreemptiveAuthRequest(Request request) {
+    protected boolean isPreemptiveAuthPossible(Request request) {
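
Review bot: the renamed `isPreemptiveAuthPossible(Request request)` override has no Javadoc, so a reader of `SSLAuthenticator` cannot tell what condition makes preemptive authentication "possible" for this authenticator. Add a short comment on the override stating what it checks, and confirm that every other override and the caller were renamed in the same change: an override without `@Override` that still uses the old name would compile and silently stop being called.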

Review comment:
       RFC 8466 is relatively clear about client certs sent to the server:
   ```
   4.4.2.  Certificate
   [...]
   
      The client MUST send a Certificate message if and only if the server
      has requested client authentication via a CertificateRequest message
      (Section 4.3.2).
   ```
   So while it may be technically possible to start by sending client certificates it is definitely not supported by the spec. I would opt for deactivation of this "feature".






[GitHub] [tomcat] rrodewald commented on a change in pull request #444: Delegate check for preemptive authentication from AuthenticatorBase to affected Authenticators

Posted by GitBox <gi...@apache.org>.
rrodewald commented on a change in pull request #444:
URL: https://github.com/apache/tomcat/pull/444#discussion_r686294855



##########
File path: java/org/apache/catalina/authenticator/BasicAuthenticator.java
##########
@@ -132,6 +132,10 @@ protected String getAuthMethod() {
         return HttpServletRequest.BASIC_AUTH;
     }
 
+    @Override
+    protected boolean isPreemptiveAuthRequest(Request request) {
+        return request.getCoyoteRequest().getMimeHeaders().getValue("authorization") != null;
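
Review bot: the `getValue("authorization") != null` test on the added return line is true for any `Authorization` header, whatever its scheme, so `BasicAuthenticator` would report preemptive authentication as possible for credentials it cannot process (a `Bearer` token, for example). Check that the value starts with the `Basic` scheme name (compared case-insensitively) followed by a space and a non-empty credential, and return false otherwise.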

Review comment:
       Renamed method `isPreemptiveAuthRequest()` to `isPreemptiveAuthPossible()`






[GitHub] [tomcat] michael-o commented on a change in pull request #444: Delegate check for preemptive authentication from AuthenticatorBase to affected Authenticators

Posted by GitBox <gi...@apache.org>.
michael-o commented on a change in pull request #444:
URL: https://github.com/apache/tomcat/pull/444#discussion_r687092579



##########
File path: java/org/apache/catalina/authenticator/SSLAuthenticator.java
##########
@@ -104,7 +104,7 @@ protected String getAuthMethod() {
     }
 
     @Override
-    protected boolean isPreemptiveAuthRequest(Request request) {
+    protected boolean isPreemptiveAuthPossible(Request request) {

Review comment:
       I have just read RFC 5246 and RFC 8466 and there is no single definition of a preemptive Client Cert auth. So the server has to send `CertificateRequest` first. Since HTTP authz checks come after TLS, I fail to understand the previous code. Maybe @markt-asf can enlighten us.






[GitHub] [tomcat] michael-o commented on a change in pull request #444: Delegate check for preemptive authentication from AuthenticatorBase to affected Authenticators

Posted by GitBox <gi...@apache.org>.
michael-o commented on a change in pull request #444:
URL: https://github.com/apache/tomcat/pull/444#discussion_r686188244



##########
File path: java/org/apache/catalina/authenticator/BasicAuthenticator.java
##########
@@ -132,6 +132,10 @@ protected String getAuthMethod() {
         return HttpServletRequest.BASIC_AUTH;
     }
 
+    @Override
+    protected boolean isPreemptiveAuthRequest(Request request) {
+        return request.getCoyoteRequest().getMimeHeaders().getValue("authorization") != null;

Review comment:
       I don't consider this to be preemptive authentication. It says nothing that the user has not been challenged.






[GitHub] [tomcat] markt-asf commented on pull request #444: Delegate check for preemptive authentication from AuthenticatorBase to affected Authenticators

Posted by GitBox <gi...@apache.org>.
markt-asf commented on pull request #444:
URL: https://github.com/apache/tomcat/pull/444#issuecomment-900303347


   Preemptive authentication for TLS needs to be retained. There are a few edge cases where it still has an effect. For example when `certificateVerification="optional"` is used.




[GitHub] [tomcat] rrodewald commented on a change in pull request #444: Delegate check for preemptive authentication from AuthenticatorBase to affected Authenticators

Posted by GitBox <gi...@apache.org>.
rrodewald commented on a change in pull request #444:
URL: https://github.com/apache/tomcat/pull/444#discussion_r686206255



##########
File path: java/org/apache/catalina/authenticator/BasicAuthenticator.java
##########
@@ -132,6 +132,10 @@ protected String getAuthMethod() {
         return HttpServletRequest.BASIC_AUTH;
     }
 
+    @Override
+    protected boolean isPreemptiveAuthRequest(Request request) {
+        return request.getCoyoteRequest().getMimeHeaders().getValue("authorization") != null;

Review comment:
       It's the way that this method is called from `AuthenticatorBase` that makes it a question for preemptive. The call is combined with a check of `Context.getPreemptiveAuthentication()` there. Any suggestion for a better name? How about `checkPreemptiveAuthRequirements()` or `isPreemptiveAuthPossible()`?






[GitHub] [tomcat] markt-asf commented on pull request #444: Delegate check for preemptive authentication from AuthenticatorBase to affected Authenticators

Posted by GitBox <gi...@apache.org>.
markt-asf commented on pull request #444:
URL: https://github.com/apache/tomcat/pull/444#issuecomment-900362561


   Applied manually so I could:
   - add a change log entry
   - tweak the code formatting
   - retain SSL preemptive auth




[GitHub] [tomcat] michael-o commented on pull request #444: Delegate check for preemptive authentication from AuthenticatorBase to affected Authenticators

Posted by GitBox <gi...@apache.org>.
michael-o commented on pull request #444:
URL: https://github.com/apache/tomcat/pull/444#issuecomment-897492778


   One more nit: I think the check in the header-based authenticators is too generic. Shouldn't they check for a value for their auth scheme only? Basic for `Basic <value>`, etc.?


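
The scheme-specific check asked for in this comment, as an added example that is not Tomcat code and not part of the thread: `PreemptiveAuthCheck` and its methods are hypothetical names that work on a raw `Authorization` header value, and the sample values in `main` are constructed. It goes beyond Basic to cover Negotiate and Digest; the Digest test only looks for a `response` parameter.

```java
import java.util.regex.Pattern;

// Added example, not Tomcat code. Class and method names are hypothetical.
public class PreemptiveAuthCheck {

    // token68 (RFC 7235): the shape of Basic and Negotiate credentials.
    private static final Pattern TOKEN68 =
            Pattern.compile("[A-Za-z0-9\\-._~+/]+=*");

    // Shallow Digest check: a "response" parameter appears in the list.
    private static final Pattern DIGEST_RESPONSE =
            Pattern.compile("(^|,)\\s*response\\s*=", Pattern.CASE_INSENSITIVE);

    // The generic check discussed in the thread: any Authorization header counts.
    static boolean anyHeader(String headerValue) {
        return headerValue != null;
    }

    // Returns the credentials after "<scheme> ", or null when the header is
    // absent, uses another scheme, or carries no credentials.
    static String credentialsFor(String scheme, String headerValue) {
        if (headerValue == null) {
            return null;
        }
        String value = headerValue.trim();
        int len = scheme.length();
        // Scheme names compare case-insensitively and are followed by a space.
        if (value.length() <= len
                || !value.regionMatches(true, 0, scheme, 0, len)
                || value.charAt(len) != ' ') {
            return null;
        }
        String rest = value.substring(len).trim();
        return rest.isEmpty() ? null : rest;
    }

    static boolean basicPossible(String headerValue) {
        String c = credentialsFor("Basic", headerValue);
        return c != null && TOKEN68.matcher(c).matches();
    }

    static boolean negotiatePossible(String headerValue) {
        String c = credentialsFor("Negotiate", headerValue);
        return c != null && TOKEN68.matcher(c).matches();
    }

    static boolean digestPossible(String headerValue) {
        String c = credentialsFor("Digest", headerValue);
        return c != null && DIGEST_RESPONSE.matcher(c).find();
    }

    public static void main(String[] args) {
        // Constructed sample header values (null means the header is absent).
        String[] samples = {
            null,
            "Basic dXNlcjpwYXNz",
            "basic dXNlcjpwYXNz",
            "Basic",
            "Bearer abc.def.ghi",
            "Negotiate YIIBhwYGKwYBBQUCoIIBezCCAXc=",
            "Digest username=\"u\", realm=\"r\", nonce=\"n\", uri=\"/\", response=\"0123\""
        };
        for (String h : samples) {
            System.out.printf(
                    "%-28.28s any=%-5b basic=%-5b negotiate=%-5b digest=%b%n",
                    h, anyHeader(h), basicPossible(h),
                    negotiatePossible(h), digestPossible(h));
        }
    }
}
```

Run it with `java PreemptiveAuthCheck.java`; the `Bearer` and bare `Basic` rows are the ones where the generic check and the scheme-specific checks disagree.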


[GitHub] [tomcat] michael-o commented on a change in pull request #444: Delegate check for preemptive authentication from AuthenticatorBase to affected Authenticators

Posted by GitBox <gi...@apache.org>.
michael-o commented on a change in pull request #444:
URL: https://github.com/apache/tomcat/pull/444#discussion_r687520920



##########
File path: java/org/apache/catalina/authenticator/SSLAuthenticator.java
##########
@@ -104,7 +104,7 @@ protected String getAuthMethod() {
     }
 
     @Override
-    protected boolean isPreemptiveAuthRequest(Request request) {
+    protected boolean isPreemptiveAuthPossible(Request request) {

Review comment:
       Exactly, preemptive is forbidden/does not exist. Make it false/remove it.






[GitHub] [tomcat] markt-asf closed pull request #444: Delegate check for preemptive authentication from AuthenticatorBase to affected Authenticators

Posted by GitBox <gi...@apache.org>.
markt-asf closed pull request #444:
URL: https://github.com/apache/tomcat/pull/444


   




[GitHub] [tomcat] michael-o commented on a change in pull request #444: Delegate check for preemptive authentication from AuthenticatorBase to affected Authenticators

Posted by GitBox <gi...@apache.org>.
michael-o commented on a change in pull request #444:
URL: https://github.com/apache/tomcat/pull/444#discussion_r686570618



##########
File path: java/org/apache/catalina/authenticator/SSLAuthenticator.java
##########
@@ -104,7 +104,7 @@ protected String getAuthMethod() {
     }
 
     @Override
-    protected boolean isPreemptiveAuthRequest(Request request) {
+    protected boolean isPreemptiveAuthPossible(Request request) {

Review comment:
       I wonder whether TLS allows preemptive auth at all.






[GitHub] [tomcat] michael-o commented on pull request #444: Delegate check for preemptive authentication from AuthenticatorBase to affected Authenticators

Posted by GitBox <gi...@apache.org>.
michael-o commented on pull request #444:
URL: https://github.com/apache/tomcat/pull/444#issuecomment-897565545


   This needs to be analyzed whether the tests are invalid or not.




[GitHub] [tomcat] michael-o commented on a change in pull request #444: Delegate check for preemptive authentication from AuthenticatorBase to affected Authenticators

Posted by GitBox <gi...@apache.org>.
michael-o commented on a change in pull request #444:
URL: https://github.com/apache/tomcat/pull/444#discussion_r686228585



##########
File path: java/org/apache/catalina/authenticator/BasicAuthenticator.java
##########
@@ -132,6 +132,10 @@ protected String getAuthMethod() {
         return HttpServletRequest.BASIC_AUTH;
     }
 
+    @Override
+    protected boolean isPreemptiveAuthRequest(Request request) {
+        return request.getCoyoteRequest().getMimeHeaders().getValue("authorization") != null;

Review comment:
       I prefer the latter.






[GitHub] [tomcat] rrodewald edited a comment on pull request #444: Delegate check for preemptive authentication from AuthenticatorBase to affected Authenticators

Posted by GitBox <gi...@apache.org>.
rrodewald edited a comment on pull request #444:
URL: https://github.com/apache/tomcat/pull/444#issuecomment-897549391


   The removal of the preemptive capability of the `SSLAuthenticator` makes multiple tests fail:
   ```
       [junit] Test org.apache.catalina.valves.rewrite.TestResolverSSL FAILED
       [junit] Test org.apache.tomcat.util.net.TestClientCertTls13 FAILED
       [junit] Test org.apache.tomcat.util.net.TestClientCert FAILED
       [junit] Test org.apache.tomcat.util.net.TestCustomSsl FAILED
   ```
   Before I change all these tests I'd like to confirm that it is worth it.




[GitHub] [tomcat] rrodewald commented on a change in pull request #444: Delegate check for preemptive authentication from AuthenticatorBase to affected Authenticators

Posted by GitBox <gi...@apache.org>.
rrodewald commented on a change in pull request #444:
URL: https://github.com/apache/tomcat/pull/444#discussion_r687058556



##########
File path: java/org/apache/catalina/authenticator/SSLAuthenticator.java
##########
@@ -104,7 +104,7 @@ protected String getAuthMethod() {
     }
 
     @Override
-    protected boolean isPreemptiveAuthRequest(Request request) {
+    protected boolean isPreemptiveAuthPossible(Request request) {

Review comment:
       I'm not sure either. Browsers definitely want a challenge first. I just tried to mimic the current behaviour as close as possible - the code is unchanged from what was in `AuthenticatorBase` before.






[GitHub] [tomcat] rrodewald commented on pull request #444: Delegate check for preemptive authentication from AuthenticatorBase to affected Authenticators

Posted by GitBox <gi...@apache.org>.
rrodewald commented on pull request #444:
URL: https://github.com/apache/tomcat/pull/444#issuecomment-897703572


   Will have to look at that in detail, which will take some time. I have to postpone this for 2 weeks because I am on vacation.




[GitHub] [tomcat] michael-o commented on pull request #444: Delegate check for preemptive authentication from AuthenticatorBase to affected Authenticators

Posted by GitBox <gi...@apache.org>.
michael-o commented on pull request #444:
URL: https://github.com/apache/tomcat/pull/444#issuecomment-900359300


   > Preemptive authentication for TLS needs to be retained. There are a few edge cases where it still has an effect. For example when `certificateVerification="optional"` is used.
   
   Can you explain how?




[GitHub] [tomcat] rrodewald commented on a change in pull request #444: Delegate check for preemptive authentication from AuthenticatorBase to affected Authenticators

Posted by GitBox <gi...@apache.org>.
rrodewald commented on a change in pull request #444:
URL: https://github.com/apache/tomcat/pull/444#discussion_r686206255



##########
File path: java/org/apache/catalina/authenticator/BasicAuthenticator.java
##########
@@ -132,6 +132,10 @@ protected String getAuthMethod() {
         return HttpServletRequest.BASIC_AUTH;
     }
 
+    @Override
+    protected boolean isPreemptiveAuthRequest(Request request) {
+        return request.getCoyoteRequest().getMimeHeaders().getValue("authorization") != null;

Review comment:
       It's the way that this method is called from `AuthenticatorBase` that makes it a question for preemptive. The call is combined with a check of `Context.getPreemptiveAuthentication()` there. Any suggestion for a better name? How about `checkPreemptiveAuthRequirements()`?






[GitHub] [tomcat] michael-o commented on pull request #444: Delegate check for preemptive authentication from AuthenticatorBase to affected Authenticators

Posted by GitBox <gi...@apache.org>.
michael-o commented on pull request #444:
URL: https://github.com/apache/tomcat/pull/444#issuecomment-897500252


   > That's a good point IMHO. Now that the check is in the individual `Authenticator`s it can easily be made more specific. I'm not too familiar with Digest and SPNEGO but I'll try.
   
   With SPNEGO it is like with Basic: Base64 token.




[GitHub] [tomcat] rrodewald commented on pull request #444: Delegate check for preemptive authentication from AuthenticatorBase to affected Authenticators

Posted by GitBox <gi...@apache.org>.
rrodewald commented on pull request #444:
URL: https://github.com/apache/tomcat/pull/444#issuecomment-897549391


   The removal of the preemptive capability of the `SSLAuthenticator` makes multiple tests fail:
   ```
       [junit] Test org.apache.catalina.valves.rewrite.TestResolverSSL FAILED
       [junit] Test org.apache.tomcat.util.net.TestClientCertTls13 FAILED
       [junit] Test org.apache.tomcat.util.net.TestClientCert FAILED
       [junit] Test org.apache.tomcat.util.net.TestCustomSsl FAILED
       [junit] Test org.apache.catalina.valves.rewrite.TestResolverSSL FAILED
       [junit] Test org.apache.tomcat.util.net.TestClientCertTls13 FAILED
       [junit] Test org.apache.tomcat.util.net.TestClientCert FAILED
       [junit] Test org.apache.tomcat.util.net.TestCustomSsl FAILED
       [junit] Test org.apache.catalina.valves.rewrite.TestResolverSSL FAILED
       [junit] Test org.apache.tomcat.util.net.TestClientCertTls13 FAILED
   ```
   Before I change all these tests I'd like to confirm that it is worth it.




[GitHub] [tomcat] rrodewald commented on pull request #444: Delegate check for preemptive authentication from AuthenticatorBase to affected Authenticators

Posted by GitBox <gi...@apache.org>.
rrodewald commented on pull request #444:
URL: https://github.com/apache/tomcat/pull/444#issuecomment-897494990


   That's a good point IMHO. Now that the check is in the individual `Authenticator`s it can easily be made more specific. I'm not too familiar with Digest and SPNEGO but I'll try.

