You are viewing a plain text version of this content. The canonical link for it is here.

Posted to dev@tomcat.apache.org by bu...@apache.org on 2002/11/16 19:22:13 UTC

DO NOT REPLY [Bug 14616] New: - Redirects should be issued prior to authentication challenges

DO NOT REPLY TO THIS EMAIL, BUT PLEASE POST YOUR BUG 
RELATED COMMENTS THROUGH THE WEB INTERFACE AVAILABLE AT
<http://nagoya.apache.org/bugzilla/show_bug.cgi?id=14616>.
ANY REPLY MADE TO THIS MESSAGE WILL NOT BE COLLECTED AND 
INSERTED IN THE BUG DATABASE.

http://nagoya.apache.org/bugzilla/show_bug.cgi?id=14616

Redirects should be issued prior to authentication challenges

           Summary: Redirects should be issued prior to authentication
                    challenges
           Product: Tomcat 4
           Version: 4.0.6 Final
          Platform: All
        OS/Version: All
            Status: NEW
          Severity: Normal
          Priority: Other
         Component: Catalina
        AssignedTo: tomcat-dev@jakarta.apache.org
        ReportedBy: Keith@Apache.org


4.0.6 exhibits this wrong behavior:
 GET /foo                       ->  401
 GET /foo with auth             ->  301 to /foo/
 GET /foo/ with auth            ->  200    
 GET /bar with auth  .. (browser will send auth to other realms!)

It should exhibit this correct behavior (as Apache does):
 GET /foo                       ->  301 to /foo/
 GET /foo/                      ->  401
 GET /foo/ with auth            ->  200
 GET /bar  WITHOUT auth

Otherwise, browsers will cache and send auth information for the
entire domain and not just a protected directory.

--
To unsubscribe, e-mail:   <ma...@jakarta.apache.org>
For additional commands, e-mail: <ma...@jakarta.apache.org>