37934 – Tomcat does not follow SRV 12.8.3 regarding empty auth-constraint

Bug 37934 - Tomcat does not follow SRV 12.8.3 regarding empty auth-constraint

Summary: Tomcat does not follow SRV 12.8.3 regarding empty auth-constraint

Status:	RESOLVED FIXED

Alias:	None

Product:	Tomcat 5
Classification:	Unclassified
Component:	Catalina (show other bugs)
Version:	5.5.14
Hardware:	All Windows XP

Importance:	P2 normal (vote)
Target Milestone:	---
Assignee:	Tomcat Developers Mailing List

URL:
Keywords:

Depends on:
Blocks:

Reported:	2005-12-16 07:22 UTC by Nam T. Nguyen
Modified:	2005-12-16 00:14 UTC (History)
CC List:	0 users

Attachments
the test web archive (851 bytes, application/octet-stream) 2005-12-16 07:23 UTC, Nam T. Nguyen	Details
View All Add an attachment (proposed patch, testcase, etc.)

Note You need to log in before you can comment on or make changes to this bug.

Description Nam T. Nguyen 2005-12-16 07:22:30 UTC

Point 2 in Section SRV 12.8.3 in servlet spec states the container shall reject 
a request (403) if access to such resource has been precluded by an empty auth-
constraint element.

However, Tomcat up to 5.5.14 returns 401 in the test.

How to reproduce:
- Deploy attached file
- Visit http://localhost:8080/httpmethod/HTTPMethod/POST

This should not ask for any credential at all.

Comment 1 Nam T. Nguyen 2005-12-16 07:23:20 UTC

Created attachment 17230 [details]
the test web archive

Comment 2 william.barker 2005-12-16 09:14:19 UTC

This is fixed now in SVN trunk, and will appear in 5.5.15.

Thanks for the report!