Bug 37934

Summary: Tomcat does not follow SRV 12.8.3 regarding empty auth-constraint
Product: Tomcat 5 Reporter: Nam T. Nguyen <tnnguyen>
Component: CatalinaAssignee: Tomcat Developers Mailing List <dev>
Status: RESOLVED FIXED    
Severity: normal    
Priority: P2    
Version: 5.5.14   
Target Milestone: ---   
Hardware: All   
OS: Windows XP   
Attachments: the test web archive

Description Nam T. Nguyen 2005-12-16 07:22:30 UTC 
Point 2 in Section SRV 12.8.3 in servlet spec states the container shall reject 
a request (403) if access to such resource has been precluded by an empty auth-
constraint element.

However, Tomcat up to 5.5.14 returns 401 in the test.

How to reproduce:
- Deploy attached file
- Visit http://localhost:8080/httpmethod/HTTPMethod/POST

This should not ask for any credential at all.
Comment 1 Nam T. Nguyen 2005-12-16 07:23:20 UTC 
Created attachment 17230 [details]
the test web archive
Comment 2 william.barker 2005-12-16 09:14:19 UTC 
This is fixed now in SVN trunk, and will appear in 5.5.15.

Thanks for the report!