Bug 37934 - Tomcat does not follow SRV 12.8.3 regarding empty auth-constraint
Product: Tomcat 5
Classification: Unclassified
Component: Catalina
Hardware/OS: All / Windows XP
Importance: P2 normal
Assigned To: Tomcat Developers Mailing List
Reported: 2005-12-16 07:22 UTC by Nam T. Nguyen
Modified: 2005-12-16 00:14 UTC

the test web archive (851 bytes, application/octet-stream)
2005-12-16 07:23 UTC, Nam T. Nguyen

Description Nam T. Nguyen 2005-12-16 07:22:30 UTC
Point 2 in Section SRV 12.8.3 in the servlet spec states that the container shall reject a request (403) if access to such a resource has been precluded by an empty auth-constraint element.

However, Tomcat up to 5.5.14 returns 401 in the test.

How to reproduce:
- Deploy attached file
- Visit http://localhost:8080/httpmethod/HTTPMethod/POST

This should not ask for any credential at all.
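
The rule the report cites, as an added example that is not part of the bug report, the attachment, or Tomcat's code: it evaluates a constructed web.xml fragment and returns the status the rule requires. The pattern and role names, the namespace-free XML, and the simplified prefix-only pattern matching are assumptions made for illustration.

```python
import xml.etree.ElementTree as ET

# Constructed web.xml fragment (assumption, not the attachment's contents).
WEB_XML = """<web-app>
  <security-constraint>
    <web-resource-collection>
      <web-resource-name>no-post</web-resource-name>
      <url-pattern>/HTTPMethod/*</url-pattern>
      <http-method>POST</http-method>
    </web-resource-collection>
    <auth-constraint/>  <!-- names no roles: access is precluded -->
  </security-constraint>
  <security-constraint>
    <web-resource-collection>
      <web-resource-name>admin</web-resource-name>
      <url-pattern>/admin/*</url-pattern>
    </web-resource-collection>
    <auth-constraint><role-name>admin</role-name></auth-constraint>
  </security-constraint>
</web-app>"""

def load_constraints(xml_text):
    """Return (pattern, methods, roles); roles is None if auth-constraint is absent."""
    out = []
    for sc in ET.fromstring(xml_text).iter("security-constraint"):
        auth = sc.find("auth-constraint")
        roles = None if auth is None else {r.text.strip() for r in auth.iter("role-name")}
        for wrc in sc.iter("web-resource-collection"):
            methods = {m.text.strip() for m in wrc.iter("http-method")}
            out.extend((p.text.strip(), methods, roles) for p in wrc.iter("url-pattern"))
    return out

def decide(constraints, path, method, user_roles=None):
    """Status for a request; user_roles=None means unauthenticated, 200 means accepted.
    Simplification: only '/prefix/*' patterns, no best-match selection."""
    hits = [roles for pat, methods, roles in constraints
            if pat.endswith("/*") and path.startswith(pat[:-1])
            and (not methods or method in methods)]  # no http-method = all methods
    if not hits:
        return 200                      # pattern or method not constrained
    if any(roles is not None and not roles for roles in hits):
        return 403                      # precluded: credentials cannot help, so no 401
    if any(roles is None for roles in hits):
        return 200                      # constraint without an auth-constraint
    if user_roles is None:
        return 401                      # restricted to roles, not yet authenticated
    return 200 if set().union(*hits) & set(user_roles) else 403

CONSTRAINTS = load_constraints(WEB_XML)
```

The precluded case is checked before authentication state is considered, which is why a POST to the constrained path yields 403 whether or not the caller has logged in.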
Comment 1 Nam T. Nguyen 2005-12-16 07:23:20 UTC
Created attachment 17230
the test web archive
Comment 2 william.barker 2005-12-16 09:14:19 UTC
This is fixed now in SVN trunk, and will appear in 5.5.15.

Thanks for the report!