Re: security-constraint and error-page

2002-03-18 Thread rsequeira


Thanks Craig.

RS





"Craig R. McClanahan" <[EMAIL PROTECTED]> on 03/18/2002 11:40:51 AM

Please respond to "Tomcat Users List" <[EMAIL PROTECTED]>

To:   Tomcat Users List <[EMAIL PROTECTED]>
cc:




On Mon, 18 Mar 2002 [EMAIL PROTECTED] wrote:

> Date: Mon, 18 Mar 2002 08:44:56 -0600
> From: [EMAIL PROTECTED]
> Reply-To: Tomcat Users List <[EMAIL PROTECTED]>
> To: Tomcat Users List <[EMAIL PROTECTED]>
> Subject: Re: security-constraint and error-page
>
>
> Thanks Craig. But I was wondering if there was some way where we could
> intercept the container generated 401 response before it is sent to the
> browser. And after a certain count, send a 200 OK response with some page
> describing that the user does not have access to that resource.
> Correct me if I'm wrong, but my understanding was that the number of times
> the server responds with a 401 is dependent on the server (Tomcat, in our
> case). Or is it actually? Tomcat sends a 401 Unauthorized response twice
> (if the userid/password is incorrect) and after the third incorrect
> attempt, Tomcat sends a page back. Is the status code associated with the
> fourth response a "401 Unauthorized" still or is it some other code since I
> thought if the browser receives a 401, it displays the login dialog box.
> According to the HTTP/1.1 rfc:
> "If the 401 response contains the same challenge as the prior response, and
> the user agent has already attempted authentication at least once, then the
> user SHOULD be presented the entity that was given in the response, since
> that entity MAY include relevant diagnostic information."
> With regards to the above quote, does this mean that the browser on
> receiving the fourth "401 Unauthorized" displays the page that came along
> with it?
>

You can intercept this, but you'll need to do it with Tomcat-specific
mechanisms (since authentication is happening before your application's
servlets are ever invoked).  Authentication is implemented by Valves
inside of Tomcat (very similar to Filters at the web application level),
so you can write and install a Valve of your own that is invoked before
authentication to do this kind of interception.

To get further, you'll need to download the Tomcat 4 source distribution
and look at the org.apache.catalina.Valve interface.

> Thanks.
> RS

Craig


--
To unsubscribe:   <mailto:[EMAIL PROTECTED]>
For additional commands: <mailto:[EMAIL PROTECTED]>
Troubles with the list: <mailto:[EMAIL PROTECTED]>













Re: security-constraint and error-page

2002-03-18 Thread Craig R. McClanahan



On Mon, 18 Mar 2002 [EMAIL PROTECTED] wrote:

> Date: Mon, 18 Mar 2002 08:44:56 -0600
> From: [EMAIL PROTECTED]
> Reply-To: Tomcat Users List <[EMAIL PROTECTED]>
> To: Tomcat Users List <[EMAIL PROTECTED]>
> Subject: Re: security-constraint and error-page
>
>
> Thanks Craig. But I was wondering if there was some way where we could
> intercept the container generated 401 response before it is sent to the
> browser. And after a certain count, send a 200 OK response with some page
> describing that the user does not have access to that resource.
> Correct me if I'm wrong, but my understanding was that the number of times
> the server responds with a 401 is dependent on the server (Tomcat, in our
> case). Or is it actually? Tomcat sends a 401 Unauthorized response twice
> (if the userid/password is incorrect) and after the third incorrect
> attempt, Tomcat sends a page back. Is the status code associated with the
> fourth response a "401 Unauthorized" still or is it some other code since I
> thought if the browser receives a 401, it displays the login dialog box.
> According to the HTTP/1.1 rfc:
> "If the 401 response contains the same challenge as the prior response, and
> the user agent has already attempted authentication at least once, then the
> user SHOULD be presented the entity that was given in the response, since
> that entity MAY include relevant diagnostic information."
> With regards to the above quote, does this mean that the browser on
> receiving the fourth "401 Unauthorized" displays the page that came along
> with it?
>

You can intercept this, but you'll need to do it with Tomcat-specific
mechanisms (since authentication is happening before your application's
servlets are ever invoked).  Authentication is implemented by Valves
inside of Tomcat (very similar to Filters at the web application level),
so you can write and install a Valve of your own that is invoked before
authentication to do this kind of interception.

To get further, you'll need to download the Tomcat 4 source distribution
and look at the org.apache.catalina.Valve interface.

> Thanks.
> RS

Craig






Re: security-constraint and error-page

2002-03-18 Thread rsequeira


Thanks Craig. But I was wondering if there was some way where we could
intercept the container generated 401 response before it is sent to the
browser. And after a certain count, send a 200 OK response with some page
describing that the user does not have access to that resource.
Correct me if I'm wrong, but my understanding was that the number of times
the server responds with a 401 is dependent on the server (Tomcat, in our
case). Or is it actually? Tomcat sends a 401 Unauthorized response twice
(if the userid/password is incorrect) and after the third incorrect
attempt, Tomcat sends a page back. Is the status code associated with the
fourth response a "401 Unauthorized" still or is it some other code since I
thought if the browser receives a 401, it displays the login dialog box.
According to the HTTP/1.1 rfc:
"If the 401 response contains the same challenge as the prior response, and
the user agent has already attempted authentication at least once, then the
user SHOULD be presented the entity that was given in the response, since
that entity MAY include relevant diagnostic information."
With regards to the above quote, does this mean that the browser on
receiving the fourth "401 Unauthorized" displays the page that came along
with it?

Thanks.
RS





"Craig R. McClanahan" <[EMAIL PROTECTED]> on 03/16/2002 04:16:31 PM

Please respond to "Tomcat Users List" <[EMAIL PROTECTED]>

To:   Tomcat Users List <[EMAIL PROTECTED]>
cc:

Subject:  Re: security-constraint and error-page



On Sat, 16 Mar 2002 [EMAIL PROTECTED] wrote:

> Date: Sat, 16 Mar 2002 15:18:34 -0600
> From: [EMAIL PROTECTED]
> Reply-To: Tomcat Users List <[EMAIL PROTECTED]>
> To: Tomcat Users List <[EMAIL PROTECTED]>
> Subject: Re: security-constraint and error-page
>
>
> HAFAIK, when the webserver responds with a 401 Unauthorized error,
> the browser shows up an authentication dialog box. But since you have
> configured a 401 error page directive in the web.xml, I think Tomcat
> generates a 401 UnAuthorized response but then like a 404 custom error page
> redirect,  it redirects to the notauthorized.jsp instead of sending a 401
> response to the client.
> I think what you desire is something like this (correct me if I'm wrong):
> Tomcat should send a 401 response at least 3 times (or more) and then
> display a "You are Unauthorized" page back.
> I don't know how to do this in web.xml. Maybe writing a wrapper or filter
> would help. Need to check the code that does Basic Authentication. I think
> it should have some clues. Craig McClanahan is the author of the code.
> Hopefully he throws some light on this topic. I know he's online :-)
>

:-)

Tomcat 4.0.1 had a problem with creating a custom error page for
container-generated status messages like a 401.  This was fixed in 4.0.2
and 4.0.3.

However, it's not going to do you any good if you are using BASIC
authentication -- browsers generally just pop up the login dialog box and
don't show the page that came along with it -- and there's nothing Tomcat
can do about that.  If you really want to control the look and feel of the
login page, you should use form-based authentication instead of BASIC.

> Thanks.
> RS

Craig

>
>
>
>
>
> [EMAIL PROTECTED] on 03/12/2002 09:33:47 PM
>
> Please respond to "Tomcat Users List" <[EMAIL PROTECTED]>
>
> To:   [EMAIL PROTECTED]
> cc:
>
> Subject:  security-constraint and error-page
>
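> I've set up a security constraint, with basic authentication, in a memory
> realm.  It works as expected until I add an error page for the 401 error
> code (unauthorized). Then, when I request the page, I get the 401 error
> page automatically and am never prompted to log in.  I was expecting to get
> the 401 error page only if I supplied an incorrect login.
>
> What am I doing wrong?  (Win2000pro, Tomcat 4.0.3, jdk 1.4)   Here is a
> portion of my web.xml:
>
>   <error-page>
>     <error-code>401</error-code>
>     <location>/notauthorized.jsp</location>
>   </error-page>
>
>   <security-constraint>
>     <web-resource-collection>
>       <web-resource-name>BrawnerLau Website</web-resource-name>
>       <url-pattern>/adminentry.jsp</url-pattern>
>     </web-resource-collection>
>     <auth-constraint>
>       <role-name>brawnerlau</role-name>
>     </auth-constraint>
>   </security-constraint>
>
>   <login-config>
>     <auth-method>BASIC</auth-method>
>     <realm-name>BrawnerLau Website</realm-name>
>   </login-config>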
>
>
> Thanks,
>
> Jason E. Brawner
> Silenus Group
> (248) 735-8077
>
>




Re: security-constraint and error-page

2002-03-16 Thread Craig R. McClanahan



On Sat, 16 Mar 2002 [EMAIL PROTECTED] wrote:

> Date: Sat, 16 Mar 2002 15:18:34 -0600
> From: [EMAIL PROTECTED]
> Reply-To: Tomcat Users List <[EMAIL PROTECTED]>
> To: Tomcat Users List <[EMAIL PROTECTED]>
> Subject: Re: security-constraint and error-page
>
>
> HAFAIK, when the webserver responds with a 401 Unauthorized error,
> the browser shows up an authentication dialog box. But since you have
> configured a 401 error page directive in the web.xml, I think Tomcat
> generates a 401 UnAuthorized response but then like a 404 custom error page
> redirect,  it redirects to the notauthorized.jsp instead of sending a 401
> response to the client.
> I think what you desire is something like this (correct me if I'm wrong):
> Tomcat should send a 401 response at least 3 times (or more) and then
> display a "You are Unauthorized" page back.
> I don't know how to do this in web.xml. Maybe writing a wrapper or filter
> would help. Need to check the code that does Basic Authentication. I think
> it should have some clues. Craig McClanahan is the author of the code.
> Hopefully he throws some light on this topic. I know he's online :-)
>

:-)

Tomcat 4.0.1 had a problem with creating a custom error page for
container-generated status messages like a 401.  This was fixed in 4.0.2
and 4.0.3.

However, it's not going to do you any good if you are using BASIC
authentication -- browsers generally just pop up the login dialog box and
don't show the page that came along with it -- and there's nothing Tomcat
can do about that.  If you really want to control the look and feel of the
login page, you should use form-based authentication instead of BASIC.

> Thanks.
> RS

Craig

>
>
>
>
>
> [EMAIL PROTECTED] on 03/12/2002 09:33:47 PM
>
> Please respond to "Tomcat Users List" <[EMAIL PROTECTED]>
>
> To:   [EMAIL PROTECTED]
> cc:
>
> Subject:  security-constraint and error-page
>
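> I've set up a security constraint, with basic authentication, in a memory
> realm.  It works as expected until I add an error page for the 401 error
> code (unauthorized). Then, when I request the page, I get the 401 error
> page automatically and am never prompted to log in.  I was expecting to get
> the 401 error page only if I supplied an incorrect login.
>
> What am I doing wrong?  (Win2000pro, Tomcat 4.0.3, jdk 1.4)   Here is a
> portion of my web.xml:
>
>   <error-page>
>     <error-code>401</error-code>
>     <location>/notauthorized.jsp</location>
>   </error-page>
>
>   <security-constraint>
>     <web-resource-collection>
>       <web-resource-name>BrawnerLau Website</web-resource-name>
>       <url-pattern>/adminentry.jsp</url-pattern>
>     </web-resource-collection>
>     <auth-constraint>
>       <role-name>brawnerlau</role-name>
>     </auth-constraint>
>   </security-constraint>
>
>   <login-config>
>     <auth-method>BASIC</auth-method>
>     <realm-name>BrawnerLau Website</realm-name>
>   </login-config>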
>
>
> Thanks,
>
> Jason E. Brawner
> Silenus Group
> (248) 735-8077
>
>
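
Added example (not part of the original thread, and not the poster's actual configuration): the web.xml fragment from the original question switched from BASIC to form-based authentication, as suggested in the reply above. The page name /login.jsp is an assumption; /notauthorized.jsp is reused from the original error-page entry, so it is shown only after a failed login, which is the behaviour the original poster expected.

```xml
<!-- Added example: web.xml fragment (Servlet 2.3 / Tomcat 4 element names). -->

<!-- Unchanged from the original post: protect /adminentry.jsp for one role. -->
<security-constraint>
  <web-resource-collection>
    <web-resource-name>BrawnerLau Website</web-resource-name>
    <url-pattern>/adminentry.jsp</url-pattern>
  </web-resource-collection>
  <auth-constraint>
    <role-name>brawnerlau</role-name>
  </auth-constraint>
</security-constraint>

<!-- Before (from the original post): BASIC, where the browser's own dialog
     hides any page body sent with the 401.
<login-config>
  <auth-method>BASIC</auth-method>
  <realm-name>BrawnerLau Website</realm-name>
</login-config>
-->

<!-- After: FORM. The container shows form-login-page when an unauthenticated
     user requests the protected URL, and form-error-page only after a
     failed login. /login.jsp is an assumed name. -->
<login-config>
  <auth-method>FORM</auth-method>
  <realm-name>BrawnerLau Website</realm-name>
  <form-login-config>
    <form-login-page>/login.jsp</form-login-page>
    <form-error-page>/notauthorized.jsp</form-error-page>
  </form-login-config>
</login-config>

<!-- /login.jsp (assumed) must post the container-defined fields:
     <form method="POST" action="j_security_check">
       <input type="text" name="j_username">
       <input type="password" name="j_password">
       <input type="submit" value="Log in">
     </form>
     The 401 error-page entry from the original post is dropped, since FORM
     login does not answer with a 401 challenge. -->
```

As with BASIC, the form posts the password in recoverable form, so the login page should be served over SSL.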




Re: security-constraint and error-page

2002-03-16 Thread rsequeira


HAFAIK, when the webserver responds with a 401 Unauthorized error,
the browser shows up an authentication dialog box. But since you have
configured a 401 error page directive in the web.xml, I think Tomcat
generates a 401 UnAuthorized response but then like a 404 custom error page
redirect,  it redirects to the notauthorized.jsp instead of sending a 401
response to the client.
I think what you desire is something like this (correct me if I'm wrong):
Tomcat should send a 401 response at least 3 times (or more) and then
display a "You are Unauthorized" page back.
I don't know how to do this in web.xml. Maybe writing a wrapper or filter
would help. Need to check the code that does Basic Authentication. I think
it should have some clues. Craig McClanahan is the author of the code.
Hopefully he throws some light on this topic. I know he's online :-)

Thanks.
RS





[EMAIL PROTECTED] on 03/12/2002 09:33:47 PM

Please respond to "Tomcat Users List" <[EMAIL PROTECTED]>

To:   [EMAIL PROTECTED]
cc:

Subject:  security-constraint and error-page

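I've set up a security constraint, with basic authentication, in a memory
realm.  It works as expected until I add an error page for the 401 error
code (unauthorized). Then, when I request the page, I get the 401 error
page automatically and am never prompted to log in.  I was expecting to get
the 401 error page only if I supplied an incorrect login.

What am I doing wrong?  (Win2000pro, Tomcat 4.0.3, jdk 1.4)   Here is a
portion of my web.xml:

  <error-page>
    <error-code>401</error-code>
    <location>/notauthorized.jsp</location>
  </error-page>

  <security-constraint>
    <web-resource-collection>
      <web-resource-name>BrawnerLau Website</web-resource-name>
      <url-pattern>/adminentry.jsp</url-pattern>
    </web-resource-collection>
    <auth-constraint>
      <role-name>brawnerlau</role-name>
    </auth-constraint>
  </security-constraint>

  <login-config>
    <auth-method>BASIC</auth-method>
    <realm-name>BrawnerLau Website</realm-name>
  </login-config>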


Thanks,

Jason E. Brawner
Silenus Group
(248) 735-8077






security-constraint and error-page

2002-03-12 Thread JBrawner

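I've set up a security constraint, with basic authentication, in a memory
realm.  It works as expected until I add an error page for the 401 error
code (unauthorized). Then, when I request the page, I get the 401 error
page automatically and am never prompted to log in.  I was expecting to get
the 401 error page only if I supplied an incorrect login.

What am I doing wrong?  (Win2000pro, Tomcat 4.0.3, jdk 1.4)   Here is a
portion of my web.xml:

  <error-page>
    <error-code>401</error-code>
    <location>/notauthorized.jsp</location>
  </error-page>

  <security-constraint>
    <web-resource-collection>
      <web-resource-name>BrawnerLau Website</web-resource-name>
      <url-pattern>/adminentry.jsp</url-pattern>
    </web-resource-collection>
    <auth-constraint>
      <role-name>brawnerlau</role-name>
    </auth-constraint>
  </security-constraint>

  <login-config>
    <auth-method>BASIC</auth-method>
    <realm-name>BrawnerLau Website</realm-name>
  </login-config>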


Thanks,

Jason E. Brawner
Silenus Group
(248) 735-8077

