Hi,
I ran into similar problems with IE too.
Apparently your "setStatus()" call sets the first WWW-Authenticate header,
after that the following "setHeader()" sends the second.
Try the following calls, which I use and which could solve your problem:
    response.setHeader("WWW-Authenticate", "BASIC realm=\"yourRealm\"");
    response.sendError(HttpServletResponse.SC_UNAUTHORIZED,
        "Message to explain to the user why he cannot log in");
Hopefully the server will not add a second "WWW-Authenticate" header if
you already gave it one, or the browser will find yours first and ignore
the second ("NTLM" stuff..)
Cezar.
On Tue, 9 Mar 1999, Lame, John wrote:
> I've run into what I consider to be a bizarre problem in that it
> only shows up when I'm using Internet Explorer to access
> a servlet running under IIS (using JRun but I don't believe that
> that is relevant). If I switch to either a different Browser, or
> a different Server, the problem goes away. Only the two
> working together causes difficulty.
>
> We have a Servlet which checks for Authorization using
>
> String login = req.getHeader("Authorization");
> and, if login is null or invalid, sends back
> res.setStatus(HttpServletResponse.SC_UNAUTHORIZED);
> res.setHeader("WWW-Authenticate", "BASIC realm=\"" + realmCode() +
> "\"");
>
> This works great using JRun under Netscape Enterprise Server
> with any Browser and works just fine using JRun under IIS as
> long as the Browser isn't Internet Explorer. However, the
> combination of IIS together with Internet Explorer leads to disaster.
> After tearing my hair out for several hours, I finally discovered the
> following problem. When the servlet sends an SC_UNAUTHORIZED
> through IIS and back to the browser, the actual header received by
> the browser is this. (Extra quotes around Keys and Values are mine.)
>
> "Server"="Microsoft-IIS/4.0"
> "Date"="Wed, 10 Mar 1999 00:07:08 GMT"
> "Connection"="keep-alive"
> "WWW-Authenticate"="NTLM"
> "Content-Type"="text/html"
> "Content-Length"="265"
> "WWW-Authenticate"="BASIC realm="xtLqRyz293""
> "Connection"="Keep-alive"
>
> Apparently IIS is prepending an additional request for authorization
> to the header (thanks a lot bill!). Now if the browser is anything
> other than Internet Explorer, this is not a problem since the "NTLM"
> (NT Lan Manager) Authorization Type is apparently ignored and a
> nice Base64 encoded "username:password" string is sent back.
> However, if the Browser is Internet Explorer, then it sends back
> something completely different. I have no idea how to decode the
> result (is that information available somewhere?) and I don't really
> want to, since, what I'd really like to do is prevent IIS from prepending
> its own WWW-Authenticate line in the first place. Is there any way
> to do this or am I going to be forced to abandon HTTP authentication
> entirely?
>
> Thoughts?
> John
>
> ___________________________________________________________________________
> To unsubscribe, send email to [EMAIL PROTECTED] and include in the body
> of the message "signoff SERVLET-INTEREST".
>
> Archives: http://archives.java.sun.com/archives/servlet-interest.html
> Resources: http://java.sun.com/products/servlet/external-resources.html
> LISTSERV Help: http://www.lsoft.com/manuals/user/user.html
>
Cezar Totth email: [EMAIL PROTECTED]
Fax: (401) 220 33 95
Genesys Software Romania Phone: (401) 638 49 44
Stefan Furtuna 169, sect.6
cod 77171, Bucharest
Romania
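
Added example, not part of either poster's message: whatever challenge ends up on the wire, the servlet can still receive an Authorization header whose scheme is not Basic (as with the NTLM reply described above), so the check should look at the scheme before decoding and re-challenge on anything else. The class and method names are hypothetical, the sample headers are constructed, and ISO-8859-1 is an assumed credential charset.

```java
import java.nio.charset.StandardCharsets;
import java.util.Base64;
import java.util.Optional;

/** Added example: scheme-aware handling of the Authorization header. */
public class BasicAuthHeader {

    /** Returns {user, password} only for a well-formed Basic credential. */
    static Optional<String[]> parseBasic(String header) {
        if (header == null) return Optional.empty();
        String[] parts = header.trim().split("\\s+", 2);
        // Scheme names are case-insensitive; NTLM, Negotiate etc. are rejected here.
        if (parts.length != 2 || !parts[0].equalsIgnoreCase("Basic")) {
            return Optional.empty();
        }
        byte[] raw;
        try {
            raw = Base64.getDecoder().decode(parts[1].trim());
        } catch (IllegalArgumentException e) {
            return Optional.empty();            // payload is not valid Base64
        }
        String creds = new String(raw, StandardCharsets.ISO_8859_1);
        int colon = creds.indexOf(':');         // the password may itself contain ':'
        if (colon < 1) return Optional.empty(); // no separator or empty user name
        return Optional.of(new String[] {
            creds.substring(0, colon), creds.substring(colon + 1) });
    }

    public static void main(String[] args) {
        String good = "Basic " + Base64.getEncoder()
            .encodeToString("john:s3cret:x".getBytes(StandardCharsets.ISO_8859_1));
        String[] samples = {                    // constructed sample headers
            good,
            "NTLM TlRMTVNTUAABAAAA",            // constructed NTLM-style token
            "basic !!!not-base64!!!",
            null
        };
        for (String h : samples) {
            Optional<String[]> r = parseBasic(h);
            // An empty result means: answer 401 with the Basic challenge again.
            System.out.println(h + " -> "
                + (r.isPresent() ? "user=" + r.get()[0] : "re-challenge with 401"));
        }
    }
}
```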