Hmmmm.... AFAIK, when the webserver responds with a 401 Unauthorized error,
the browser shows an authentication dialog box. But since you have
configured a 401 error page directive in the web.xml, I think Tomcat
generates a 401 Unauthorized response but then, like a 404 custom error page
redirect, it redirects to the notauthorized.jsp instead of sending a 401
response to the client.
I think what you desire is something like this (correct me if I'm wrong):
Tomcat should send a 401 response at least 3 times (or more) and then
display a "You are Unauthorized" page back.
I don't know how to do this in web.xml. Maybe writing a wrapper or filter
would help. Need to check the code that does Basic Authentication. I think
it should have some clues. Craig McClanahan is the author of the code.
Hopefully he throws some light on this topic. I know he's online :-)

Thanks.
RS





[EMAIL PROTECTED] on 03/12/2002 09:33:47 PM

Please respond to "Tomcat Users List" <[EMAIL PROTECTED]>

To:   [EMAIL PROTECTED]
cc:

Subject:  security-constraint and error-page

I've set up a security constraint, with basic authentication, in a memory
realm.  It works as expected until I add an error page for the 401 error
code (unauthorized). Then, when I request the page, I get the 401 error
page automatically and am never prompted to login.  I was expecting to get
the 401 error page only if I supplied an incorrect login.

What am I doing wrong?  (Win2000pro, Tomcat 4.0.3, jdk 1.4)   Here is a
portion of my web.xml:

  <error-page>
    <error-code>401</error-code>
    <location>/notauthorized.jsp</location>
  </error-page>

  <security-constraint>
    <web-resource-collection>
      <web-resource-name>BrawnerLau Website</web-resource-name>
      <url-pattern>/adminentry.jsp</url-pattern>
    </web-resource-collection>
    <auth-constraint>
      <role-name>brawnerlau</role-name>
    </auth-constraint>
  </security-constraint>

  <login-config>
    <auth-method>BASIC</auth-method>
    <realm-name>BrawnerLau Website</realm-name>
  </login-config>


Thanks,

Jason E. Brawner
Silenus Group
(248) 735-8077


--
To unsubscribe:   <mailto:[EMAIL PROTECTED]>
For additional commands: <mailto:[EMAIL PROTECTED]>
Troubles with the list: <mailto:[EMAIL PROTECTED]>
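
Added example, not part of either message and not Tomcat code: a browser shows the Basic login dialog only when the response has status 401 together with a `WWW-Authenticate: Basic` header, so this Python check classifies a raw response to show which of the cases discussed in the thread a server is producing. The three sample responses are constructed for illustration, and the name `classify` is hypothetical.

```python
# Added example. The responses below are constructed samples, not captures from Tomcat.
CHALLENGE_WITH_PAGE = ('HTTP/1.1 401 Unauthorized\r\n'
                       'WWW-Authenticate: Basic realm="BrawnerLau Website"\r\n'
                       'Content-Type: text/html\r\n\r\n<html>Not authorized</html>')
PAGE_WITHOUT_CHALLENGE = ('HTTP/1.1 401 Unauthorized\r\n'
                          'Content-Type: text/html\r\n\r\n<html>Not authorized</html>')
REDIRECTED = 'HTTP/1.1 302 Found\r\nLocation: /notauthorized.jsp\r\n\r\n'


def classify(raw):
    """Return (browser_prompts, reason) for the reply to an unauthenticated request."""
    head, _, _body = raw.partition("\r\n\r\n")
    status_line, _, header_block = head.partition("\r\n")
    parts = status_line.split(" ", 2)
    if len(parts) < 2 or not parts[1].isdigit():
        raise ValueError("not an HTTP status line: %r" % status_line)
    status = int(parts[1])

    # Header names are case-insensitive and may repeat, so collect lists per name.
    headers = {}
    for line in header_block.split("\r\n"):
        name, sep, value = line.partition(":")
        if sep:
            headers.setdefault(name.strip().lower(), []).append(value.strip())

    # The auth scheme is the first token of each WWW-Authenticate value.
    schemes = [v.split(None, 1)[0].lower()
               for v in headers.get("www-authenticate", []) if v]

    if status == 401 and "basic" in schemes:
        return True, "401 with Basic challenge; body is shown only if the user cancels"
    if status == 401:
        return False, "401 without WWW-Authenticate: Basic; browser just renders the body"
    if 300 <= status < 400:
        target = headers.get("location", ["?"])[0]
        return False, "redirect to %s; the 401 never reaches the browser" % target
    return False, "status %d; no challenge" % status


if __name__ == "__main__":
    for label, raw in [("challenge + custom body", CHALLENGE_WITH_PAGE),
                       ("custom body, header lost", PAGE_WITHOUT_CHALLENGE),
                       ("redirect to error page", REDIRECTED)]:
        print(label, "->", classify(raw))
```
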








