On Sat, 16 Mar 2002 [EMAIL PROTECTED] wrote:

> Date: Sat, 16 Mar 2002 15:18:34 -0600
> From: [EMAIL PROTECTED]
> Reply-To: Tomcat Users List <[EMAIL PROTECTED]>
> To: Tomcat Users List <[EMAIL PROTECTED]>
> Subject: Re: security-constraint and error-page
>
>
> Hmmmm....AFAIK, when the webserver responds with a 401 Unauthorized error,
> the browser shows up an authentication dialog box. But since you have
> configured a 401 error page directive in the web.xml, I think Tomcat
> generates a 401 Unauthorized response but then like a 404 custom error page
> redirect, it redirects to the notauthorized.jsp instead of sending a 401
> response to the client.
> I think what you desire is something like this (correct me if I'm wrong):
> Tomcat should send a 401 response at least 3 times (or more) and then
> display a "You are Unauthorized" page back.
> I don't know how to do this in web.xml. Maybe writing a wrapper or filter
> would help. Need to check the code that does Basic Authentication. I think
> it should have some clues. Craig McClanahan is the author of the code.
> Hopefully he throws some light on this topic. I know he's online :-)
>

:-)

Tomcat 4.0.1 had a problem with creating a custom error page for
container-generated status messages like a 401.  This was fixed in 4.0.2
and 4.0.3.

However, it's not going to do you any good if you are using BASIC
authentication -- browsers generally just pop up the login dialog box and
don't show the page that came along with it -- and there's nothing Tomcat
can do about that.  If you really want to control the look and feel of the
login page, you should use form-based authentication instead of BASIC.

> Thanks.
> RS

Craig

>
> [EMAIL PROTECTED] on 03/12/2002 09:33:47 PM
>
> Please respond to "Tomcat Users List" <[EMAIL PROTECTED]>
>
> To:   [EMAIL PROTECTED]
> cc:
>
> Subject:  security-constraint and error-page
>
> I've set up a security constraint, with basic authentication, in a memory
> realm.  It works as expected until I add an error page for the 401 error
> code (unauthorized). Then, when I request the page, I get the 401 error
> page automatically and am never prompted to log in.  I was expecting to get
> the 401 error page only if I supplied an incorrect login.
>
> What am I doing wrong?  (Win2000pro, Tomcat 4.0.3, jdk 1.4)  Here is a
> portion of my web.xml:
>
>   <error-page>
>     <error-code>401</error-code>
>     <location>/notauthorized.jsp</location>
>   </error-page>
>
>   <security-constraint>
>     <web-resource-collection>
>       <web-resource-name>BrawnerLau Website</web-resource-name>
>       <url-pattern>/adminentry.jsp</url-pattern>
>     </web-resource-collection>
>     <auth-constraint>
>       <role-name>brawnerlau</role-name>
>     </auth-constraint>
>   </security-constraint>
>
>   <login-config>
>     <auth-method>BASIC</auth-method>
>     <realm-name>BrawnerLau Website</realm-name>
>   </login-config>
>
>
> Thanks,
>
> Jason E. Brawner
> Silenus Group
> (248) 735-8077
>
>
> --
> To unsubscribe:   <mailto:[EMAIL PROTECTED]>
> For additional commands: <mailto:[EMAIL PROTECTED]>
> Troubles with the list: <mailto:[EMAIL PROTECTED]>


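The form-based alternative recommended in the reply, applied to the web.xml from the original question. This is an added example, not part of the thread: /login.jsp is an assumed page name, the CONFIDENTIAL transport guarantee is an optional addition that assumes an SSL connector is configured, and the role, URL pattern and /notauthorized.jsp are taken from the original post.

```xml
<!-- Before (from the original post): BASIC authentication. The browser
     draws the login dialog itself, so a custom 401 page is not what the
     user sees.

<login-config>
  <auth-method>BASIC</auth-method>
  <realm-name>BrawnerLau Website</realm-name>
</login-config>
-->

<!-- After: FORM authentication. The container serves the application's own
     pages for the login prompt and for a failed login, so the 401
     error-page mapping is dropped. -->
<security-constraint>
  <web-resource-collection>
    <web-resource-name>BrawnerLau Website</web-resource-name>
    <url-pattern>/adminentry.jsp</url-pattern>
  </web-resource-collection>
  <auth-constraint>
    <role-name>brawnerlau</role-name>
  </auth-constraint>
  <!-- Optional (assumption: an SSL connector exists). Form login posts the
       password in the request body, so require an encrypted transport. -->
  <user-data-constraint>
    <transport-guarantee>CONFIDENTIAL</transport-guarantee>
  </user-data-constraint>
</security-constraint>

<login-config>
  <auth-method>FORM</auth-method>
  <realm-name>BrawnerLau Website</realm-name>
  <form-login-config>
    <!-- Assumed page name. Its form must POST to j_security_check with
         fields named j_username and j_password. -->
    <form-login-page>/login.jsp</form-login-page>
    <!-- Shown only after a failed login attempt, which is the behaviour
         the original poster expected from the 401 page. -->
    <form-error-page>/notauthorized.jsp</form-error-page>
  </form-login-config>
</login-config>

<security-role>
  <role-name>brawnerlau</role-name>
</security-role>
```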