Thanks Craig. But I was wondering if there was some way we could intercept the container-generated 401 response before it is sent to the browser, and after a certain count send a 200 OK response with some page describing that the user does not have access to that resource.

Correct me if I'm wrong, but my understanding was that the number of times the server responds with a 401 is dependent on the server (Tomcat, in our case). Or is it actually? Tomcat sends a 401 Unauthorized response twice (if the userid/password is incorrect) and after the third incorrect attempt, Tomcat sends a page back. Is the status code associated with the fourth response still a "401 Unauthorized", or is it some other code, since I thought that if the browser receives a 401, it displays the login dialog box?

According to the HTTP/1.1 RFC:

"If the 401 response contains the same challenge as the prior response, and the user agent has already attempted authentication at least once, then the user SHOULD be presented the entity that was given in the response, since that entity MAY include relevant diagnostic information."

With regard to the above quote, does this mean that the browser, on receiving the fourth "401 Unauthorized", displays the page that came along with it?
Thanks.
RS


"Craig R. McClanahan" <[EMAIL PROTECTED]> on 03/16/2002 04:16:31 PM

Please respond to "Tomcat Users List" <[EMAIL PROTECTED]>

To:      Tomcat Users List <[EMAIL PROTECTED]>
cc:
Subject: Re: security-constraint and error-page


On Sat, 16 Mar 2002 [EMAIL PROTECTED] wrote:

> Date: Sat, 16 Mar 2002 15:18:34 -0600
> From: [EMAIL PROTECTED]
> Reply-To: Tomcat Users List <[EMAIL PROTECTED]>
> To: Tomcat Users List <[EMAIL PROTECTED]>
> Subject: Re: security-constraint and error-page
>
> Hmmmm....AFAIK, when the webserver responds with a 401 Unauthorized error,
> the browser shows an authentication dialog box. But since you have
> configured a 401 error page directive in the web.xml, I think Tomcat
> generates a 401 Unauthorized response but then, like a 404 custom error page
> redirect, it redirects to the notauthorized.jsp instead of sending a 401
> response to the client.
>
> I think what you desire is something like this (correct me if I'm wrong):
> Tomcat should send a 401 response at least 3 times (or more) and then
> display a "You are Unauthorized" page back.
>
> I don't know how to do this in web.xml. Maybe writing a wrapper or filter
> would help. Need to check the code that does Basic Authentication. I think
> it should have some clues. Craig McClanahan is the author of the code.
> Hopefully he throws some light on this topic. I know he's online :-)
>

:-)

Tomcat 4.0.1 had a problem with creating a custom error page for
container-generated status messages like a 401. This was fixed in 4.0.2
and 4.0.3.

However, it's not going to do you any good if you are using BASIC
authentication -- browsers generally just pop up the login dialog box and
don't show the page that came along with it -- and there's nothing Tomcat
can do about that.

If you really want to control the look and feel of the login page, you
should use form-based authentication instead of BASIC.

> Thanks.
> RS

Craig

>
>
> [EMAIL PROTECTED] on 03/12/2002 09:33:47 PM
>
> Please respond to "Tomcat Users List" <[EMAIL PROTECTED]>
>
> To:      [EMAIL PROTECTED]
> cc:
> Subject: security-constraint and error-page
>
> I've set up a security constraint, with basic authentication, in a memory
> realm. It works as expected until I add an error page for the 401 error
> code (unauthorized). Then, when I request the page, I get the 401 error
> page automatically and am never prompted to login. I was expecting to get
> the 401 error page only if I supplied an incorrect login.
>
> What am I doing wrong? (Win2000pro, Tomcat 4.0.3, jdk 1.4) Here is a
> portion of my web.xml:
>
>   <error-page>
>     <error-code>401</error-code>
>     <location>/notauthorized.jsp</location>
>   </error-page>
>
>   <security-constraint>
>     <web-resource-collection>
>       <web-resource-name>BrawnerLau Website</web-resource-name>
>       <url-pattern>/adminentry.jsp</url-pattern>
>     </web-resource-collection>
>     <auth-constraint>
>       <role-name>brawnerlau</role-name>
>     </auth-constraint>
>   </security-constraint>
>
>   <login-config>
>     <auth-method>BASIC</auth-method>
>     <realm-name>BrawnerLau Website</realm-name>
>   </login-config>
>
>
> Thanks,
>
> Jason E. Brawner
> Silenus Group
> (248) 735-8077
>
>
> --
> To unsubscribe:   <mailto:[EMAIL PROTECTED]>
> For additional commands: <mailto:[EMAIL PROTECTED]>
> Troubles with the list: <mailto:[EMAIL PROTECTED]>
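For reference, here is the form-based alternative Craig recommends, written out as a complete web.xml. This is an added example, not part of the thread or of Tomcat's own documentation; it reuses the role name, URL pattern and realm name from Jason's web.xml, and the paths /login.jsp, /loginfailed.jsp and /notauthorized.jsp are assumptions. With FORM authentication the container serves the login page itself with a normal 200 response rather than a 401 challenge, so the browser never pops up a dialog and the application controls every page the user sees.

```xml
<?xml version="1.0" encoding="ISO-8859-1"?>
<!DOCTYPE web-app PUBLIC
  "-//Sun Microsystems, Inc.//DTD Web Application 2.3//EN"
  "http://java.sun.com/dtd/web-app_2_3.dtd">

<!-- Added example (not from the thread): FORM login instead of BASIC.
     Element order follows the Servlet 2.3 DTD: error-page must precede
     security-constraint, login-config and security-role. -->
<web-app>

  <!-- Under FORM auth a wrong password never produces a 401; it lands on
       form-error-page. A 403 is still sent when a user authenticates but
       does not hold the required role, so map that one instead.
       /notauthorized.jsp is an assumed path. -->
  <error-page>
    <error-code>403</error-code>
    <location>/notauthorized.jsp</location>
  </error-page>

  <!-- Same protected resource and role as in Jason's web.xml. -->
  <security-constraint>
    <web-resource-collection>
      <web-resource-name>BrawnerLau Website</web-resource-name>
      <url-pattern>/adminentry.jsp</url-pattern>
    </web-resource-collection>
    <auth-constraint>
      <role-name>brawnerlau</role-name>
    </auth-constraint>
  </security-constraint>

  <!-- FORM replaces BASIC. The two pages are assumed paths; they must live
       inside this web app and must NOT match any security-constraint above,
       or an unauthenticated user can never reach the login form. -->
  <login-config>
    <auth-method>FORM</auth-method>
    <realm-name>BrawnerLau Website</realm-name>
    <form-login-config>
      <form-login-page>/login.jsp</form-login-page>
      <form-error-page>/loginfailed.jsp</form-error-page>
    </form-login-config>
  </login-config>

  <!-- Declare the role referenced by the auth-constraint. -->
  <security-role>
    <role-name>brawnerlau</role-name>
  </security-role>

</web-app>
```

The login page itself is an ordinary HTML form that POSTs to the Servlet-specification action j_security_check with input fields named j_username and j_password; the container intercepts that POST, checks the realm, and either forwards the user to the page they originally asked for or renders form-error-page. Two practical notes for the approach RS describes in the first message: the "count the 401s in a Filter" idea does not work with container-managed authentication, because Tomcat's authenticator valve rejects the request before the servlet filter chain is ever invoked, so a Filter never sees the challenge; and with FORM auth there is nothing to count anyway, since every failed attempt is just another 200 response carrying loginfailed.jsp, which is exactly the "you do not have access" page RS wanted to serve.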