Thanks Craig.

RS

"Craig R. McClanahan" <[EMAIL PROTECTED]> on 03/18/2002 11:40:51 AM

Please respond to "Tomcat Users List" <[EMAIL PROTECTED]>

To:   Tomcat Users List <[EMAIL PROTECTED]>

On Mon, 18 Mar 2002 [EMAIL PROTECTED] wrote:

> Date: Mon, 18 Mar 2002 08:44:56 -0600
> From: [EMAIL PROTECTED]
> Reply-To: Tomcat Users List <[EMAIL PROTECTED]>
> To: Tomcat Users List <[EMAIL PROTECTED]>
> Subject: Re: security-constraint and error-page
>
>
> Thanks Craig. But I was wondering if there was some way where we could
> intercept the container generated 401 response before it is sent to the
> browser. And after a certain count, send a 200 OK response with some page
> describing that the user does not have access to that resource.
> Correct me if I'm wrong, but my understanding was that the number of times
> the server responds with a 401 is dependent on the server (Tomcat, in our
> case). Or is it actually? Tomcat sends a 401 Unauthorized response twice
> (if the userid/password is incorrect) and after the third incorrect
> attempt, Tomcat sends a page back. Is the status code associated with the
> fourth response a "401 Unauthorized" still or is it some other code since I
> thought if the browser receives a 401, it displays the login dialog box.
> According to the HTTP/1.1 RFC:
> "If the 401 response contains the same challenge as the prior response, and
> the user agent has already attempted authentication at least once, then the
> user SHOULD be presented the entity that was given in the response, since
> that entity MAY include relevant diagnostic information."
> With regards to the above quote, does this mean that the browser on
> receiving the fourth "401 Unauthorized" displays the page that came along
> with it?
>

You can intercept this, but you'll need to do it with Tomcat-specific
mechanisms (since authentication is happening before your application's
servlets are ever invoked).  Authentication is implemented by Valves
inside of Tomcat (very similar to Filters at the web application level),
so you can write and install a Valve of your own that is invoked before
authentication to do this kind of interception.

To get further, you'll need to download the Tomcat 4 source distribution
and look at the org.apache.catalina.Valve interface.

> Thanks.
> RS

Craig


--
To unsubscribe:   <mailto:[EMAIL PROTECTED]>
For additional commands: <mailto:[EMAIL PROTECTED]>
Troubles with the list: <mailto:[EMAIL PROTECTED]>
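A sketch of the kind of Valve described above, added here as an example and not taken from the thread or from Tomcat's own code. It assumes the Tomcat 9 `ValveBase` API (`javax.servlet`) rather than the Tomcat 4 interface the thread refers to; the class name, threshold and window are hypothetical, and it answers 403 rather than 200 once the limit is reached.

```java
import java.io.IOException;
import java.util.concurrent.ConcurrentHashMap;
import java.util.concurrent.ConcurrentMap;
import javax.servlet.ServletException;
import javax.servlet.http.HttpServletResponse;
import org.apache.catalina.connector.Request;
import org.apache.catalina.connector.Response;
import org.apache.catalina.valves.ValveBase;

// Hypothetical valve: stops re-challenging a client after repeated failed logins.
// State is keyed by remote address, so clients behind one proxy share a counter.
public class FailedAuthValve extends ValveBase {
    private static final int MAX_FAILURES = 3;          // assumed threshold
    private static final long WINDOW_MS = 5 * 60_000L;  // assumed lockout window

    // remote address -> { failure count, time of first failure }
    private final ConcurrentMap<String, long[]> failures = new ConcurrentHashMap<>();

    @Override
    public void invoke(Request request, Response response)
            throws IOException, ServletException {
        String client = request.getRemoteAddr();
        long now = System.currentTimeMillis();

        // Forget failures older than the window so the map does not grow forever.
        failures.computeIfPresent(client, (k, v) -> now - v[1] > WINDOW_MS ? null : v);

        long[] state = failures.get(client);
        if (state != null && state[0] >= MAX_FAILURES) {
            // Short-circuit: the authenticator further down the pipeline never runs,
            // so no new 401 challenge (and no login dialog) is produced.
            response.sendError(HttpServletResponse.SC_FORBIDDEN,
                    "Too many failed login attempts");
            return;
        }

        getNext().invoke(request, response); // authentication happens in here

        // The first 401 is only the challenge; count a failure only when the
        // request actually carried credentials and was still rejected.
        if (request.getHeader("Authorization") == null) {
            return;
        }
        if (response.getStatus() == HttpServletResponse.SC_UNAUTHORIZED) {
            failures.merge(client, new long[] {1, now},
                    (old, one) -> new long[] {old[0] + 1, old[1]});
        } else {
            failures.remove(client); // accepted credentials reset the counter
        }
    }
}
```

The valve has to sit ahead of the authenticator in the pipeline, for example declared with a `<Valve className="..."/>` element on the enclosing `<Host>`.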








