John,

John Caron wrote:
> Christopher Schultz wrote:
>> Also, you could set the error page that is used when a user doesn't have
>> the proper credentials to something that gives you the opportunity to
>> re-login in order to access the forbidden resource. When you want to log
>> someone out of BASIC authentication, you have to send a blank
>> "WWW-Authenticate" header to the client, just the same way that Tomcat
>> would do if you weren't already authenticated.
>
> Is there a way to tell Tomcat to send a blank "WWW-Authenticate" header
> to the client when authorization fails?

Do you really mean authentication? Forcibly logging a user out doesn't
sound right if they hit a page they're not supposed to see... usually a
simple FORBIDDEN status is sufficient.

> I would like to not use FORM authentication.

If you want to use WWW-Authenticate instead of FORM auth, then simply
change your <auth-method> in web.xml from FORM to BASIC. Tomcat will
handle the details of providing the WWW-Authenticate HTTP status when
appropriate.

-chris