Caldarale, Charles R wrote:
Since there doesn't seem to be any means of the 401.jsp to interact with
the declared <Realm> to determine or specify the other necessary
attributes for a digest 401 response (e.g., the nonce), it looks like
it's impossible at this time to use a custom 401 handler with
container-managed digest authentication.

I see your point. Given that, I think the real problem is that we have two descriptors in web.xml that can be in conflict (<login-config> and <error-page>) in a certain situation (when digest authentication is specified in <login-config>). Of course once you know the answer, the path to it is quite obvious. So I'm slapping my forehead and thinking I should have realized much sooner that the realm name confusion was the cause of the digest authentication problem.

But we should also ask if there is something here that makes human error more likely and should be corrected. I know that HTTP 401 response messages, although classified as error messages, are sent as a normal response to request messages without authorization headers. Nevertheless I didn't think about the <error-page> descriptor as possibly affecting my <login-config> descriptor, and fooled myself into thinking I had the manager app configured identically to the one that was working.

So perhaps the documentation should point out that these two descriptors can be in conflict. (Maybe it does already, and I didn't notice.) Or would it make sense for Tomcat to ignore the <error-page> descriptor if digest authentication is specified in the <login-config> descriptor? One of these descriptors is going to, in effect, cancel out the other one, if they're both applied; so why not let the one explicitly set by the app developer have precedence?

As you observed, the servlet spec doesn't address this, and I realize that constrains to some extent what Tomcat developers can do to address it. And I'm no expert on the servlet spec, and I have no experience developing servlet containers; so I don't know if doing what I suggested is even legitimate.
Nice bit of research you've done, by the way; thanks for all the work.

Thanks for your help in thinking through what was going on inside Tomcat.

-Mark
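Added example (not part of this thread or of Tomcat itself): a small lint that reads a web.xml and flags the situation discussed above, a DIGEST <login-config> combined with an <error-page> for error code 401, since the custom 401 page replaces the container's digest challenge (WWW-Authenticate header with the nonce). The two embedded web.xml documents are constructed for the example; the check is deliberately limited to DIGEST because that is the only combination the thread reports as conflicting.

```python
import xml.etree.ElementTree as ET

# Constructed sample: the combination that broke digest authentication in the thread.
CONFLICTING_WEB_XML = """
<web-app xmlns="http://java.sun.com/xml/ns/javaee" version="2.5">
  <login-config>
    <auth-method>DIGEST</auth-method>
    <realm-name>Example Realm</realm-name>
  </login-config>
  <error-page>
    <error-code>401</error-code>
    <location>/401.jsp</location>
  </error-page>
</web-app>
"""

# Constructed sample: same login-config with the 401 error-page removed,
# so the container's own digest challenge reaches the client.
FIXED_WEB_XML = """
<web-app xmlns="http://java.sun.com/xml/ns/javaee" version="2.5">
  <login-config>
    <auth-method>DIGEST</auth-method>
    <realm-name>Example Realm</realm-name>
  </login-config>
  <error-page>
    <error-code>404</error-code>
    <location>/404.jsp</location>
  </error-page>
</web-app>
"""


def _local(tag):
    """Strip an XML namespace prefix ('{uri}name' -> 'name') so the check
    works whether or not web.xml declares the Java EE namespace."""
    return tag.rsplit("}", 1)[-1]


def _child_text(element, name):
    """Return the stripped text of the first direct child with local name `name`."""
    for child in element:
        if _local(child.tag) == name and child.text:
            return child.text.strip()
    return None


def auth_method(web_xml_text):
    """Return the <auth-method> declared in <login-config>, upper-cased, or None."""
    root = ET.fromstring(web_xml_text)
    for element in root.iter():
        if _local(element.tag) == "login-config":
            method = _child_text(element, "auth-method")
            return method.upper() if method else None
    return None


def error_page_locations(web_xml_text, code="401"):
    """Return the <location> of every <error-page> mapped to the given error code."""
    root = ET.fromstring(web_xml_text)
    locations = []
    for element in root.iter():
        if _local(element.tag) == "error-page" and _child_text(element, "error-code") == code:
            locations.append(_child_text(element, "location"))
    return locations


def find_conflicts(web_xml_text):
    """Return the 401 error-page locations that would override a DIGEST challenge.

    An empty list means the descriptors do not conflict in the way the thread
    describes (either no DIGEST login-config or no custom 401 page)."""
    if auth_method(web_xml_text) != "DIGEST":
        return []
    return error_page_locations(web_xml_text, "401")


if __name__ == "__main__":
    for label, doc in (("conflicting", CONFLICTING_WEB_XML), ("fixed", FIXED_WEB_XML)):
        conflicts = find_conflicts(doc)
        if conflicts:
            print(f"{label}: DIGEST login-config overridden by 401 error-page(s): {conflicts}")
        else:
            print(f"{label}: no login-config / error-page conflict found")
```

Run it against the deployed web.xml of each web application; a non-empty result means the custom 401 page, not the realm, is deciding what the client sees on an unauthenticated request.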

---------------------------------------------------------------------
To start a new topic, e-mail: users@tomcat.apache.org