Caldarale, Charles R wrote:
Since there doesn't seem to be any means of the 401.jsp to interact with
the declared <Realm> to determine or specify the other necessary
attributes for a digest 401 response (e.g., the nonce), it looks like
it's impossible at this time to use a custom 401 handler with
container-managed digest authentication.

I see your point. Given that, I think the real problem is that we have
two descriptors in web.xml that can be in conflict (<login-config> and
<error-page>) in a certain situation (when digest authentication is
specified in <login-config>). Of course once you know the answer, the
path to it is quite obvious. So I'm slapping my forehead and thinking I
should have realized much sooner that the realm name confusion was the
cause of the digest authentication problem.
But we should also ask if there is something here that makes human error
more likely and should be corrected. I know that HTTP 401 response
messages, although classified as error messages, are sent as a normal
response to request messages without authorization headers. Nevertheless
I didn't think about the <error-page> descriptor as possibly affecting
my <login-config> descriptor, and fooled myself into thinking I had the
manager app configured identically to the one that was working.
So perhaps the documentation should point out that these two descriptors
can be in conflict. (Maybe it does already, and I didn't notice.) Or
would it make sense for Tomcat to ignore the <error-page> descriptor if
digest authentication is specified in the <login-config> descriptor? One
of these descriptors is going to, in effect, cancel out the other one,
if they're both applied; so why not let the one explicitly set by the
app developer have precedence?
As you observed, the servlet spec doesn't address this, and I realize
that constrains to some extent what Tomcat developers can do to address
it. And I'm no expert on the servlet spec, and I have no experience
developing servlet containers; so I don't know if doing what I suggested
is even legitimate.
Nice bit of research you've done, by the way; thanks for all the work.
Thanks for your help in thinking through what was going on inside Tomcat.
-Mark
---------------------------------------------------------------------
To start a new topic, e-mail: users@tomcat.apache.org
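
A check for the descriptor combination discussed in this thread, as an added example that is not part of the original message or of Tomcat itself: it parses a web.xml and reports any <error-page> mapped to code 401 when <login-config> specifies DIGEST. The sample descriptor, its realm name and the function names are constructed for illustration.

```python
import xml.etree.ElementTree as ET

# Constructed sample web.xml reproducing the combination from the thread.
SAMPLE_WEB_XML = """<web-app xmlns="http://java.sun.com/xml/ns/javaee" version="2.5">
  <login-config>
    <auth-method>DIGEST</auth-method>
    <realm-name>Example Realm</realm-name>
  </login-config>
  <error-page>
    <error-code>401</error-code>
    <location>/401.jsp</location>
  </error-page>
  <error-page>
    <error-code>404</error-code>
    <location>/404.jsp</location>
  </error-page>
</web-app>
"""

def _local(tag):
    # Drop the "{namespace}" prefix so namespaced and DTD-era descriptors both match.
    return tag.rsplit("}", 1)[-1]

def _child_text(elem, name):
    # Text of the first direct child with the given local name, or None.
    for child in elem:
        if _local(child.tag) == name:
            return (child.text or "").strip()
    return None

def find_401_conflicts(web_xml_text):
    """Return the locations of 401 error pages if auth-method is DIGEST."""
    root = ET.fromstring(web_xml_text)
    auth_method = None
    pages_401 = []
    for elem in root:
        name = _local(elem.tag)
        if name == "login-config":
            auth_method = _child_text(elem, "auth-method")
        elif name == "error-page" and _child_text(elem, "error-code") == "401":
            pages_401.append(_child_text(elem, "location"))
    # A custom 401 page only matters here when the container must build the digest challenge.
    if (auth_method or "").upper() != "DIGEST":
        return []
    return pages_401

if __name__ == "__main__":
    for location in find_401_conflicts(SAMPLE_WEB_XML):
        print(f"DIGEST <login-config> conflicts with 401 <error-page> {location}")
```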