1 Reply Latest reply on Aug 1, 2011 7:17 AM by Wolfgang Knauf

    Authentication occasionally failing

    Tanya Ruttenberg Expert

      Jboss Server 5.1.

       

      Our users are occasionally getting 401 error code from the server. This seems to correspond with the following errors in the jboss error log

       

      2011-07-25 10:59:06,091 WARN  [org.jboss.security.negotiation.spnego.SPNEGOLoginModule] (http-172.17.187.200-80-4) Authentication was performed despite already being authenticated!

      2011-07-25 10:59:10,908 WARN  [org.jboss.security.negotiation.spnego.SPNEGOLoginModule] (http-172.17.187.200-80-4) Authentication was performed despite already being authenticated!

      2011-07-25 10:59:12,588 WARN  [org.jboss.security.negotiation.spnego.SPNEGOLoginModule] (http-172.17.187.200-80-4) Authentication was performed despite already being authenticated!

       

      We're not exactly sure, because there is no identifying information in this message, but these messages seem to coincide with the user hitting the unauthorized.html page.

       

      We have a custom "unauthorized" page which is invoked properly much of the time.  From web.xml

       

        <security-constraint>
          <display-name>Allow access to Unauthorized error page</display-name>
          <web-resource-collection>
            <web-resource-name>HTML</web-resource-name>
            <url-pattern>*.html</url-pattern>
          </web-resource-collection>
        </security-constraint>

        <error-page>
          <error-code>401</error-code>
          <location>/unauthorized.html</location>
        </error-page>

       

      Please let me know if you need any more information. I didn't set this up originally, but I'm trying to understand how it works.

       

      TDR

        • 1. Re: Authentication occasionally failing
          Wolfgang Knauf Master

          Hi,

           

          the security constraint snippet has the purpose to allow access to all "html" files for everyone I assume? If this is true, I think the allowed roles are missing:

           

           

          {code:xml}

          <security-constraint>

              <display-name>Allow access to Unauthorized error page</display-name>

              <web-resource-collection>

                <web-resource-name>HTML</web-resource-name>

                <url-pattern>*.html</url-pattern>

              </web-resource-collection>

              <auth-constraint>

                 <role-name>*</role-name>

               </auth-constraint>

            </security-constraint>

          {code}

           

           

          Hope this helps

           

          Wolfgang