1 Reply Latest reply on Jun 19, 2004 1:41 AM by sbrbot

    Bug Workaround: Custom 401 error page fails WWW-Authenticate

    vijayang

      This is a bug in JBOSS 3.2.2RC4 (with Tomcat as a servlet engine). This seems to be a bug in Tomcat 4.1.27 which shows up in this JBOSS version.

      I have configured custom error pages in my web.xml for each error code as shown below...

      <error-page>
        <error-code>401</error-code>
        <location>/errors/401.htm</location>
      </error-page>
      <error-page>
        <error-code>402</error-code>
        <location>/errors/402.htm</location>
      </error-page>
      ...
      ...


      In my BASIC authentication servlet, I have code like ...

      .....
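      // Send the Basic authentication challenge to the client.
      protected void authenticate(HttpServletResponse response)
      {
          // 401 plus WWW-Authenticate is what makes the browser show its login popup
          response.setStatus(HttpServletResponse.SC_UNAUTHORIZED);
          response.setHeader("WWW-Authenticate", "Basic realm=\"JavaSecrets\"");
      }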
      .....


      You can see the complete code of the example servlet at http://venus.cs.depaul.edu/se452/web-src/forms_BasicAuthentication_java.html


      The "authenticate" method gets invoked each time the "Authorization" header is missing in the HttpServletRequest.

      JBOSS 3.2.2RC4 (with Tomcat as a servlet engine) always returns the "custom" 401 error page if one is configured, and never shows the browser login popup to enable entering the login and password.

      However, if I comment out the "custom" 401 error page definition in my web.xml, I am able to authenticate myself using the Basic Authentication servlet through the browser login popup.

      This means one cannot have a "custom" 401 error page in the web.xml if one is doing Basic authentication using a servlet or using the web.xml.

      The same behaviour is seen if one configures Basic authentication within the web.xml to have protected domains. So, avoid defining a "custom" 401 error page to get your Basic authentication working.

        • 1. Re: Bug Workaround: Custom 401 error page fails WWW-Authenti
          sbrbot

          I encountered exactly the same strange behaviour in JBoss 3.2.3/Apache 4.1.29 and I would call it a BUG. When one defines a 401 custom error message, JBoss/Apache does not prompt for credentials at all, immediately showing the custom 401.htm page. Compared with the 401 custom error message functionality in WebLogic, JBoss should prompt for credentials first, and only if the user cancels the username/password entry or enters wrong credentials three times should JBoss/Apache show the custom 401 error page. If one defines a 401 custom error message, JBoss/Apache does not allow credentials to be entered at all.
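
A deployment descriptor check for the conflict described in this thread, as an added example that is not part of either post: it flags any 401 `<error-page>` in a web.xml and raises the severity when container-managed BASIC authentication is configured in the same file. The function names and the sample descriptor are constructed for illustration.

```python
import xml.etree.ElementTree as ET

def _local(tag):
    """Drop an XML namespace so DTD-based and namespaced descriptors both match."""
    return tag.rsplit("}", 1)[-1]

def _child_text(elem, name):
    """Return the stripped text of the first direct child called `name`, or None."""
    for child in elem:
        if _local(child.tag) == name:
            return (child.text or "").strip()
    return None

def check_web_xml(xml_text):
    """Return (severity, location, reason) for each 401 error page in a web.xml."""
    root = ET.fromstring(xml_text)
    pages_401, auth_method = [], None
    for elem in root.iter():
        name = _local(elem.tag)
        if name == "error-page" and _child_text(elem, "error-code") == "401":
            pages_401.append(_child_text(elem, "location"))
        elif name == "login-config":
            auth_method = (_child_text(elem, "auth-method") or "").upper()
    findings = []
    for location in pages_401:
        if auth_method == "BASIC":
            # The case both posters report: the custom page replaces the login prompt.
            findings.append(("HIGH", location, "container-managed BASIC auth is configured"))
        else:
            # A servlet may still send WWW-Authenticate itself, as in the first post.
            findings.append(("REVIEW", location, "check for servlets that send WWW-Authenticate themselves"))
    return findings

# Constructed sample descriptor (not taken from the thread).
SAMPLE = """<web-app>
  <error-page><error-code>401</error-code><location>/errors/401.htm</location></error-page>
  <error-page><error-code>402</error-code><location>/errors/402.htm</location></error-page>
  <login-config><auth-method>BASIC</auth-method><realm-name>JavaSecrets</realm-name></login-config>
</web-app>"""

if __name__ == "__main__":
    for severity, location, reason in check_web_xml(SAMPLE):
        print(f"{severity}: 401 error page {location}: {reason}")
```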