1 Reply Latest reply on Jun 19, 2004 1:41 AM by Stjepan Brbot

    Bug Workaround: Custom 401 error page fails WWW-Authenticate

    vijayang Newbie

      This is a bug in JBOSS 3.2.2RC4 (with Tomcat as a servlet engine). This seems to be a bug in Tomcat 4.1.27 which shows up in this JBOSS version.

      I have configured custom error pages in my web.xml for each error code as shown below...

      <error-page>
      <error-code>401</error-code>
      /errors/401.htm
      </error-page>
      <error-page>
      <error-code>402</error-code>
      /errors/402.htm
      </error-page>
      ...
      ...


      In my BASIC authentication servlet, I have code like ...

      .....
      protected void authenticate(HttpServletResponse response)
      {
      response.setStatus(HttpServletResponse.SC_UNAUTHORIZED);
      response.setHeader("WWW-Authenticate", "Basic realm=\"JavaSecrets\"");
      }
      .....


      You can see the complete code of the example servlet at http://venus.cs.depaul.edu/se452/web-src/forms_BasicAuthentication_java.html


      The "authenticate" method gets invoked each time the "Authorization" header is missing in the HttpServletRequest.

      JBOSS 3.2.2RC4 (with Tomcat as a servlet engine) always returns the "custom" 401 error page if one is configured, and never shows the browser login popup to enable entering the login and password.

      However, if I comment out the "custom" 401 error page definition in my web.xml, I am able to authenticate myself using the Basic Authentication servlet through the browser login popup.

      This means, one cannot have a "custom" 401 error page in the web.xml, if one is doing Basic authentication using a servlet or using the web.xml

      The same behaviour is seen if one configures Basic authentication within the web.xml to have protected domains. So, avoid defining a "custom" 401 error page to get your Basic authentication working.

        • 1. Re: Bug Workaround: Custom 401 error page fails WWW-Authenti
          Stjepan Brbot Newbie

          Exactly I encountered the same stange behaviour in JBoss 3.2.3/Apache 4.1.29 and I would call it a BUG. When one defines 401 custom error message JBoss/Apache does not at all prompt for credentials immidiately showing custom 401.htm page. Comparing 401 custom error message functionality in WebLogic, JBoss should prompt for credentials first and only if user cancels the username/password insertion or three times inserts wrong credentials then JBoss/Apache should show custom error page 401. If one defines 401 custom error message JBoss/Apache do not allow to insert credentials at all.