7 Replies Latest reply on Feb 4, 2009 3:19 PM by frank schmidt

    error 401

    Erik Lindquist Newbie

      I'm using jboss-4.2.2GA and I'm using it the easiest way I can. I've simply created a directory named ROOT.war under the deploy directory and added a WEB-INF/web.xml file and voila. I also have some restricted pages that are protected by a login-config.
      When I include an error-page element in the web.xml file:

      <error-page>
      <error-code>401</error-code>
      /errorpages/mypage401.html
      </error-page>

      I get an HTTP 401 error every time I try to access a protected page (the auth-method is BASIC). To fix the problem, all I have to do is remove the <error-page> definition.

      Here's the entire web.xml file:

      <?xml version="1.0" encoding="ISO-8859-1"?>

      <!DOCTYPE web-app
      PUBLIC "-//Sun Microsystems, Inc.//DTD Web Application 2.3//EN"
      "http://java.sun.com/dtd/web-app_2_3.dtd">

      <web-app>

      <security-constraint>
      <web-resource-collection>
      <web-resource-name>eriktest</web-resource-name>
      eriktest
      <url-pattern>/protected/*</url-pattern>
      <http-method>GET</http-method>
      <http-method>POST</http-method>
      </web-resource-collection>
      <auth-constraint>
      <role-name>Employee</role-name>
      </auth-constraint>
      <transport-guarantee>NONE</transport-guarantee>
      </security-constraint>

      <login-config>
      <auth-method>BASIC</auth-method>
      </login-config>

      <error-page>
      <error-code>401</error-code>
      /errorpages/mypage401.html
      </error-page>

      </web-app>

      I've searched and found that a number of people have complained about the same thing but I haven't been able to find a solution. Does one exist?

      Thanks.

        • 1. Re: error 401
          Erik Lindquist Newbie

          ( the < description > tag didn't show up correctly in the above post. it belongs under the web-resource-name.)

          • 2. Re: error 401
            Peter Johnson Master

            Please use code tags when posting XML text (select the text, click the Code button under the editor window). And prereview the post before submitting it.

            You do realize that there is already ROOT.war at deploy/jboss-web.deployer? I wonder what kind of conflicts you are running into between these two...

            What is the exact URL you are entering?

            Also, are you saying that the browser is not displaying the login dialog? If not, what browser?

            • 3. Re: error 401
              Erik Lindquist Newbie

               

              "PeterJ" wrote:

              You do realize that there is already ROOT.war at deploy/jboss-web.deployer? I wonder what kind of conflicts you are running into between these two...


              I'm familiar with it but ... well it's a long story that involves other people. We haven't noticed any conflicts using 4.0.4. (where ROOT.war is under jbossweb-tomcat55.sar) and we've been using that version of jboss for 5+ years.

              "PeterJ" wrote:

              What is the exact URL you are entering?


              i'm accessing it via this href:
              <a href="/protected">protected</a>
              


              "PeterJ" wrote:

              Also, are you saying that the browser is not displaying the login dialog? If not, what browser

              Yep. i'm using IE.

              My ultimate goal is to upgrade to 4.2 so I can do programmatic login/logout using WebAuthentication.

              thanks for your help Peter.


              • 4. Re: error 401
                jaikiran pai Master

                 

                <error-page>
                <error-code>401</error-code>
                /errorpages/mypage401.html
                </error-page>

                I get an HTTP 401 error every time I try to access a protected page (the auth-method is BASIC). To fix the problem, all I have to do is remove the <error-page> definition.


                I'm not an expert in this. But i think, you are configuring the error-page for an incorrect code (401). I guess, what you want is a custom page to be shown when the authentication fails. Isnt it? In that case, you should be configuring the error-page for error-code 403.

                I re-iterate, i am not an expert at this, but from what i read from a thread:


                Basically a browser will always first request a password protected page without authentication details, and your server must always react to that with a 401. (or the user won't get a chance to authenticate) When a browser gets a 401 response it will prompt the user for a username and password, and retry the request, this time with an
                authentication header added. This for a number of times, set in the browser.


                So if you are redirecting the 401 to your custom page, the browser will have no chance to bring up the authentication pop-up.


                • 5. Re: error 401
                  Erik Lindquist Newbie

                  That sounds brilliant except that when the login attempt finally fails (after 3 tries) it fails with error 401 - not 403.

                  Thank you though. You've given me a clue.

                  • 6. Re: error 401
                    jaikiran pai Master

                    Now that you have got the login pop-up appear, the next option to debug is to enable the JBoss Security level logging. See Q4 at http://wiki.jboss.org/wiki/SecurityFAQ to see how that can be done.

                    • 7. Re: error 401
                      frank schmidt Newbie

                      I have exactly the same problem. Is there a solution for JBoss 4.2.3?
                      The same configuration works in JBoss 5.0 !

                      Thanks