0 Replies Latest reply on Mar 16, 2009 10:29 PM by L L

    Tomcat fails to send WWW-Authenticate header when custom 401

    L L Newbie

      I'm running jboss-3.2.7 and need to use a custom 401 error page with my servlets. But by doing so, I don't get a dialog box asking me to authenticate and it immediately errors out and displays the custom 401 page. If I comment out the following from my web.xml,

      <error-page>
       <error-code>401</error-code>
       <location>/unauth.jsp</location>
      </error-page>


      then I properly get the dialog box prompting me to log in, but the default Tomcat/5.0.30 error page is used. After doing some cURL tests, I noticed that when I use a custom 401 error page, I lose the WWW-Authentication header that is passed via:

      resp.setHeader("WWW-Authenticate", "Basic realm=\"" + realmName + "\"");
      resp.sendError(HttpServletResponse.SC_UNAUTHORIZED);


      Searching the Internet shows that this could be a bug in many versions of Tomcat. Is there a fix or work-around for this bug?