DO NOT REPLY TO THIS EMAIL, BUT PLEASE POST YOUR BUG RELATED COMMENTS THROUGH THE WEB INTERFACE AVAILABLE AT <http://nagoya.apache.org/bugzilla/show_bug.cgi?id=23802>. ANY REPLY MADE TO THIS MESSAGE WILL NOT BE COLLECTED AND INSERTED IN THE BUG DATABASE.
http://nagoya.apache.org/bugzilla/show_bug.cgi?id=23802 Bug Workaround: Custom 401 error page fails WWW-Authenticate header Summary: Bug Workaround: Custom 401 error page fails WWW- Authenticate header Product: Tomcat 4 Version: 4.1.27 Platform: PC OS/Version: Windows NT/2K Status: NEW Severity: Normal Priority: Other Component: Connector:Coyote HTTP/1.1 AssignedTo: [EMAIL PROTECTED] ReportedBy: [EMAIL PROTECTED] This is a bug in JBOSS 3.2.2RC4 (with Tomcat as a servlet engine). It is also a bug in Tomcat 4.1.27 which shows up in this JBOSS version. I have configured custom error pages in my web.xml for each error code as shown below... <error-page> <error-code>401</error-code> <location>/errors/401.htm</location> </error-page> <error-page> <error-code>402</error-code> <location>/errors/402.htm</location> </error-page> ... ... In my BASIC authentication servlet, I have code like ... ..... protected void authenticate(HttpServletResponse response) { response.setStatus(HttpServletResponse.SC_UNAUTHORIZED); response.setHeader("WWW-Authenticate", "Basic realm=\"JavaSecrets\""); } ..... You can see the complete code of the example servlet at http://venus.cs.depaul.edu/se452/web-src/forms_BasicAuthentication_java.html The "authenticate" method gets invoked each time the "Authorization" header is missing in the HttpServletRequest. JBOSS 3.2.2RC4 (with Tomcat as a servlet engine) always returns the "custom" 401 error page if one is configured, and never shows the browser login popup to enable entering the login and password. However, if I comment out the "custom" 401 error page definition in my web.xml, I am able to authenticate myself using the Basic Authentication servlet through the browser login popup. This means, one cannot have a "custom" 401 error page in the web.xml, if one is doing Basic authentication using a servlet. The same behaviour is seen if one configures Basic authentication within the web.xml to have protected domains. So, avoid defining a "custom" 401 error page to get your Basic authentication working. --------------------------------------------------------------------- To unsubscribe, e-mail: [EMAIL PROTECTED] For additional commands, e-mail: [EMAIL PROTECTED]
