Hi
I'm using TC4 built from CVS on 17 Feb, and I'm scratching my head about
a strange problem when I try and access 2 webapps which have the same
realm name in their web.xml file, as in:
<login-config>
  <auth-method>BASIC</auth-method>
  <realm-name>myRealm</realm-name>
</login-config>
If I visit these webapps using an HTTP 1.0 client (e.g. NS 4.7, or IE 5 or
5.5 with "Use HTTP 1.1" deselected), I get the expected sequence of a
401 error, at which point the browser presents the authentication
dialog; then on subsequent protected pages, the browser responds to the
401 error with authentication information without involving the users.
If I visit these webapps using either IE 5 or 5.5 in their default HTTP
1.1 enabled mode, then what happens is this:
For IE 5.5, when I visit the first page, I am asked to authenticate.
Then, when I visit the second page (on my setup, this is in a second
webapp, but with the same realm-name), I am presented with a blank
screen. The tomcat logs show the 401 response, but they DO NOT show a
subsequent request in which the authentication information is provided
by the browser.
HOWEVER, according to my packet sniffer, that request _is_ being sent,
however Tomcat never responds to it:
GET /TestDrive/protected/showHomeDirectory HTTP/1.1

HTTP/1.1 401 Unauthorized
WWW-Authenticate: Basic realm="myRealm"

GET /TestDrive/protected/showHomeDirectory HTTP/1.1
Authorization: Basic ZnJlZDpuZXJr

[Tomcat sends the page]

GET /SmartPrecedentServer/askInterviewPreferences?ID=%2Ffiles%2Fdemonstration%2FTest2SAforRepository.xml&repositoryname=TestDrive HTTP/1.1

HTTP/1.1 401 Unauthorized
WWW-Authenticate: Basic realm="myRealm"

GET /SmartPrecedentServer/askInterviewPreferences?ID=%2Ffiles%2Fdemonstration%2FTest2SAforRepository.xml&repositoryname=TestDrive HTTP/1.1
Authorization: Basic ZnJlZDpuZXJr

Clicking refresh successfully grabs the page for me, without me having
to type any authentication info again. So I think this might be a bug in
Tomcat 4's HTTP 1.1 connector (since things are okay with a 1.0 client)?
With IE 5, the second time Tomcat sends a 401, IE asks me to
authenticate, even though the WWW-Authenticate header is the same one it
has seen before. This looks to me like a bug in IE 5.
Any thoughts? BTW, I'm not using the single sign on support valve.
thanks
Jason
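
An added example, not part of the original message: a non-browser check for the behaviour described above. It sends the unauthenticated request and the Basic-auth retry on one persistent HTTP/1.1 connection and reports whether the retry is answered. The names `probe`, `StandIn` and `demo`, the credentials and the local stand-in server (not Tomcat) are constructed for illustration.

```python
import base64, http.client, http.server, socket, threading

def probe(host, port, path, user, password, timeout=3.0):
    """Send the request, then the Basic-auth retry, on ONE HTTP/1.1 connection.
    Returns (first_status, outcome): the retry's status code, "closed" if the
    server ended the connection, or "timeout" if the retry was never answered."""
    conn = http.client.HTTPConnection(host, port, timeout=timeout)
    conn.connect()
    conn.auto_open = 0              # fail instead of silently reconnecting
    try:
        conn.request("GET", path)
        first = conn.getresponse()
        first.read()                # drain the 401 body before reusing the socket
        token = base64.b64encode(f"{user}:{password}".encode()).decode()
        try:
            conn.request("GET", path, headers={"Authorization": "Basic " + token})
            return first.status, conn.getresponse().status
        except socket.timeout:      # retry was sent, server stayed silent
            return first.status, "timeout"
        except (http.client.NotConnected, http.client.RemoteDisconnected, ConnectionError):
            return first.status, "closed"
    finally:
        conn.close()

class StandIn(http.server.BaseHTTPRequestHandler):
    """Constructed local server: keep-alive HTTP/1.1 with one Basic-auth realm."""
    protocol_version = "HTTP/1.1"
    expected = "Basic " + base64.b64encode(b"demo-user:demo-pass").decode()
    def do_GET(self):
        ok = self.headers.get("Authorization") == self.expected
        body = b"protected page" if ok else b"login required"
        self.send_response(200 if ok else 401)
        if not ok:
            self.send_header("WWW-Authenticate", 'Basic realm="myRealm"')
        self.send_header("Content-Length", str(len(body)))
        self.end_headers()
        self.wfile.write(body)
    def log_message(self, *args): pass   # keep the demo output quiet

def demo():
    """Run the probe against the constructed stand-in server."""
    server = http.server.ThreadingHTTPServer(("127.0.0.1", 0), StandIn)
    threading.Thread(target=server.serve_forever, daemon=True).start()
    try:
        return probe("127.0.0.1", server.server_address[1], "/protected/", "demo-user", "demo-pass")
    finally:
        server.shutdown()
        server.server_close()
if __name__ == "__main__":
    print(demo())
```

A result of `(401, "timeout")` against a real server matches the sniffer trace above, where the retry is sent on the same connection and never answered; `(401, "closed")` means the server ended the connection after the challenge and the client has to reconnect.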