> From: Mark Leone [mailto:[EMAIL PROTECTED]
> Subject: Re: Manager app authentication not working with JDBCRealm
>
> So it seems to me that it is not correct for the realm name
> to be overridden by the error page.

Actually, I think it is. The reason the <realm-name> is cosmetic in the case of the manager webapp is because of the following line in the 401.jsp file:

    response.setHeader("WWW-Authenticate", "Basic realm=\"Tomcat Manager Application\"");

Since the webapp has declared an override for the normal container-generated 401 processing, it's the webapp's responsibility to create the appropriate content for the browser to process. Note that the above header forces *basic* authentication along with the realm name (cosmetic for non-digest). However, the <Realm> is operating under the assumption that digest authentication is to be used, since that's what's declared in web.xml for the webapp.

Since there doesn't seem to be any means of the 401.jsp to interact with the declared <Realm> to determine or specify the other necessary attributes for a digest 401 response (e.g., the nonce), it looks like it's impossible at this time to use a custom 401 handler with container-managed digest authentication.

Nice bit of research you've done, by the way; thanks for all the work. You would think that such interaction between a custom 401 page and digest authentication would be documented in the servlet spec, but I can't find any mention of it.

 - Chuck