Discussion:
security-constraint and error-page
J***@silenus.com
2002-03-13 03:33:47 UTC
I've set up a security constraint, with basic authentication, in a memory
realm. It works as expected until I add an error page for the 401 error
code (unauthorized). Then, when I request the page, I get the 401 error
page automatically and am never prompted to login. I was expecting to get
the 401 error page only if I supplied an incorrect login.

What am I doing wrong? (Win2000pro, Tomcat 4.0.3, jdk 1.4) Here is a
portion of my web.xml:

<error-page>
  <error-code>401</error-code>
  <location>/notauthorized.jsp</location>
</error-page>

<security-constraint>
  <web-resource-collection>
    <web-resource-name>BrawnerLau Website</web-resource-name>
    <url-pattern>/adminentry.jsp</url-pattern>
  </web-resource-collection>
  <auth-constraint>
    <role-name>brawnerlau</role-name>
  </auth-constraint>
</security-constraint>

<login-config>
  <auth-method>BASIC</auth-method>
  <realm-name>BrawnerLau Website</realm-name>
</login-config>


Thanks,

Jason E. Brawner
Silenus Group
(248) 735-8077


--
To unsubscribe: <mailto:tomcat-user-***@jakarta.apache.org>
For additional commands: <mailto:tomcat-user-***@jakarta.apache.org>
Troubles with the list: <mailto:tomcat-user-***@jakarta.apache.org>
r***@transentric.com
2002-03-16 21:18:34 UTC
Hmmmm....AFAIK, when the webserver responds with a 401 Unauthorized error,
the browser pops up an authentication dialog box. But since you have
configured a 401 error page directive in the web.xml, I think Tomcat
generates a 401 Unauthorized response but then, like a 404 custom error page
redirect, it redirects to the notauthorized.jsp instead of sending a 401
response to the client.
I think what you desire is something like this (correct me if I'm wrong):
Tomcat should send a 401 response at least 3 times (or more) and then
display a "You are Unauthorized" page back.
I don't know how to do this in web.xml. Maybe writing a wrapper or filter
would help. Need to check the code that does Basic Authentication. I think
it should have some clues. Craig McClanahan is the author of the code.
Hopefully he throws some light on this topic. I know he's online :-)

Thanks.
RS
Craig R. McClanahan
2002-03-16 22:16:31 UTC
:-)

Tomcat 4.0.1 had a problem with creating a custom error page for
container-generated status messages like a 401. This was fixed in 4.0.2
and 4.0.3.

However, it's not going to do you any good if you are using BASIC
authentication -- browsers generally just pop up the login dialog box and
don't show the page that came along with it -- and there's nothing Tomcat
can do about that. If you really want to control the look and feel of the
login page, you should use form-based authentication instead of BASIC.
Craig
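Added example (not from the original posts): the same constraint from Jason's web.xml switched to FORM authentication, which is the change Craig recommends. With FORM the container never sends a 401 to the browser, so the `<error-page>` for 401 is no longer what shows on a bad login; `<form-error-page>` is. The page names `/login.jsp` and `/notauthorized.jsp` are assumed, and the `<user-data-constraint>` is added because both BASIC and FORM carry the password in the clear unless the connection is TLS.

```xml
<!-- Added example, not part of the original post. -->
<security-constraint>
  <web-resource-collection>
    <web-resource-name>BrawnerLau Website</web-resource-name>
    <url-pattern>/adminentry.jsp</url-pattern>
  </web-resource-collection>
  <auth-constraint>
    <role-name>brawnerlau</role-name>
  </auth-constraint>
  <!-- Force HTTPS for the protected resource; FORM posts the password
       in clear text just as BASIC does (assumed hardening, not in the thread). -->
  <user-data-constraint>
    <transport-guarantee>CONFIDENTIAL</transport-guarantee>
  </user-data-constraint>
</security-constraint>

<login-config>
  <auth-method>FORM</auth-method>
  <realm-name>BrawnerLau Website</realm-name>
  <form-login-config>
    <!-- Shown instead of the browser's BASIC dialog (page name assumed). -->
    <form-login-page>/login.jsp</form-login-page>
    <!-- Shown only after a failed login: what the original post was after. -->
    <form-error-page>/notauthorized.jsp</form-error-page>
  </form-login-config>
</login-config>
```

The login page must contain a form that POSTs to `j_security_check` with fields named `j_username` and `j_password`; the container handles that submission itself. Keep `/login.jsp` and `/notauthorized.jsp` outside the protected `<url-pattern>` (here only `/adminentry.jsp` is protected, so that already holds), or the container will try to authenticate the login page itself.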
r***@transentric.com
2002-03-18 14:44:56 UTC
Thanks Craig. But I was wondering if there was some way where we could
intercept the container generated 401 response before it is sent to the
browser. And after a certain count, send a 200 OK response with some page
describing that the user does not have access to that resource.
Correct me if I'm wrong, but my understanding was that the number of times
the server responds with a 401 is dependent on the server (Tomcat, in our
case). Or is it actually? Tomcat sends a 401 Unauthorized response twice
(if the userid/password is incorrect) and after the third incorrect
attempt, Tomcat sends a page back. Is the status code associated with the
fourth response a "401 Unauthorized" still or is it some other code since I
thought if the browser receives a 401, it displays the login dialog box.
According to the HTTP/1.1 RFC:
"If the 401 response contains the same challenge as the prior response, and
the user agent has already attempted authentication at least once, then the
user SHOULD be presented the entity that was given in the response, since
that entity MAY include relevant diagnostic information."
With regards to the above quote, does this mean that the browser on
receiving the fourth "401 Unauthorized" displays the page that came along
with it?

Thanks.
RS
Craig R. McClanahan
2002-03-18 17:40:51 UTC
You can intercept this, but you'll need to do it with Tomcat-specific
mechanisms (since authentication is happening before your application's
servlets are ever invoked). Authentication is implemented by Valves
inside of Tomcat (very similar to Filters at the web application level),
so you can write and install a Valve of your own that is invoked before
authentication to do this kind of interception.

To get further, you'll need to download the Tomcat 4 source distribution
and look at the org.apache.catalina.Valve interface.
Craig


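Added example (not code from the thread or from Tomcat): a context-level Valve of the kind Craig describes, placed in front of the BasicAuthenticator, that counts 401s issued to requests which actually carried an `Authorization` header and, once a session has used up `maxAttempts`, answers with a plain 200 "not authorized" page instead of another challenge, so the browser stops re-prompting. It is written against the Valve API of Tomcat 7 through 9 (`org.apache.catalina.valves.ValveBase`, `invoke(Request, Response)`, `getNext()`, `javax.servlet`); Tomcat 4's interface that Craig points to has the shape `invoke(Request, Response, ValveContext)` with `context.invokeNext(request, response)` and wraps the servlet objects, so the same logic needs those signatures there. The package name, the session attribute name and the HTML text are assumptions.

```java
package com.example.tomcat; // assumed package name

import java.io.IOException;
import java.io.PrintWriter;

import javax.servlet.ServletException;
import javax.servlet.http.HttpServletResponse;
import javax.servlet.http.HttpSession;

import org.apache.catalina.connector.Request;
import org.apache.catalina.connector.Response;
import org.apache.catalina.valves.ValveBase;

/**
 * Added example valve. Declared in the Context, it runs before the
 * authenticator valve Tomcat adds for the web.xml login-config, so it can
 * both short-circuit the challenge and inspect the status the authenticator
 * produced after getNext().invoke() returns.
 */
public class FailedBasicAuthValve extends ValveBase {

    // Session attribute that holds the failure count (name is an assumption).
    static final String FAILURES = "com.example.tomcat.basicAuthFailures";

    // Set from the <Valve maxAttempts="..."/> attribute by Tomcat's digester.
    private int maxAttempts = 3;

    public void setMaxAttempts(int maxAttempts) { this.maxAttempts = maxAttempts; }
    public int getMaxAttempts() { return maxAttempts; }

    @Override
    public void invoke(Request request, Response response)
            throws IOException, ServletException {

        // Create the session now so its cookie travels with the 401 and the
        // browser returns it on the retried, credential-carrying request.
        HttpSession session = request.getSession(true);
        int failures = currentFailures(session);

        if (failures >= maxAttempts) {
            // Limit reached: do not consult the authenticator at all. A 200
            // without WWW-Authenticate is a page the browser will display.
            sendDeniedPage(response);
            return;
        }

        // Run the authenticator (and, if it passes, the application).
        getNext().invoke(request, response);

        if (response.getStatus() == HttpServletResponse.SC_UNAUTHORIZED) {
            // Charge only attempts that supplied credentials; the very first
            // 401 is the challenge itself and carries no Authorization header.
            if (request.getHeader("Authorization") != null) {
                session.setAttribute(FAILURES, failures + 1);
            }
        } else if (request.getUserPrincipal() != null) {
            // Successful login: forget earlier mistakes.
            session.removeAttribute(FAILURES);
        }
    }

    static int currentFailures(HttpSession session) {
        Object v = session.getAttribute(FAILURES);
        return (v instanceof Integer) ? (Integer) v : 0;
    }

    private static void sendDeniedPage(Response response) throws IOException {
        response.setStatus(HttpServletResponse.SC_OK);
        response.setContentType("text/html;charset=UTF-8");
        PrintWriter out = response.getWriter();
        out.println("<html><body><h1>Not authorized</h1>"
                  + "<p>Too many failed login attempts for this session.</p>"
                  + "</body></html>");
        out.flush();
    }
}
```

Install it with `<Valve className="com.example.tomcat.FailedBasicAuthValve" maxAttempts="3"/>` inside the application's `<Context>` (the class must be on the container's classpath, not inside the WAR). Two caveats a practitioner should keep in mind: the counter lives in the session, so a client that simply drops the cookie starts again at zero, which makes this a usability fix and not a brute-force control; for real lockout use Tomcat's `org.apache.catalina.realm.LockOutRealm` (Tomcat 7 and later), which counts failures per user name in the realm itself. And because the valve sits ahead of authentication, it must never do anything except count and short-circuit; it should not grant access on any path of its own.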
r***@transentric.com
2002-03-18 19:23:05 UTC
Thanks Craig.

RS