tomcat BASIC auth problem

Drazen Gemic

Hi !

I have created and configured a Servlet Chain Filter that controls
access to files inside a web application.

I did not set up any logon config parameters in XML. When
access is restricted, the filter sets a 401 status and terminates processing.

When I try to get the restricted content with a browser, I do get a
401 response, but accompanied by some HTML and CSS crap that
I haven't coded into the filter. I have no idea where it
came from.

The problem is that there is no login dialog box. I tried to add a
WWW-Authenticate header with a realm, but it does not help.

The CSS and HTML crap is some moronic page that explains the 401 response; it looks
like something one would expect to be shown after the user clicks cancel at the
logon dialog.

Tomcat is 5.0.25, browser is Firefox 1.5 on Linux. I have Apache on the
same machine, and everything works perfectly with it.

DG
 
Andy Flowers

Drazen said:
Hi !

I have created and configured a Servlet Chain Filter that controls
access to files inside a web application.

I did not set up any logon config parameters in XML. When
access is restricted, the filter sets a 401 status and terminates processing.

When I try to get the restricted content with a browser, I do get a
401 response, but accompanied by some HTML and CSS crap that
I haven't coded into the filter. I have no idea where it
came from.

The problem is that there is no login dialog box. I tried to add a
WWW-Authenticate header with a realm, but it does not help.

The CSS and HTML crap is some moronic page that explains the 401 response; it looks
like something one would expect to be shown after the user clicks cancel at the
logon dialog.

Tomcat is 5.0.25, browser is Firefox 1.5 on Linux. I have Apache on the
same machine, and everything works perfectly with it.

DG

This is the default behaviour. You have generated an error in your web
application and you have no error page defined to handle this, so Tomcat does
its default behaviour and generates a simple page.

If you add an error page with the required output you want for error 401 then
that will be displayed instead.

i.e. in web.xml put

....
<error-page>
<error-code>401</error-code>
<location>/someerrorhandler.jsp</location>
</error-page>
....

More importantly, if you have no way of logging on, what exactly are you
protecting and why? Basically, what are you trying to achieve?
 
Drazen Gemic

Andy said:
This is the default behaviour. You have generated an error in your web
application and you have no error page defined to handle this, so Tomcat
does its default behaviour and generates a simple page.

If you add an error page with the required output you want for error 401
then that will be displayed instead.

i.e. in web.xml put

...
<error-page>
<error-code>401</error-code>
<location>/someerrorhandler.jsp</location>
</error-page>

Thank you. The look of the page itself is not a problem. In fact, the
existence of the page is.

What I need is a dialog that prompts for username and password for the
specified realm. The user agent is supposed to show it. In fact, I don't
want to see the error page at all.

I believe that the HTML output of the error page somehow
"confuses" the user agent. I think that I need to suppress
the error page somehow. Maybe the empty error page would help?
...

More importantly, if you have no way of logging on, what exactly are you
protecting and why? Basically, what are you trying to achieve?

I have a class that contains some access rules that are based on the
URL that has been requested and the data that needs to be retrieved
from the database. I have it working flawlessly with a login form, but I
would prefer the standard browser username/password prompt.

Some parts of the web require authentication, some don't. The parts that
require authentication need the proper level of authorization. I have
no intention to let Tomcat's own mechanism of handling users and
permissions be involved.

The web application is for the big educational center. They have
courses and classrooms in a couple of cities, and they want to keep the
customers' data as private as possible. Every data access is on a
need-to-know basis.

DG
 
Andy Flowers

Drazen said:
Andy Flowers wrote:
What I need is a dialog that prompts for username and password for the
specified realm. The user agent is supposed to show it. In fact, I don't
want to see the error page at all.

try putting

((HttpServletResponse) response).setHeader("WWW-Authenticate", "BASIC realm=\"My Realm \"");

before a call to sendError(401);
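
The suggestion above as a complete filter, added here as an illustration and not code from the thread. It assumes the javax.servlet API and Java 8 or later; the class name and the demo credentials are constructed stand-ins for the poster's database-backed rule class.

```java
import java.io.IOException;
import java.nio.charset.StandardCharsets;
import java.security.MessageDigest;
import java.util.Base64;
import javax.servlet.*;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;

public class BasicChallengeFilter implements Filter {
    private static final String REALM = "My Realm";
    // Constructed demo credentials; stands in for the database-backed access rules.
    private static final String DEMO_USER = "demo";
    private static final byte[] DEMO_PASS = "change-me".getBytes(StandardCharsets.UTF_8);

    public void init(FilterConfig cfg) {}
    public void destroy() {}

    public void doFilter(ServletRequest rq, ServletResponse rs, FilterChain chain)
            throws IOException, ServletException {
        HttpServletRequest req = (HttpServletRequest) rq;
        HttpServletResponse res = (HttpServletResponse) rs;
        if (isAuthorized(req.getHeader("Authorization"))) {
            chain.doFilter(req, res);   // credentials accepted, continue the chain
            return;
        }
        // Header first: sendError() commits the response, so later headers are lost.
        res.setHeader("WWW-Authenticate", "Basic realm=\"" + REALM + "\"");
        res.sendError(HttpServletResponse.SC_UNAUTHORIZED);
    }

    static boolean isAuthorized(String header) {
        // Scheme name is case-insensitive; anything else is treated as "no credentials".
        if (header == null || !header.regionMatches(true, 0, "Basic ", 0, 6)) return false;
        byte[] raw;
        try {
            raw = Base64.getDecoder().decode(header.substring(6).trim());
        } catch (IllegalArgumentException e) {
            return false;               // malformed base64
        }
        String pair = new String(raw, StandardCharsets.UTF_8);
        int colon = pair.indexOf(':');  // split on the first ':'; the password may contain more
        if (colon < 0) return false;
        boolean userOk = DEMO_USER.equals(pair.substring(0, colon));
        // MessageDigest.isEqual avoids an early-exit comparison of the password bytes.
        boolean passOk = MessageDigest.isEqual(
                pair.substring(colon + 1).getBytes(StandardCharsets.UTF_8), DEMO_PASS);
        return userOk & passOk;
    }
}
```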
 
Drazen Gemic

Andy said:
try putting

((HttpServletResponse) response).setHeader("WWW-Authenticate", "BASIC realm=\"My Realm \"");

before a call to sendError(401);

Good idea, thanks. I'll try it and post the results here.

DG
 
Juha Laiho

Drazen Gemic said:
I have a class that contains some access rules that are based on the
URL that has been requested and the data that needs to be retrieved
from the database. I have it working flawlessly with a login form, but I
would prefer the standard browser username/password prompt.

Some parts of the web require authentication, some don't. The parts that
require authentication need the proper level of authorization. I have
no intention to let Tomcat's own mechanism of handling users and
permissions be involved.

What would be the reason not to use the AA infrastructure provided by
Tomcat? Looks like the rule processor you've written could easily be
adaptable to fit the Tomcat interfaces, which would make the application
itself independent of that particular AA mechanism.

So, the application would be coded against regular Java servlet AA
interfaces, and you would supply code to adapt Tomcat to whatever
AA mechanism you like.
 
