tomcat BASIC auth problem

Drazen Gemic - 13 May 2006 09:15 GMT
Hi !

I have created and configured a Servlet Chain Filter that controls
access to files inside web application.

I did not set up any logon config parameters in XML. When the
access is restricted filter sets 401 status and terminates processing.

When I try to get the restricted content with browser, I do get
401 response, but accompanied with some HTML and CSS crap that
I haven't coded into the filter. I have no idea where did it
come from.

The problem is that there is no login dialog box. I tried to add
WWW-authenticate header with realm, but does not help.

CSS and HTML crap is some moronic page that explains 401 response, looks
like something one would expect to show after user clicks cancel at
logon dialog.

Tomcat is 5.0.25, browser is Firefox 1.5 on Linux. I have Apache on the
same machine, and everything works perfect with it.

DG
Andy Flowers - 13 May 2006 11:16 GMT
> Hi !
>
[quoted text clipped - 21 lines]
>
> DG

This is the default behaviour. You have generated an error in your web
application and you have no error page defined to handle this so Tomcat does
its default behaviour and generates a simple page.

If you add an error page with the required output you want for error 401 then
that will be displayed instead.

i.e. in web.xml put

...
<error-page>
    <error-code>401</error-code>
    <location>/someerrorhandler.jsp</location>
</error-page>
...

More importantly if you have no way of logging on what exactly are you
protecting and why. Basically what are you trying to achieve ?
Drazen Gemic - 13 May 2006 15:54 GMT
> This is the default behaviour. You have generated an error in your web
> application and you have no error page defined to handle this so Tomcat
[quoted text clipped - 10 lines]
>     <location>/someerrorhandler.jsp</location>
>   </error-page>

Thank you. The look of page itself is not a problem. In fact the
existence of the page is.

What I need is a dialog that prompts for username and password for the
specified realm. The user agent is supposed to show it. In fact, I don't
want to see the error page at all.

I believe that HTML output of the error page output somehow
"confuses" the user agent. I think that I need to suppress
the error page somehow. Maybe the empty error page would help ?

> ...
>
> More importantly if you have no way of logging on what exactly are you
> protecting and why. Basically what are you trying to achieve ?

I have a class that contains some access rules, that are based on an
URL that has been requested, and the data that needs to be retrieved
from the database. I have it working flawlessly with a login form, but I
would prefer the standard browser username/password prompt.

Some parts of the web require authentication, some don't. The parts that
require authentication, need the proper level of authorization. I have
no intention to let Tomcat's own mechanism of handling users and
permissions to be involved.

The  web application is for the big educational center. They have
courses and classrooms in a couple of cities, and they want to keep the
customers data as private as possible. Every data access is on the need
to know basis.

DG
Andy Flowers - 13 May 2006 20:54 GMT
> What I need is a dialog that prompts for username and password for the
> specified realm. The user agent is supposed to show it. In fact, I don't
> want to see the error page at all.

try putting

 ((HttpServletResponse) response).setHeader("WWW-Authenticate", "BASIC realm=\"My Realm \"");

before a call to sendError(401);
Drazen Gemic - 15 May 2006 11:03 GMT
>> What I need is a dialog that prompts for username and password for the
>> specified realm. The user agent is supposed to show it. In fact, I don't
[quoted text clipped - 6 lines]
>
> before a call to sendError(401);

Good idea, thanks. I'll try it and post the results here.

DG
Andy Flowers - 15 May 2006 19:13 GMT
>>> What I need is a dialog that prompts for username and password for
>>> the specified realm. The user agent is supposed to show it. In fact,
[quoted text clipped - 11 lines]
>
> DG

Take a look at http://www.w3.org/Protocols/rfc2616/rfc2616-sec10.html and see
the entry for 401. This explains what is required by the protocol.
Juha Laiho - 16 May 2006 21:23 GMT
Drazen Gemic <anyone@anywhere.tk> said:
>I have a class that contains some access rules, that are based on an
>URL that has been requested, and the data that needs to be retrieved
[quoted text clipped - 5 lines]
>no intention to let Tomcat's own mechanism of handling users and
>permissions to be involved.

What would be the reason not to use the AA infrastructure provided by
Tomcat? Looks like the rule processor you've written could easily be
adaptable to fit the Tomcat interfaces, which would make the application
itself independent of that particular AA mechanism.

So, the application would be coded against regular Java servlet AA
interfaces, and you would supply code to adapt Tomcat to whatever
AA mechanism you like.

Wolf  a.k.a.  Juha Laiho     Espoo, Finland
(GC 3.0) GIT d- s+: a C++ ULSH++++$ P++@ L+++ E- W+$@ N++ !K w !O !M V
        PS(+) PE Y+ PGP(+) t- 5 !X R !tv b+ !DI D G e+ h---- r+++ y++++
"...cancel my subscription to the resurrection!" (Jim Morrison)


