Posted to users@tomcat.apache.org by Oliver Schoenwald <ol...@FernUni-Hagen.de> on 2006/02/23 13:50:32 UTC

Changing content of response on canceled basic authentication

Hello fellow tomcat users,

I'm running Tomcat 5.5.4 with Apache 2.0.54 and mod_jk.
The system uses basic authentication to serve certain pages
for authenticated users.

One of my users said that if he enters my system and is
being asked to authenticate via that popup window, he
sometimes hits the cancel button of that popup window.
After that he is shown a page that seems to be generated
by Tomcat:


  HTTP Status 401 - unauthorized

------------------------------------------------------------------------

*type* Status report

*message* _unauthorized_

*description* _This request requires HTTP authentication (unauthorized)._

------------------------------------------------------------------------


      Apache Tomcat/5.5.7


The users said (and I concur) that this page is not only too technical,
but it doesn't contain any information for users who have forgotten
their passwords or have to apply for their own account.

Recently I tried to set the <error-page> in web.xml for response code 401
to show a certain page with info about forgotten passwords and how to
apply for a new account, but after I restarted the server no one was able
to log in any longer.
Whenever someone tried to open a page that required authentication,
the defined error page for error 401 was shown and no authentication request
was passed to the client.

Here are some internals of my application:

My web application is handling authentication internally, meaning I don't
use an authentication realm in web.xml. A central Controller-Servlet (the
one and only servlet of the whole web application, viva MVC) decides when
a certain request requires authentication. When the required credentials are
not already part of the request, the Controller-Servlet sends the following
as response using the Servlet API:

response.setHeader("WWW-Authenticate","Basic realm=\"MySystem\"");
response.sendError(401,"unauthorized");

Note: response is the HttpServletResponse-Object.

When no error-page for error 401 is defined in web.xml that works properly.

Here is my question:
Can I configure Tomcat properly, without changing its code, to send another
authentication-required page instead of the default error content?


Thank you in advance,

Oliver Schönwald
Germany












Re: Changing content of response on canceled basic authentication

Posted by Oliver Schoenwald <ol...@FernUni-Hagen.de>.
Hello David,

this solved my problem! Now my site works as wanted.

Thank you very very much,

Oliver Schoenwald
Germany

David Delbecq wrote:

>Put your response.setHeader("WWW-Authenticate","Basic realm=\"MySystem\"");
>inside your error page instead of the authentication servlet.
>(I guess sendError() clears all headers)

Re: Changing content of response on canceled basic authentication

Posted by David Delbecq <de...@oma.be>.
Put your response.setHeader("WWW-Authenticate","Basic realm=\"MySystem\"");
inside your error page instead of the authentication servlet.
(I guess sendError() clears all headers)





---------------------------------------------------------------------
To unsubscribe, e-mail: users-unsubscribe@tomcat.apache.org
For additional commands, e-mail: users-help@tomcat.apache.org
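
The fix described in David's reply, as an added example that is not part of the original thread: a servlet mapped as the 401 error page sends the Basic challenge header itself, so the browser still prompts and the help text appears only after Cancel. The class name `AuthRequiredPage`, the `/auth-required` mapping and the page text are assumptions.

```java
import java.io.IOException;
import java.io.PrintWriter;
import javax.servlet.http.HttpServlet;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;

/**
 * Added example (hypothetical names). Assumed web.xml wiring:
 *
 *   <servlet>
 *     <servlet-name>authRequired</servlet-name>
 *     <servlet-class>AuthRequiredPage</servlet-class>
 *   </servlet>
 *   <servlet-mapping>
 *     <servlet-name>authRequired</servlet-name>
 *     <url-pattern>/auth-required</url-pattern>
 *   </servlet-mapping>
 *   <error-page>
 *     <error-code>401</error-code>
 *     <location>/auth-required</location>
 *   </error-page>
 */
public class AuthRequiredPage extends HttpServlet {

    // Override service(), not doGet(): the error dispatch keeps the original
    // request method, so a POST that triggers the 401 must also be served.
    @Override
    protected void service(HttpServletRequest req, HttpServletResponse resp)
            throws IOException {
        // Send the challenge from the error page itself; the header set in the
        // controller before sendError() did not reach the client in the thread.
        resp.setStatus(HttpServletResponse.SC_UNAUTHORIZED);
        resp.setHeader("WWW-Authenticate", "Basic realm=\"MySystem\"");
        resp.setHeader("Cache-Control", "no-store");
        resp.setContentType("text/html; charset=UTF-8");

        // Static body only: nothing from the request is echoed back, and the
        // container's version banner from the default page is no longer shown.
        PrintWriter out = resp.getWriter();
        out.println("<html><head><title>Login required</title></head><body>");
        out.println("<h1>Login required</h1>");
        out.println("<p>Forgot your password or need an account?");
        out.println("Contact the site administrator.</p>");
        out.println("</body></html>");
    }
}
```

With this in place the controller servlet only needs to call `response.sendError(401, "unauthorized")`; the realm string must match the one the controller expects credentials for.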