You are viewing a plain text version of this content. The canonical link for it is here.

Posted to dev@tomcat.apache.org by Hans Bergsten <ha...@gefionsoftware.com> on 2000/04/13 06:13:40 UTC

Re: cvs commit: jakarta-tomcat/src/share/org/apache/tomcat/servlets AuthServlet.java DefaultErrorPage.java

Craig McClanahan wrote:
> 
> >craigmcc@locus.apache.org wrote:
> >>
> >> craigmcc    00/04/12 18:45:56
> >>
> >>   Modified:    src/share/org/apache/tomcat/core ContextManager.java
> >>                         HttpServletResponseFacade.java
> >>                src/share/org/apache/tomcat/servlets AuthServlet.java
> >>                         DefaultErrorPage.java
> >>   Log:
> >>   Fix a bug where BASIC authentication fails to trigger the pop-up
> >>   dialog box for username and password on IE.  This bug was introduced
> >>   by my previous fix to HttpServletResponseFacade.java to make it reset
> >>   the response inside sendError() and sendRedirect().  Unfortunately,
> >>   due to the way Tomcat is currently structured, this caused the
> >>   "WWW-Authenticate" message containing the challenge to be erased.
> >>
> >>   Netscape Navigator saw the 401 (Unauthorized) error, and popped up a
> >>   dialog box anyway, with an "unknown" realm.  However, IE didn't see
> >>   a "WWW-Authenticate" so it didn't do anything.
> >>
> >>   The workaround in this patch is to NOT reset the response if sendError
> >>   is called with a status code of 401.  I've been staring at this code for
> >>   three hours, and cannot see any other way short of a major restructuring
> >>   to get around this problem differently.
> >
> >Should this fix be part of 3.1? I assume that the main branch is for the
> >next release now and 3.1 bug fixes must be committed to the tagged branch?
> >
> 
> I believe that it should, and was going to propose that (which also means
> rebuilding the release distros) -- but I've been having email problems this
> afternoon.
> 
> This fix makes BASIC authentication work again on IE, which seems pretty
> important.  What do you think?

I'm all for making it part of 3.1, since I also feel this is important.
The release distros will likely have to be rebuilt anyway. The clarification 
I wanted to get before removing my -1 on the release seems to require a change 
in the JSP container, based on the feedback on the JSP "expert list" so far. 
I expect Eduardo to make a decision tomorrow, and then Mandar need to make the 
correction as well. 

There are also a few bugs with regards to how JSP syntax errors are reported 
that would be nice if they can be corrected in 3.1, but I will not -1 a release
if these fixes can't be made in time.

Hans
-- 
Hans Bergsten		hans@gefionsoftware.com
Gefion Software		http://www.gefionsoftware.com