You are viewing a plain text version of this content. The canonical link for it is here.
Posted to dev@tomcat.apache.org by Hans Bergsten <ha...@gefionsoftware.com> on 2000/04/13 06:13:40 UTC
Re: cvs commit: jakarta-tomcat/src/share/org/apache/tomcat/servlets
AuthServlet.java DefaultErrorPage.java
Craig McClanahan wrote:
>
> >craigmcc@locus.apache.org wrote:
> >>
> >> craigmcc 00/04/12 18:45:56
> >>
> >> Modified: src/share/org/apache/tomcat/core ContextManager.java
> >> HttpServletResponseFacade.java
> >> src/share/org/apache/tomcat/servlets AuthServlet.java
> >> DefaultErrorPage.java
> >> Log:
> >> Fix a bug where BASIC authentication fails to trigger the pop-up
> >> dialog box for username and password on IE. This bug was introduced
> >> by my previous fix to HttpServletResponseFacade.java to make it reset
> >> the response inside sendError() and sendRedirect(). Unfortunately,
> >> due to the way Tomcat is currently structured, this caused the
> >> "WWW-Authenticate" message containing the challenge to be erased.
> >>
> >> Netscape Navigator saw the 401 (Unauthorized) error, and popped up a
> >> dialog box anyway, with an "unknown" realm. However, IE didn't see
> >> a "WWW-Authenticate" so it didn't do anything.
> >>
> >> The workaround in this patch is to NOT reset the response if sendError
> >> is called with a status code of 401. I've been staring at this code for
> >> three hours, and cannot see any other way short of a major restructuring
> >> to get around this problem differently.
> >
> >Should this fix be part of 3.1? I assume that the main branch is for the
> >next release now and 3.1 bug fixes must be committed to the tagged branch?
> >
>
> I believe that it should, and was going to propose that (which also means
> rebuilding the release distros) -- but I've been having email problems this
> afternoon.
>
> This fix makes BASIC authentication work again on IE, which seems pretty
> important. What do you think?
I'm all for making it part of 3.1, since I also feel this is important.
The release distros will likely have to be rebuilt anyway. The clarification
I wanted to get before removing my -1 on the release seems to require a change
in the JSP container, based on the feedback on the JSP "expert list" so far.
I expect Eduardo to make a decision tomorrow, and then Mandar need to make the
correction as well.
There are also a few bugs with regards to how JSP syntax errors are reported
that would be nice if they can be corrected in 3.1, but I will not -1 a release
if these fixes can't be made in time.
Hans
--
Hans Bergsten hans@gefionsoftware.com
Gefion Software http://www.gefionsoftware.com