You are viewing a plain text version of this content. The canonical link for it is here.
Posted to users@tomcat.apache.org by "Manger, James H" <Ja...@team.telstra.com> on 2011/09/20 09:31:50 UTC
manager and host-manager have 401.jsp that is not used
The manager and host-manager apps included with Tomcat 7.0.21 are both:
* configured to use BASIC authentication; and
* configured with a custom error page for 401 (unauthenticated) error codes.
However, the customer error page is never used by Tomcat.
tomcat/webapps/[host-]manager/WEB-INF/web.xml has
...
<login-config>
<auth-method>BASIC</auth-method>
<realm-name>Tomcat Manager Application</realm-name>
</login-config>
...
<error-page>
<error-code>401</error-code>
<location>/WEB-INF/jsp/401.jsp</location>
</error-page>
The 401.jsp file has lots of useful information that would be helpful to display to a user if they cancel their browser's BASIC login prompt.
A custom 401.jsp file worked with BASIC in Tomcat 5.5.23.
Is 401.jsp supposed to be used in the manager and host-manager apps?
Or is it a relic that should be removed?
Or is it kept for cases where a different style of authentication is configured that might use 401.jsp?
I hope I can provide a custom message when a user cancels a BASIC login. The manager and host-manager apps appear to try to do what I want. But they don't work.
--
James Manger
---------------------------------------------------------------------
To unsubscribe, e-mail: users-unsubscribe@tomcat.apache.org
For additional commands, e-mail: users-help@tomcat.apache.org
Re: manager and host-manager have 401.jsp that is not used
Posted by Mark Thomas <ma...@apache.org>.
On 21/09/2011 01:03, Manger, James H wrote:
>> On 20/09/2011 08:31, Manger, James H wrote:
>>> The manager and host-manager apps included with Tomcat 7.0.21 are both:
>>> * configured to use BASIC authentication; and
>>> * configured with a custom error page for 401 (unauthenticated) error codes.
>>> However, the customer error page is never used by Tomcat.
>>>
>> ...
>>> The 401.jsp file has lots of useful information that would be helpful to display to a user if they cancel their browser's BASIC login prompt.
>
>> http://svn.apache.org/repos/asf/tomcat/tc7.0.x/trunk/webapps/docs/changelog.xml
>>
>> Currently the 4th entry for 7.0.22
>>
>> Mark
>
> Great!
> I confirmed 401.jsp is being used properly in 7.0.20.
>
> I couldn't find any release schedule for 7.0.22 (with the fix) at the Tomcat web site. Are tentative release dates listed anywhere? Tomcat releases appear to be frequent enough (about monthly, thanks!!) that a date for the next release is not too crucial, but it would be nice to have an estimate now that I know it includes a fix I want.
Tomcat releases happen as the need arises and as the committers (who are
volunteers after all) have time to generate them.
As the current Tomcat 7 release manager, I have been producing a Tomcat
7 release at roughly the beginning of each month since the first
release. I have no plans at the moment to change this cycle so I'll
start the next release around the beginning of October and if all goes
well it should be available a week or so later. As with any such plans
they may slip if life and/or work need me to spend my time elsewhere.
Mark
---------------------------------------------------------------------
To unsubscribe, e-mail: users-unsubscribe@tomcat.apache.org
For additional commands, e-mail: users-help@tomcat.apache.org
RE: manager and host-manager have 401.jsp that is not used
Posted by "Manger, James H" <Ja...@team.telstra.com>.
>On 20/09/2011 08:31, Manger, James H wrote:
>> The manager and host-manager apps included with Tomcat 7.0.21 are both:
>> * configured to use BASIC authentication; and
>> * configured with a custom error page for 401 (unauthenticated) error codes.
>> However, the customer error page is never used by Tomcat.
>>
>...
>> The 401.jsp file has lots of useful information that would be helpful to display to a user if they cancel their browser's BASIC login prompt.
> http://svn.apache.org/repos/asf/tomcat/tc7.0.x/trunk/webapps/docs/changelog.xml
>
> Currently the 4th entry for 7.0.22
>
> Mark
Great!
I confirmed 401.jsp is being used properly in 7.0.20.
I couldn't find any release schedule for 7.0.22 (with the fix) at the Tomcat web site. Are tentative release dates listed anywhere? Tomcat releases appear to be frequent enough (about monthly, thanks!!) that a date for the next release is not too crucial, but it would be nice to have an estimate now that I know it includes a fix I want.
P.S. Thanks for making it unnecessary to include the following line in 401.jsp:
response.setHeader("WWW-Authenticate", "Basic ...");
It was removed from 401.jsp in March 2011 (revision 1084109).
I am not sure which change made it unnecessary (and if the change includes the 5.x and/or 6.x branches).
--
James Manger
---------------------------------------------------------------------
To unsubscribe, e-mail: users-unsubscribe@tomcat.apache.org
For additional commands, e-mail: users-help@tomcat.apache.org
RE: manager and host-manager have 401.jsp that is not used
Posted by "Manger, James H" <Ja...@team.telstra.com>.
> P.S. Thanks for making it unnecessary to include the following line in 401.jsp:
> response.setHeader("WWW-Authenticate", "Basic ...");
> It was removed from 401.jsp in March 2011 (revision 1084109).
> I am not sure which change made it unnecessary (and if the change includes the 5.x and/or 6.x > branches).
>
> --
> James Manger
That issue was fixed in 6.0.19 (~Nov 2008)
https://issues.apache.org/bugzilla/show_bug.cgi?id=42409
---------------------------------------------------------------------
To unsubscribe, e-mail: users-unsubscribe@tomcat.apache.org
For additional commands, e-mail: users-help@tomcat.apache.org
Re: manager and host-manager have 401.jsp that is not used
Posted by Mark Thomas <ma...@apache.org>.
On 20/09/2011 08:31, Manger, James H wrote:
> The manager and host-manager apps included with Tomcat 7.0.21 are both:
> * configured to use BASIC authentication; and
> * configured with a custom error page for 401 (unauthenticated) error codes.
> However, the customer error page is never used by Tomcat.
>
> tomcat/webapps/[host-]manager/WEB-INF/web.xml has
> ...
> <login-config>
> <auth-method>BASIC</auth-method>
> <realm-name>Tomcat Manager Application</realm-name>
> </login-config>
> ...
> <error-page>
> <error-code>401</error-code>
> <location>/WEB-INF/jsp/401.jsp</location>
> </error-page>
>
> The 401.jsp file has lots of useful information that would be helpful to display to a user if they cancel their browser's BASIC login prompt.
>
> A custom 401.jsp file worked with BASIC in Tomcat 5.5.23.
>
> Is 401.jsp supposed to be used in the manager and host-manager apps?
> Or is it a relic that should be removed?
> Or is it kept for cases where a different style of authentication is configured that might use 401.jsp?
http://svn.apache.org/repos/asf/tomcat/tc7.0.x/trunk/webapps/docs/changelog.xml
Currently the 4th entry for 7.0.22
Mark
---------------------------------------------------------------------
To unsubscribe, e-mail: users-unsubscribe@tomcat.apache.org
For additional commands, e-mail: users-help@tomcat.apache.org