Posted to users@tomcat.apache.org by Dhiraj Ramakrishnan <st...@gmail.com> on 2006/08/04 02:24:25 UTC

401 Page not getting displayed on failed BASIC authentication

Hello,

I am facing a problem with BASIC authentication. On failure of
authentication I want the application to go to a servlet where I can find
out who failed authentication and log the results in the database.

In my web.xml I have mentioned that on a 401 error, the application
should go to my servlet.

But Tomcat is not behaving that way; it does not go to my servlet, it
just goes to the default 401 error page.

Another thing I found was that in my web.xml I have mentioned that my
servlet is without any security constraint. Tomcat does not seem to
recognize this. If I try to access my servlet with the full path, the
servlet is shown only after the BASIC authentication.

My web.xml, condensed:

    <error-page>
      <error-code>401</error-code>
      <location>/unsecured/UnAuthenticatedErrorServlet</location>
    </error-page>

    <security-constraint>
      <web-resource-collection>
        <web-resource-name> API</web-resource-name>
        <description>Access to the  API</description>
        <url-pattern>/services/*</url-pattern>
        <http-method>GET</http-method>
        <http-method>POST</http-method>
      </web-resource-collection>

      <auth-constraint>
        <description>These roles are allowed access</description>
        <role-name>IPMS_SYSTEM_ADMINISTRATOR</role-name>
        <role-name>USER_ADMINISTRATOR</role-name>
      </auth-constraint>
    </security-constraint>

    <!--  Using basic authentication -->
    <login-config>
      <auth-method>BASIC</auth-method>
      <realm-name>MYRealm</realm-name>
    </login-config>

When I try to access http://localhost:8080/services/, it shows the dialogue
box, but if the authentication fails it goes to the default Tomcat 401 page.

When I try to access
http://localhost:8080/unsecured/UnAuthenticatedErrorServlet
it still shows the dialogue box, though I have explicitly stated that it
should not authenticate for this URL.

Please let me know your ideas on this. Any other suggestions are also
welcome.

Thanks
Dhiraj Ramakrishnan
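
Added example, not part of the original post: a small Python audit of which context-relative paths and HTTP methods the security-constraint quoted above covers, using the url-pattern rules of the Servlet specification. The function names and the WEB_XML sample (the post's constraint wrapped in a constructed <web-app> root) are assumptions for illustration.

```python
import xml.etree.ElementTree as ET

# Constructed input: the security-constraint from the post under a made-up root element.
WEB_XML = """<web-app>
  <security-constraint>
    <web-resource-collection>
      <url-pattern>/services/*</url-pattern>
      <http-method>GET</http-method>
      <http-method>POST</http-method>
    </web-resource-collection>
    <auth-constraint>
      <role-name>IPMS_SYSTEM_ADMINISTRATOR</role-name>
      <role-name>USER_ADMINISTRATOR</role-name>
    </auth-constraint>
  </security-constraint>
</web-app>"""
ERROR_LOCATION = "/unsecured/UnAuthenticatedErrorServlet"  # the post's 401 error-page

def parse(web_xml):
    """Parse a descriptor and drop any XML namespace so plain tag names match."""
    root = ET.fromstring(web_xml)
    for el in root.iter():
        el.tag = el.tag.split("}")[-1]
    return root

def pattern_matches(pattern, path):
    """url-pattern matching for a context-relative path: prefix, extension, default, exact."""
    if pattern.endswith("/*"):
        return path == pattern[:-2] or path.startswith(pattern[:-1])
    if pattern.startswith("*."):
        return path.rsplit("/", 1)[-1].endswith(pattern[1:])
    return pattern in ("/", path)

def required_roles(web_xml, path, method):
    """Roles demanded for (path, method); None means no constraint applies.
    Simplification: every matching pattern counts, without best-match selection."""
    roles = None
    for sc in parse(web_xml).iter("security-constraint"):
        auth = sc.find("auth-constraint")
        for wrc in sc.iter("web-resource-collection"):
            methods = {m.text.strip().upper() for m in wrc.iter("http-method")}
            hit = any(pattern_matches(p.text.strip(), path) for p in wrc.iter("url-pattern"))
            # A collection that lists http-method elements covers only those methods.
            if auth is not None and hit and (not methods or method.upper() in methods):
                roles = (roles or set()) | {r.text.strip() for r in auth.iter("role-name")}
    return roles
```

For the fragment as posted, required_roles returns the two roles for GET and POST under /services/, and None both for other methods there and for ERROR_LOCATION.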