Posted to dev@tomcat.apache.org by Bob Tanner <ta...@real-time.com> on 2000/05/16 10:38:40 UTC

WWW-Authenticate broken (in general, specifically for non-Netscape)

I wrote a simple little program to display the http headers for a request. 

I ran this program against apache 1.3.12 and a directory that has an .htaccess
which requires BASIC WWW-Authenticate to proceed and Tomcat 3.2 dev with
<auth-method>BASIC</auth-method>

First, the apache 1.3.12 with .htaccess results:

Field:HTTP/1.1 401 Authorization Required
Key:null
Field:Tue, 16 May 2000 06:43:12 GMT
Key:Date
Field:Apache/1.3.12 (Unix) ApacheJServ/1.1.1b2-dev PHP/3.0.15
Key:Server
Field:Basic realm="Restricted Access"
Key:WWW-Authenticate
Field:close
Key:Connection
Field:text/html; charset=iso-8859-1
Key:Content-Type

Next the Tomcat 3.2 dev and <auth-method>BASIC</auth-method> results:

Field:HTTP/1.1 401
Key:null
Field:Tue, 16 May 2000 08:22:16 GMT
Key:Date
Field:Apache/1.3.12 (Unix)  (Red Hat/Linux) tomcat/1.0 PHP/3.0.15
Key:Server
Field:en
Key:Content-Language
Field:Tomcat Web Server/3.2 dev (JSP 1.1; Servlet 2.2; Java 1.2.2; Linux
2.2.13 i386; java.vendor=Sun Microsystems Inc.)
Key:Servlet-Engine
Field:close
Key:Connection
Field:text/plain
Key:Content-Type

What I don't understand is why Tomcat doesn't return the Key:
WWW-Authenticate.

Here is the web.xml file:

    <security-constraint>
      <web-resource-collection>
         <web-resource-name>Protected Area</web-resource-name>
         <!-- Define the context-relative URL(s) to be protected -->
         <url-pattern>/jsp/*</url-pattern>
         <!-- If you list http methods, only those methods are protected -->
         <http-method>DELETE</http-method>
         <http-method>GET</http-method>
         <http-method>POST</http-method>
         <http-method>PUT</http-method>
      </web-resource-collection>
      <auth-constraint>
         <!-- Anyone with one of the listed roles may access this area -->
         <role-name>tomcat</role-name>
         <role-name>tole1</role-name>
         </auth-constraint>
    </security-constraint>

    <!-- Default login configuration uses BASIC authentication -->
    <login-config>
      <auth-method>BASIC</auth-method>
      <realm-name>Secure Area</realm-name>
    </login-config>

Editing the src/share/org/apache/tomcat/servlets/BasicLoginServlet.java and
sticking in some debugging, I see the code does set the WWW-Authenticate to 
Basic realm="Secure Area", as the web.xml specifies.

BUT netscape responds with an 'Enter username for unknown at host.domain.com'
dialog box. I believe this is because the WWW-Authenticate header is not set
in the response.

It looks like there is a bug in the BasicLoginServlet.java or the
servlet.jar file. Somehow the WWW-Authenticate header is not being set.

I experimented by changing the response.sendError to this:

response.sendError(HttpServletResponse.SC_UNAUTHORIZED, "Authorization Required");

But I still only get 'HTTP/1.1 401'. There is no 'Authorization Required' text
in this message.

I believe all these little things add up to the problem that only netscape
works with Tomcat's BASIC Authentication.

I tracked this down to the initContext, but from there the code gets a little
out of my skill set.

Any pointers on how to proceed with tracking this bug down?

-- 
Bob Tanner <ta...@real-time.com>       | Phone : (952)943-8700
http://www.mn-linux.org                 | Fax   : (952)943-8500
Key fingerprint =  6C E9 51 4F D5 3E 4C 66 62 A9 10 E5 35 85 39 D9
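The post above asks why Tomcat's 401 lacks the WWW-Authenticate header. As an added example (not code from the post or from Tomcat), the following Python check parses a raw 401 response and reports what a BASIC-auth client would find missing; it is run against constructed copies of the two header dumps shown in the post.

```python
"""Check whether a 401 carries the WWW-Authenticate challenge RFC 2617
requires; without it a BASIC-auth client cannot learn the realm."""
import re
# Constructed raw responses mirroring the two header dumps in the post
# (bodies omitted). Sample data, not captured traffic.
APACHE_401 = (
    "HTTP/1.1 401 Authorization Required\r\n"
    "Date: Tue, 16 May 2000 06:43:12 GMT\r\n"
    "Server: Apache/1.3.12 (Unix) ApacheJServ/1.1.1b2-dev PHP/3.0.15\r\n"
    'WWW-Authenticate: Basic realm="Restricted Access"\r\n'
    "Connection: close\r\n"
    "Content-Type: text/html; charset=iso-8859-1\r\n\r\n"
)
TOMCAT_401 = (
    "HTTP/1.1 401\r\n"
    "Date: Tue, 16 May 2000 08:22:16 GMT\r\n"
    "Server: Apache/1.3.12 (Unix)  (Red Hat/Linux) tomcat/1.0 PHP/3.0.15\r\n"
    "Content-Language: en\r\n"
    "Connection: close\r\n"
    "Content-Type: text/plain\r\n\r\n"
)
# scheme token followed by a quoted realm, e.g. Basic realm="Secure Area"
CHALLENGE = re.compile(r'^(?P<scheme>[A-Za-z][\w.-]*)\s+realm="(?P<realm>[^"]*)"')

def parse_response(raw):
    """Return (status, reason, headers) from a raw HTTP/1.x response;
    header names are lower-cased, repeated headers are kept in a list."""
    lines = raw.split("\r\n\r\n", 1)[0].split("\r\n")
    parts = lines[0].split(" ", 2)
    status, reason = int(parts[1]), (parts[2] if len(parts) > 2 else "")
    headers = {}
    for line in lines[1:]:
        name, _, value = line.partition(":")
        headers.setdefault(name.strip().lower(), []).append(value.strip())
    return status, reason, headers

def check_401(raw):
    """List what a BASIC-auth client would find wrong with a 401 response;
    an empty list means the challenge is complete."""
    status, reason, headers = parse_response(raw)
    if status != 401:
        return ["status is %d, not 401" % status]
    problems = []
    if not reason:
        problems.append("status line has no reason phrase")
    challenges = headers.get("www-authenticate", [])
    if not challenges:
        problems.append("no WWW-Authenticate header, so the realm is unknown")
    for ch in challenges:
        if not CHALLENGE.match(ch):
            problems.append("malformed challenge: %r" % ch)
    return problems
```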