Posted to dev@tomcat.apache.org by Bob Tanner <ta...@real-time.com> on 2000/05/16 10:38:40 UTC
WWW-Authenticate broken (in general, specifically for non-Netscape)
I wrote a simple little program to display the http headers for a request.
I ran this program against apache 1.3.12 and a directory that has an .htaccess
which requires BASIC WWW-Authenticate to proceed and Tomcat 3.2 dev with
<auth-method>BASIC</auth-method>
First, the apache 1.3.12 with .htaccess results:
Field:HTTP/1.1 401 Authorization Required
Key:null
Field:Tue, 16 May 2000 06:43:12 GMT
Key:Date
Field:Apache/1.3.12 (Unix) ApacheJServ/1.1.1b2-dev PHP/3.0.15
Key:Server
Field:Basic realm="Restricted Access"
Key:WWW-Authenticate
Field:close
Key:Connection
Field:text/html; charset=iso-8859-1
Key:Content-Type
Next the Tomcat 3.2 dev and <auth-method>BASIC</auth-method> results:
Field:HTTP/1.1 401
Key:null
Field:Tue, 16 May 2000 08:22:16 GMT
Key:Date
Field:Apache/1.3.12 (Unix) (Red Hat/Linux) tomcat/1.0 PHP/3.0.15
Key:Server
Field:en
Key:Content-Language
Field:Tomcat Web Server/3.2 dev (JSP 1.1; Servlet 2.2; Java 1.2.2; Linux
2.2.13 i386; java.vendor=Sun Microsystems Inc.)
Key:Servlet-Engine
Field:close
Key:Connection
Field:text/plain
Key:Content-Type
What I don't understand is why doesn't Tomcat return the Key:
WWW-Authenticate?
Here is the web.xml file:
<security-constraint>
<web-resource-collection>
<web-resource-name>Protected Area</web-resource-name>
<!-- Define the context-relative URL(s) to be protected -->
<url-pattern>/jsp/*</url-pattern>
<!-- If you list http methods, only those methods are protected -->
<http-method>DELETE</http-method>
<http-method>GET</http-method>
<http-method>POST</http-method>
<http-method>PUT</http-method>
</web-resource-collection>
<auth-constraint>
<!-- Anyone with one of the listed roles may access this area -->
<role-name>tomcat</role-name>
<role-name>tole1</role-name>
</auth-constraint>
</security-constraint>
<!-- Default login configuration uses BASIC authentication -->
<login-config>
<auth-method>BASIC</auth-method>
<realm-name>Secure Area</realm-name>
</login-config>
Editing the src/share/org/apache/tomcat/servlets/BasicLoginServlet.java and
sticking in some debugging, I see the code does set the WWW-Authenticate to
Basic realm="Secure Area", as the web.xml specifies.
BUT Netscape responds with an 'Enter username for unknown at host.domain.com'
dialog box. I believe this is because the WWW-Authenticate header is not set
in the response.
It looks like there is a bug in BasicLoginServlet.java or the
servlet.jar file. Somehow the WWW-Authenticate header is not being set.
I experimented by changing the response.sendError to this:
response.sendError(HttpServletResponse.SC_UNAUTHORIZED, "Authorization Required");
But I still only get 'HTTP/1.1 401', with no 'Authorization Required' text in
this message.
I believe all these little things add up to the problem that only Netscape
works with Tomcat's BASIC Authentication.
I tracked this down to the initContext, but from there the code gets a little
out of my skill set.
Any pointers on how to proceed to tracking this bug down?
--
Bob Tanner <ta...@real-time.com> | Phone : (952)943-8700
http://www.mn-linux.org | Fax : (952)943-8500
Key fingerprint = 6C E9 51 4F D5 3E 4C 66 62 A9 10 E5 35 85 39 D9
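Added example, not part of the original post or of Tomcat: a small Python checker that does what the header-dump program above does by hand, namely decide whether a 401 response is a usable Basic challenge under RFC 2617 (status 401, a WWW-Authenticate header, a "Basic" scheme, a quoted realm) and build the Authorization header a client would send back. The two sample responses are constructed here by re-typing the header dumps from the post (the "Key:null" entry in those dumps is the status line; bodies are omitted). The function names and the "tomcat"/"tomcat" credentials are assumptions for illustration.

```python
"""Check whether an HTTP 401 response carries a usable Basic challenge (RFC 2617)."""
import base64
import re

# Constructed samples: re-typed from the two header dumps in the post above,
# with CRLF line endings as on the wire and no body.
APACHE_401 = (
    "HTTP/1.1 401 Authorization Required\r\n"
    "Date: Tue, 16 May 2000 06:43:12 GMT\r\n"
    "Server: Apache/1.3.12 (Unix) ApacheJServ/1.1.1b2-dev PHP/3.0.15\r\n"
    'WWW-Authenticate: Basic realm="Restricted Access"\r\n'
    "Connection: close\r\n"
    "Content-Type: text/html; charset=iso-8859-1\r\n"
    "\r\n"
)

TOMCAT_401 = (
    "HTTP/1.1 401\r\n"
    "Date: Tue, 16 May 2000 08:22:16 GMT\r\n"
    "Server: Apache/1.3.12 (Unix) (Red Hat/Linux) tomcat/1.0 PHP/3.0.15\r\n"
    "Content-Language: en\r\n"
    "Servlet-Engine: Tomcat Web Server/3.2 dev (JSP 1.1; Servlet 2.2)\r\n"
    "Connection: close\r\n"
    "Content-Type: text/plain\r\n"
    "\r\n"
)

_REALM_RE = re.compile(r'realm\s*=\s*"([^"]*)"', re.IGNORECASE)


def parse_response(raw):
    """Split a raw HTTP response into (version, status, reason, headers).

    headers maps lower-cased field names to a list of values, because a
    server may legitimately send several WWW-Authenticate challenges.
    """
    head, _, _body = raw.partition("\r\n\r\n")
    lines = head.split("\r\n")
    parts = lines[0].split(" ", 2)
    version = parts[0]
    status = int(parts[1])
    reason = parts[2] if len(parts) > 2 else ""   # "HTTP/1.1 401" has none
    headers = {}
    for line in lines[1:]:
        name, _, value = line.partition(":")
        headers.setdefault(name.strip().lower(), []).append(value.strip())
    return version, status, reason, headers


def check_basic_challenge(raw):
    """Return {'status', 'reason', 'realm', 'problems'} for a 401 response.

    A 401 must carry WWW-Authenticate (RFC 2616 10.4.2); without it a client
    has no scheme or realm to prompt for, which is the "unknown" realm the
    browser shows in the post.
    """
    _version, status, reason, headers = parse_response(raw)
    result = {"status": status, "reason": reason, "realm": None, "problems": []}
    if status != 401:
        result["problems"].append("status is %d, not 401" % status)
        return result
    if not reason:
        result["problems"].append("status line has no reason phrase")
    challenges = headers.get("www-authenticate", [])
    if not challenges:
        result["problems"].append(
            "401 without WWW-Authenticate: client cannot learn scheme or realm")
        return result
    basic = [c for c in challenges if c.split(None, 1)[0].lower() == "basic"]
    if not basic:
        result["problems"].append("no Basic challenge among: %r" % challenges)
        return result
    match = _REALM_RE.search(basic[0])
    if match is None:
        result["problems"].append("Basic challenge lacks a quoted realm")
    else:
        result["realm"] = match.group(1)
    return result


def basic_authorization(user, password):
    """Build the Authorization header a client sends back (RFC 2617 section 2).

    Basic is only an encoding, not encryption: the pair is recoverable by
    anyone who sees the request, so it needs TLS underneath.
    """
    token = base64.b64encode(("%s:%s" % (user, password)).encode("latin-1"))
    return "Basic " + token.decode("ascii")


if __name__ == "__main__":
    for name, sample in (("apache", APACHE_401), ("tomcat", TOMCAT_401)):
        print(name, check_basic_challenge(sample))
    print(basic_authorization("tomcat", "tomcat"))   # constructed credentials
```

Run against the two constructed samples, the Apache response yields realm "Restricted Access" with no problems, while the Tomcat response is flagged for both the missing WWW-Authenticate header and the empty reason phrase, which is the same diagnosis the post reaches by reading the dumps. To test a live server, replace the constructed strings with the bytes read from a socket after sending an unauthenticated GET for the protected path.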