Servlets BASIC security question

Raf Szczypiorski
Hi.
I created a few resources, and to be able to use them, the user must be authenticated. Currently I am using BASIC auth-method. What happens is that when the user wants to access the secured resource, the standard HTTP authentication dialog box pops out. When the user authenticates correctly, they are redirected to the requested resource, which is nice :-). When the user doesn't have enough privileges, the HTTP response is 403 (forbidden), and I have an error page for that. So far, so good.
However, suppose the credentials are invalid - the submitted username does not exist, or the username exists, but the password is incorrect. Right now, for me, the authentication dialog keeps popping out over and over again, and when I finally get fed up with seeing it, and press ESC or close it or click Cancel, I am presented with a standard Tomcat error page with the error status set to 401 (authentication needed).
How can I change that? Can this be changed at all? When I specify an error page for 401, I am redirected to it each time the authentication dialog box would show up otherwise.
I am using Firefox 3.0.3 on 64-bit Kubuntu, and Tomcat 6.0.18.
Thanks.
Ulf Dittmer
It sounds like the error page is also set up to require authentication. You should change the security restriction so that it can be accessed without authentication.
Raf Szczypiorski
Hi.
No, the error page is not constrained. The error page for 401 (if specified in web.xml) is invoked every time the server responds with HTTP 401 (authentication needed).
Maybe I didn't form the question right. I would like to know a way to limit the number of authentication challenges (for example, to 3 attempts in total, I'm sure I've seen it somewhere, but I'm also pretty sure the server was Apache httpd) and how to change the default Tomcat error page for 401 when the user decides to press ESC or close the authenticator dialog box.
Thanks.
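
The HTTP exchange behind the behaviour described in this thread, as an added example that is not part of any post and is not Tomcat configuration: every 401 carrying a `WWW-Authenticate` challenge reopens the browser dialog, cancelling shows the body of the last 401, and a cap on attempts only takes effect when the server stops sending the challenge. `Server`, `browse`, the client key, the 403 after the cap and the sample credentials are hypothetical and constructed for the illustration.

```python
import base64
import hmac

REALM = "constructed-realm"           # constructed sample value
USERS = {"alice": "correct-horse"}    # constructed sample credentials
MAX_FAILURES = 3                      # the "3 attempts in total" from the thread

def parse_basic(header):
    """Return (user, password) from an Authorization header, else None."""
    if not header or not header.startswith("Basic "):
        return None
    try:
        decoded = base64.b64decode(header[6:], validate=True).decode("utf-8")
    except ValueError:  # covers bad base64 and bad UTF-8
        return None
    user, sep, password = decoded.partition(":")
    return (user, password) if sep else None

class Server:
    """Hypothetical server that does its own Basic check and counts failures."""
    def __init__(self):
        self.failures = {}  # client key (assumed: session or address) -> count

    def handle(self, client, authorization=None):
        creds = parse_basic(authorization)
        if creds and self.failures.get(client, 0) < MAX_FAILURES:
            expected = USERS.get(creds[0])
            if expected is not None and hmac.compare_digest(
                    expected.encode(), creds[1].encode()):
                self.failures.pop(client, None)
                return 200, {}, "protected resource"
            self.failures[client] = self.failures.get(client, 0) + 1
        if self.failures.get(client, 0) >= MAX_FAILURES:
            # No WWW-Authenticate header, so the browser has nothing to prompt for.
            return 403, {}, "too many failed logins"
        challenge = {"WWW-Authenticate": f'Basic realm="{REALM}"'}
        return 401, challenge, "401 error page body"

def browse(server, client, typed):
    """Model the browser: each 401 challenge opens the dialog; running out of
    `typed` entries models Cancel/ESC. Returns (status, body, submissions)."""
    status, headers, body = server.handle(client)
    submitted = 0
    for user, password in typed:
        if status != 401 or "WWW-Authenticate" not in headers:
            break
        token = base64.b64encode(f"{user}:{password}".encode()).decode()
        status, headers, body = server.handle(client, f"Basic {token}")
        submitted += 1
    return status, body, submitted
```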
 