Servlets BASIC security question

Raf Szczypiorski
Ranch Hand

Joined: Aug 21, 2008
Posts: 383
I created a few resources, and to be able to use them, the user must be authenticated. Currently I am using the BASIC auth-method. What happens is that when the user wants to access the secured resource, the standard HTTP authentication dialog box pops up. When the user authenticates correctly, they are redirected to the requested resource, which is nice :-). When the user doesn't have enough privileges, the HTTP response is 403 (forbidden), and I have an error page for that. So far, so good.
However, suppose the credentials are invalid - the submitted username does not exist, or the username exists, but the password is incorrect. Right now, for me, the authentication dialog keeps popping up over and over again, and when I finally get fed up with seeing it, and press ESC or close it or click Cancel, I am presented with a standard Tomcat error page with the error status set to 401 (authentication needed).
How can I change that? Can this be changed at all? When I specify an error page for 401, I am redirected to it each time the authentication dialog box would show up otherwise.
I am using Firefox 3.0.3 on 64-bit Kubuntu, and Tomcat 6.0.18.
Ulf Dittmer

Joined: Mar 22, 2005
Posts: 41064
It sounds like the error page is also set up to require authentication. You should change the security restriction so that it can be accessed without authentication.

Raf Szczypiorski
Ranch Hand

Joined: Aug 21, 2008
Posts: 383
No, the error page is not constrained. The error page for 401 (if specified in web.xml) is invoked every time the server responds with HTTP 401 (authentication needed).
Maybe I didn't form the question right. I would like to know a way to limit the number of authentication challenges (for example, to 3 attempts in total; I'm sure I've seen it somewhere, but I'm also pretty sure the server was Apache httpd) and how to change the default Tomcat error page for 401 when the user decides to press ESC or close the authenticator dialog box.
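
The status codes discussed in this thread (401 challenge, 403 for missing privileges) and the requested cap of 3 attempts, as an added example that is not from any poster in the thread and is not Tomcat's own authenticator. It assumes the application checks the Authorization header itself; the class name, the client key and the user table are hypothetical, constructed values.

```java
import java.nio.charset.StandardCharsets;
import java.security.MessageDigest;
import java.util.Base64;
import java.util.HashMap;
import java.util.Map;

// Added example: hypothetical application-managed BASIC check, not Tomcat's container-managed login.
public class BasicAuthDecision {
    static final int MAX_FAILURES = 3;                            // the cap asked about in the thread
    static final Map<String, String[]> USERS = new HashMap<>();   // user -> {password, role}; constructed data
    static final Map<String, Integer> failures = new HashMap<>(); // client key -> failed attempts
    static {
        USERS.put("alice", new String[] {"s3cret", "admin"});
        USERS.put("bob", new String[] {"hunter2", "guest"});
    }

    // Returns the HTTP status for one request. Only a 401 would carry a WWW-Authenticate header,
    // and that header is what makes the browser open its dialog again.
    static int decide(String clientKey, String authorization, String requiredRole) {
        if (failures.getOrDefault(clientKey, 0) >= MAX_FAILURES) return 403;  // cap reached: no new challenge
        if (authorization == null || !authorization.startsWith("Basic ")) return 401; // first visit, not a failure
        String[] cred;
        try {
            byte[] raw = Base64.getDecoder().decode(authorization.substring(6).trim());
            cred = new String(raw, StandardCharsets.UTF_8).split(":", 2);
        } catch (IllegalArgumentException e) {
            cred = new String[0];                         // malformed Base64 counts as a failed attempt
        }
        String[] user = cred.length == 2 ? USERS.get(cred[0]) : null;
        // Unknown user and wrong password produce the same answer; isEqual avoids an early-exit compare.
        boolean ok = user != null && MessageDigest.isEqual(
                user[0].getBytes(StandardCharsets.UTF_8), cred[1].getBytes(StandardCharsets.UTF_8));
        if (!ok) {
            return failures.merge(clientKey, 1, Integer::sum) >= MAX_FAILURES ? 403 : 401;
        }
        failures.remove(clientKey);                       // success resets the counter
        return user[1].equals(requiredRole) ? 200 : 403;  // authenticated, but the role may be missing
    }

    static String basic(String u, String p) {
        return "Basic " + Base64.getEncoder().encodeToString((u + ":" + p).getBytes(StandardCharsets.UTF_8));
    }

    public static void main(String[] args) {
        String[] headers = {null, basic("alice", "wrong"), basic("nobody", "x"),
                            basic("alice", "oops"), basic("alice", "s3cret")};
        for (String h : headers) System.out.println("10.0.0.5 -> " + decide("10.0.0.5", h, "admin"));
        System.out.println("10.0.0.9 -> " + decide("10.0.0.9", basic("bob", "hunter2"), "admin"));
    }
}
```

The counter is kept in memory and keyed on a caller-supplied client key, so it never expires and is lost on restart; a real deployment would add a time window and store password hashes rather than plaintext.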