This week's book giveaway is in the OO, Patterns, UML and Refactoring forum. We're giving away four copies of Refactoring for Software Design Smells: Managing Technical Debt and have Girish Suryanarayana, Ganesh Samarthyam & Tushar Sharma on-line! See this thread for details.
Hi. I created a few resources, and to be able to use them, the user must be authenticated. Currently I am using BASIC auth-method. What happens is that when the user wants to access the secured resource, the standard HTTP authentication dialog box pops out. When the user authenticates correctly, they are redirected to the requested resource, which is nice :-). When the user doesn't have enough privileges, the HTTP response is 403 (forbidden), and I have an error page for that. So far, so good. However, suppose the credentials are invalid - the submitted username does not exist, or the username exists, but the password is incorrect. Right now, for me, the authentication dialog keeps popping out over and over again, and when I finally get fed up with seeing it, and press ESC or close it or click Cancel, I am presented with a standard Tomcat error page with the error status set to 401 (authentication needed). How can I change that? Can this be changed at all? When I specify an error page for 401, I am redirected to it each time the authentication dialog box would show up otherwise I am using Firefox 3.0.3 on 64bit Kubuntu, and Tomcat 6.0.18. Thanks.
It sounds like the error page is also set up to require authentication. You should change the security restriction so that it can be accessed without authentication.
Joined: Aug 21, 2008
Hi. No, the error page is not constrained. The error page for 401 (if specified in web.xml) is invoked every time the server response with HTTP 401 (authentication needed). Maybe I didn't form the question right. I would like to know a way to limit the number of authentication challenges (for example, to 3 attempts in total, I'm sure I've seen it somewhere, but I'm also pretty sure the server was apache httpd) and how to change the default tomcat error page for 401 when the user decides to press ESC or close the authenticator dialog box. Thanks.