JavaRanch » Java Forums » Products » Tomcat
Authentication failure in Tomcat

Tushar Madhukar
Ranch Hand

Joined: May 03, 2006
Posts: 36
Hi,

My web application is using digest authentication on Tomcat.

As mentioned in the HTTP authentication RFC, when a client authentication fails, the server SHOULD send back an HTTP 401 response. Does it mean that specific implementations can send other error response?

I have a requirement in my application that the server should send back an HTTP 403, whether there is an authentication or an authorization failure. Can I configure Tomcat for this?

Thanks
Jan Cumps
Bartender

Joined: Dec 20, 2006
Posts: 2543
Can you try this (it's an idea, untested):

There's two steps:
In tomcat, you can specify what error page to show in case of an error (in web.xml).

Apache has a custom response taglib, that can send errors.

If you write a jsp, say 401.jsp, that contains the setstatus tag

And, in web.xml

You are actually sending a 403: SC_FORBIDDEN instead of 401: SC_UNAUTHORIZED

Maybe you don't need the taglib, but can just use

Let me know if it worked.

Regards, Jan


OCUP UML fundamental and ITIL foundation
Tushar Madhukar
Ranch Hand

Joined: May 03, 2006
Posts: 36
Jan,

Configuring error-page in the deployment descriptor is working, as in whenever there is an HTTP 401, the configured JSP sets SC_FORBIDDEN in the response and the client gets a 403.

However, I realised that I wasn't very clear in my problem description. With the above solution, the browser will never get a 401 on authentication failure and hence never ask the user to authenticate, not even the first time he tries to access the secured resource!

I was looking for a scenario where the first browser request results in 401, so that the user can provide credentials and subsequent authentication failures should send back 403.

I am looking whether this conditional response can be configured into Tomcat and share it with you, if something comes up.

Thanks anyways!
Jan Cumps
Bartender

Joined: Dec 20, 2006
Posts: 2543
You can use a session parameter to tell if the user already had this 401

You can set a session value the first time the 401.jsp is called, but let it return a 401 if the parameter was not available.

If the session parameter is available,this means the user has already received the 401. Return a 403.

Attention: ugly pseudocode, only intended to propose a possible solution
Regards, Jan
[ April 27, 2007: Message edited by: Jan Cumps ]
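An added example of the session-flag error page described in the post above; it is not Jan's pseudocode (which did not survive on this page) and the attribute name and messages are constructed. It assumes the JSP is registered in web.xml as the error page for status 401, as the earlier reply describes.

```jsp
<%@ page contentType="text/plain" session="true" %>
<%--
  Assumed web.xml mapping (error page for the authenticator's 401):
    <error-page>
      <error-code>401</error-code>
      <location>/401.jsp</location>
    </error-page>
--%>
<%
    // Constructed attribute name: marks that this session has already seen a 401.
    final String CHALLENGED = "auth.challenged";

    if (session.getAttribute(CHALLENGED) == null) {
        // First failure in this session: keep the 401 so the browser shows the
        // credentials prompt, and remember that the challenge has been issued.
        session.setAttribute(CHALLENGED, Boolean.TRUE);
        response.setStatus(HttpServletResponse.SC_UNAUTHORIZED);
        out.print("Authentication required.");
    } else {
        // The challenge was already issued in this session, so every further
        // authentication failure is reported as 403 instead of 401.
        response.setStatus(HttpServletResponse.SC_FORBIDDEN);
        out.print("Forbidden.");
    }
%>
```

This only works if the first 401 response both issues the session cookie and still carries the WWW-Authenticate challenge set by Tomcat's authenticator, so check both in the browser's request log before relying on it.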
 