Authentication failure in Tomcat

Tushar Madhukar
Ranch Hand

Joined: May 03, 2006
Posts: 36
Hi,

My web application is using digest authentication on Tomcat.

As mentioned in the HTTP authentication RFC, when a client authentication fails, the server SHOULD send back an HTTP 401 response. Does it mean that specific implementations can send other error responses?

I have a requirement in my application that the server should send back an HTTP 403, whether there is an authentication or an authorization failure. Can I configure Tomcat for this?

Thanks
Jan Cumps
Bartender

Joined: Dec 20, 2006
Posts: 2501

Can you try this (it's an idea, untested):

There's two steps:
In tomcat, you can specify what error page to show in case of an error (in web.xml).

Apache has a custom response taglib, that can send errors.

If you write a jsp, say 401.jsp, that contains the setstatus tag

And, in web.xml

You are actually sending a 403: SC_FORBIDDEN instead of 401: SC_UNAUTHORIZED

Maybe you don't need the taglib, but can just use

Let me know if it worked.

Regards, Jan


OCUP UML fundamental and ITIL foundation
youtube channel
Tushar Madhukar
Ranch Hand

Joined: May 03, 2006
Posts: 36
Jan,

Configuring error-page in the deployment descriptor is working, as in whenever there is an HTTP 401, the configured JSP sets SC_FORBIDDEN in the response and the client gets a 403.

However, I realised that I wasn't very clear in my problem description. With the above solution, the browser will never get a 401 on authentication failure and hence never ask the user to authenticate, not even the first time he tries to access the secured resource!

I was looking for a scenario where the first browser request results in 401, so that the user can provide credentials and subsequent authentication failures should send back 403.

I am looking into whether this conditional response can be configured in Tomcat and will share it with you if something comes up.

Thanks anyways!
Jan Cumps
Bartender

Joined: Dec 20, 2006
Posts: 2501

You can use a session parameter to tell if the user already had this 401

You can set a session value the first time the 401.jsp is called, but let it return a 401 if the parameter was not available.

If the session parameter is available, this means the user has already received the 401. Return a 403.

Attention: ugly pseudocode, only intended to propose a possible solution
Regards, Jan
[ April 27, 2007: Message edited by: Jan Cumps ]
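The two suggestions above, put together as an added example (this is not Jan's code; the 401.jsp, the web.xml snippet and the pseudocode from the thread are not on this page): a servlet mapped as Tomcat's error page for status 401, which repeats the 401 the first time a session sees an authentication failure and answers 403 afterwards. It uses a servlet where the thread uses a JSP with the setstatus tag; the class name `AuthFailurePage`, the session attribute name `authChallengeSent` and the `/error/401` path are placeholders chosen for this example, and the web.xml wiring shown in the comment is an assumption about how the page would be mapped.

```java
import java.io.IOException;
import javax.servlet.ServletException;
import javax.servlet.http.HttpServlet;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;
import javax.servlet.http.HttpSession;

/**
 * Error page for HTTP 401, written as a servlet instead of the 401.jsp
 * discussed in the thread (example code, not from the original post).
 *
 * Assumed web.xml wiring (names and path are placeholders):
 *
 *   <servlet>
 *     <servlet-name>authFailurePage</servlet-name>
 *     <servlet-class>example.AuthFailurePage</servlet-class>
 *   </servlet>
 *   <servlet-mapping>
 *     <servlet-name>authFailurePage</servlet-name>
 *     <url-pattern>/error/401</url-pattern>
 *   </servlet-mapping>
 *   <error-page>
 *     <error-code>401</error-code>
 *     <location>/error/401</location>
 *   </error-page>
 *
 * Only 401 needs mapping: an authorization failure already produces 403.
 */
public class AuthFailurePage extends HttpServlet {

    // Session attribute that records "this session has already been challenged".
    // The name is an assumption of this example.
    static final String CHALLENGED = "authChallengeSent";

    @Override
    protected void service(HttpServletRequest req, HttpServletResponse resp)
            throws ServletException, IOException {
        // Tomcat's authenticator has already set status 401 and the
        // WWW-Authenticate (Digest) header before forwarding here.
        // Do not call resp.reset(): that would discard the challenge header
        // and the browser would never prompt for credentials.
        HttpSession session = req.getSession(true);
        boolean alreadyChallenged = session.getAttribute(CHALLENGED) != null;

        int status = decideStatus(alreadyChallenged);
        if (status == HttpServletResponse.SC_UNAUTHORIZED) {
            // First failure in this session: remember that the 401 went out,
            // so the next failure is downgraded to 403.
            session.setAttribute(CHALLENGED, Boolean.TRUE);
        }

        resp.setStatus(status);
        resp.setContentType("text/plain");
        resp.getWriter().println(
                status == HttpServletResponse.SC_UNAUTHORIZED
                        ? "Authentication required"
                        : "Forbidden");
    }

    /** The decision from the thread: 401 until the session has seen one, 403 after that. */
    static int decideStatus(boolean alreadyChallenged) {
        return alreadyChallenged
                ? HttpServletResponse.SC_FORBIDDEN
                : HttpServletResponse.SC_UNAUTHORIZED;
    }
}
```

Two things to check when trying this: the session is created by the error page before the user is authenticated, so the client must return the JSESSIONID cookie on its next request or it will keep receiving 401 (browsers do, simple scripted clients often do not); and once a session has been answered with 403 the browser will not prompt again, so a user who mistyped the password gets a second chance only in a fresh session, which is exactly the behaviour the requirement in this thread asks for.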