Authentication failure in Tomcat

 
Tushar Madhukar
Ranch Hand
Hi,

My web application is using digest authentication on Tomcat.

As mentioned in the HTTP authentication RFC, when a client authentication fails, the server SHOULD send back an HTTP 401 response. Does it mean that specific implementations can send other error response?

I have a requirement in my application that the server should send back an HTTP 403, whether there is an authentication or an authorization failure. Can I configure Tomcat for this?

Thanks
 
Jan Cumps
Bartender
Can you try this (it's an idea, untested):

There are two steps:
In Tomcat, you can specify what error page to show in case of an error (in web.xml).

Apache has a custom response taglib, that can send errors.

If you write a jsp, say 401.jsp, that contains the setstatus tag

And, in web.xml

You are actually sending a 403: SC_FORBIDDEN instead of 401: SC_UNAUTHORIZED

Maybe you don't need the taglib, but can just use

Let me know if it worked.

Regards, Jan
 
Tushar Madhukar
Ranch Hand
Jan,

Configuring error-page in the deployment descriptor is working, as in whenever there is an HTTP 401, the configured JSP sets SC_FORBIDDEN in the response and the client gets a 403.

However, I realised that I wasn't very clear in my problem description. With the above solution, the browser will never get a 401 on authentication failure and hence never ask the user to authenticate, not even the first time he tries to access the secured resource!

I was looking for a scenario where the first browser request results in 401, so that the user can provide credentials and subsequent authentication failures should send back 403.

I am looking into whether this conditional response can be configured into Tomcat and will share it with you, if something comes up.

Thanks anyways!
 
Jan Cumps
Bartender
You can use a session parameter to tell if the user already had this 401

You can set a session value the first time the 401.jsp is called, but let it return a 401 if the parameter was not available.

If the session parameter is available, this means the user has already received the 401. Return a 403.

Attention: ugly pseudocode, only intended to propose a possible solution
Regards, Jan
[ April 27, 2007: Message edited by: Jan Cumps ]
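The session-flag idea from the reply above, written out as an added example error page (constructed here, not code from the thread or from Tomcat). It assumes web.xml maps error code 401 to /401.jsp, that the WWW-Authenticate challenge set by Tomcat's authenticator is still on the response when the error page runs, and the attribute name "authChallengeSent" is an arbitrary choice.

```jsp
<%-- 401.jsp: constructed example error page for the session-flag approach.
     Assumed web.xml mapping:
       <error-page><error-code>401</error-code><location>/401.jsp</location></error-page>
     The attribute name "authChallengeSent" is an assumption. --%>
<%@ page contentType="text/plain" session="true" isErrorPage="true" %>
<%
    // The container forwarded here after the authenticator sent a 401.
    // Assumption: the WWW-Authenticate header it set is still on the response;
    // without it the browser never prompts for credentials.
    final String FLAG = "authChallengeSent";

    if (session.getAttribute(FLAG) == null) {
        // First 401 in this session: remember it (this also creates the session
        // and sets the JSESSIONID cookie) and let the 401 challenge through so
        // the browser asks the user for credentials.
        session.setAttribute(FLAG, Boolean.TRUE);
        response.setStatus(HttpServletResponse.SC_UNAUTHORIZED);
        out.print("Authentication required");
    } else {
        // A challenge was already delivered in this session, so a further 401
        // means the supplied credentials were rejected: answer 403 as the
        // application requires. A 403 carries no challenge, so the browser will
        // not re-prompt; a mistyped password cannot be retried until the
        // session expires or the cookie is dropped.
        response.setStatus(HttpServletResponse.SC_FORBIDDEN);
        out.print("Forbidden");
    }
%>
```

The flag lives in an unauthenticated session, so it identifies a browser holding the cookie rather than a user; a client that discards the cookie gets a fresh 401 every time, which is worth keeping in mind when reading server logs for repeated failures.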
 