My web application is using digest authentication on Tomcat.
As mentioned in the HTTP authentication RFC, when a client authentication fails, the server SHOULD send back an HTTP 401 response. Does it mean that specific implementations can send other error response?
I have a requirement in my application that the server should send back an HTTP 403, whether there is an authentication or an authorization failure. Can I configure Tomcat for this?
Configuring an error-page in the deployment descriptor works: whenever there is an HTTP 401, the configured JSP sets SC_FORBIDDEN in the response and the client gets a 403.
However, I realised that I wasn't very clear in my problem description. With the above solution, the browser will never get a 401 on authentication failure and hence never ask the user to authenticate, not even the first time he tries to access the secured resource!
I was looking for a scenario where the first browser request results in a 401, so that the user can provide credentials, and subsequent authentication failures send back a 403.
I am looking into whether this conditional response can be configured in Tomcat and will share it with you if something comes up.
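One way to get the conditional behaviour described above, as an added example that is not part of the original post or of Tomcat itself: keep the `error-page` mapping for 401, but point it at a handler that leaves the 401 alone when the request carried no `Authorization` header (the browser has not been challenged yet, so the `WWW-Authenticate` challenge must reach it) and switches to 403 only when credentials were presented and rejected. The servlet path `/error/auth`, the package name and the `web.xml` fragment `<error-page><error-code>401</error-code><location>/error/auth</location></error-page>` are assumptions for the illustration; the code assumes the `javax.servlet` API (Tomcat 7 to 9; Tomcat 10 renamed it to `jakarta.servlet`).

```java
// Added example (not from the original post): error-page handler for Tomcat that
// keeps the first 401 so the browser prompts for Digest credentials, and turns
// later authentication failures into 403.
// Assumed web.xml mapping (hypothetical path):
//   <error-page><error-code>401</error-code><location>/error/auth</location></error-page>
package example.auth;

import java.io.IOException;
import javax.servlet.ServletException;
import javax.servlet.annotation.WebServlet;
import javax.servlet.http.HttpServlet;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;

@WebServlet("/error/auth")
public class AuthErrorServlet extends HttpServlet {

    /**
     * Decides the status the client should see. Kept as a pure function so the
     * policy can be unit-tested without a container.
     *
     * @param errorCode     value of javax.servlet.error.status_code (may be null)
     * @param authorization the request's Authorization header (null if absent)
     * @param challenge     the WWW-Authenticate header the authenticator already
     *                      put on the response (null if absent)
     */
    static int statusFor(Integer errorCode, String authorization, String challenge) {
        // Only 401 is rewritten; a 403 from a failed role check (authorization
        // failure) is already what the requirement asks for.
        if (errorCode == null || errorCode != HttpServletResponse.SC_UNAUTHORIZED) {
            return errorCode == null ? HttpServletResponse.SC_INTERNAL_SERVER_ERROR : errorCode;
        }
        // No credentials sent yet: this is the initial challenge. It must stay a
        // 401 or the browser never shows the login dialog (the problem in the post).
        if (authorization == null) {
            return HttpServletResponse.SC_UNAUTHORIZED;
        }
        // RFC 2617 Digest: a challenge carrying stale=true means the nonce expired
        // and the browser should silently retry with the same credentials. Turning
        // that into a 403 would lock users out after the nonce lifetime.
        if (challenge != null && challenge.contains("stale=true")) {
            return HttpServletResponse.SC_UNAUTHORIZED;
        }
        // Credentials were presented and rejected: report 403 as required.
        return HttpServletResponse.SC_FORBIDDEN;
    }

    @Override
    protected void service(HttpServletRequest req, HttpServletResponse resp)
            throws ServletException, IOException {
        Integer errorCode = (Integer) req.getAttribute("javax.servlet.error.status_code");
        int status = statusFor(errorCode,
                               req.getHeader("Authorization"),
                               resp.getHeader("WWW-Authenticate"));
        // Overriding the status from the error page is what the original JSP did;
        // for the first request the existing 401 and its challenge are left untouched.
        resp.setStatus(status);
        resp.setContentType("text/plain;charset=UTF-8");
        resp.getWriter().println(status == HttpServletResponse.SC_FORBIDDEN
                ? "Forbidden"
                : "Authentication required");
    }
}
```

Two checks worth doing after deploying this: with `curl -i` against the protected URL, the first response must still carry a `WWW-Authenticate: Digest ...` header with status 401, and a second request with a deliberately wrong password must come back 403. Note that because the client no longer receives a 401 on a bad password, the browser will not re-prompt; the user has to reload to get a fresh challenge, which is the trade-off the requirement implies.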