Authentication failure in Tomcat

 
Ranch Hand
Posts: 36
  • Mark post as helpful
  • send pies
    Number of slices to send:
    Optional 'thank-you' note:
  • Quote
  • Report post to moderator
Hi,

My web application is using digest authentication on Tomcat.

As mentioned in the HTTP authentication RFC, when a client authentication fails, the server SHOULD send back an HTTP 401 response. Does it mean that specific implementations can send other error response?

I have a requirement in my application that the server should send back an HTTP 403, whether there is an authentication or an authorization failure. Can I configure Tomcat for this?

Thanks
 
Bartender
Posts: 2661
19
Netbeans IDE C++ Linux
  • Mark post as helpful
  • send pies
    Number of slices to send:
    Optional 'thank-you' note:
  • Quote
  • Report post to moderator
Can you try this (it's an idea, untested):

There are two steps:
In Tomcat, you can specify what error page to show in case of an error (in web.xml).

Apache has a custom response taglib, that can send errors.

If you write a JSP, say 401.jsp, that contains the setstatus tag, and in web.xml, you are actually sending a 403: SC_FORBIDDEN instead of 401: SC_UNAUTHORIZED.

Maybe you don't need the taglib, but can just use

Let me know if it worked.

Regards, Jan
 
Tushar Madhukar
Ranch Hand
Posts: 36
  • Mark post as helpful
  • send pies
    Number of slices to send:
    Optional 'thank-you' note:
  • Quote
  • Report post to moderator
Jan,

Configuring error-page in the deployment descriptor is working, as in whenever there is an HTTP 401, the configured JSP sets SC_FORBIDDEN in the response and the client gets a 403.

However, I realised that I wasn't very clear in my problem description. With the above solution, the browser will never get a 401 on authentication failure and hence never ask the user to authenticate, not even the first time he tries to access the secured resource!

I was looking for a scenario where the first browser request results in 401, so that the user can provide credentials and subsequent authentication failures should send back 403.

I am looking whether this conditional response can be configured into Tomcat and will share it with you, if something comes up.

Thanks anyways!
 
Jan Cumps
Bartender
Posts: 2661
19
Netbeans IDE C++ Linux
  • Mark post as helpful
  • send pies
    Number of slices to send:
    Optional 'thank-you' note:
  • Quote
  • Report post to moderator
You can use a session parameter to tell if the user already had this 401

You can set a session value the first time the 401.jsp is called, but let it return a 401 if the parameter was not available.

If the session parameter is available, this means the user has already received the 401. Return a 403.

Attention: ugly pseudocode, only intended to propose a possible solution
Regards, Jan
[ April 27, 2007: Message edited by: Jan Cumps ]
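A concrete version of the two replies above (the web.xml error-page mapping from Jan's first answer and the "first 401, then 403" session flag from the second), written here as an added example rather than code posted in the thread. It uses a servlet instead of a JSP; the URL /authError, the servlet name and the session attribute name are assumptions, and it relies on the container leaving the WWW-Authenticate challenge header in place when it forwards a 401 to the error page.

```java
// AuthFailureServlet.java  (added example; not code from the thread)
//
// Assumed web.xml wiring: Tomcat routes every 401 to this servlet.
//
//   <servlet>
//     <servlet-name>authError</servlet-name>
//     <servlet-class>AuthFailureServlet</servlet-class>
//   </servlet>
//   <servlet-mapping>
//     <servlet-name>authError</servlet-name>
//     <url-pattern>/authError</url-pattern>
//   </servlet-mapping>
//   <error-page>
//     <error-code>401</error-code>
//     <location>/authError</location>
//   </error-page>

import java.io.IOException;
import javax.servlet.ServletException;
import javax.servlet.http.HttpServlet;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;
import javax.servlet.http.HttpSession;

public class AuthFailureServlet extends HttpServlet {

    // Session attribute recording that this session has already been sent a 401
    // (the attribute name is an assumption of this example).
    static final String CHALLENGED = "example.authChallengeSent";

    // The decision itself, kept free of servlet plumbing: the first 401 in a session
    // stays a 401 so the browser prompts for credentials; every later one becomes 403.
    static int statusFor(boolean challengeAlreadySent) {
        return challengeAlreadySent ? HttpServletResponse.SC_FORBIDDEN
                                    : HttpServletResponse.SC_UNAUTHORIZED;
    }

    @Override
    protected void service(HttpServletRequest req, HttpServletResponse resp)
            throws ServletException, IOException {
        // Standard servlet attribute the container sets on an error-page forward.
        Integer original = (Integer) req.getAttribute("javax.servlet.error.status_code");
        if (original == null) {
            // Direct request to /authError, not an error forward: nothing to translate.
            resp.sendError(HttpServletResponse.SC_NOT_FOUND);
            return;
        }
        if (original != HttpServletResponse.SC_UNAUTHORIZED) {
            // Some other error code was routed here; pass it through unchanged.
            resp.setStatus(original);
            return;
        }

        // Create the session now so the 401 response carries JSESSIONID and the
        // browser's retry (with credentials) lands in the same session.
        HttpSession session = req.getSession(true);
        boolean already = session.getAttribute(CHALLENGED) != null;
        int status = statusFor(already);

        if (status == HttpServletResponse.SC_UNAUTHORIZED) {
            session.setAttribute(CHALLENGED, Boolean.TRUE);
        }
        // setStatus rather than sendError: sendError would re-enter error-page handling.
        // The WWW-Authenticate header written by the digest authenticator is left untouched,
        // which is what lets the browser show the login prompt on the first 401.
        resp.setStatus(status);
        resp.setContentType("text/plain");
        resp.getWriter().println(status == HttpServletResponse.SC_UNAUTHORIZED
                ? "Authentication required" : "Forbidden");
    }
}
```

Two things to keep in mind when running this. The flag stays in the session after a successful login, so any later 401 in that session (digest authentication re-challenges with a 401 when a nonce goes stale, for instance) would also be turned into a 403 that the browser will not re-prompt for; clearing the attribute once a request succeeds, or expiring it after a short interval, avoids that. And because every failed credential after the first now produces a 403 for the rest of the session, those 403s are the signal of repeated bad credentials and are worth logging with the client address and the session id.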
 
I'm still in control here. LOOK at this tiny ad!
a bit of art, as a gift, that will fit in a stocking
https://gardener-gift.com
reply
    Bookmark Topic Watch Topic
  • New Topic