[Tomcat-users] Basic authentication and custom 401 Not Authorized error page

Joe Tomcat
Sep 5, 2002 at 11:06 pm
I have written a filter that uses Basic HTTP authorization to control
access to pages. I want to be able to define a custom 401 error page to
show users if they are unable to log in. I should be able to do this by
putting a section like this in my web.xml:

<error-page>
<error-code>401</error-code>
<location>/errors/401.html</location>
</error-page>

However, when I put that entry into the web.xml, when the user clicks to
log in, it goes immediately to the error page, without even hitting my
filter.

I know what is happening: The filter sends a 401 back to the browser to
prompt the user for the password. The container intercepts this 401,
sees that it's an error, and then displays the error page resource.

Is there a way to change or work around this behavior? Surely there is
a way to display a custom 401 error page and still have basic
authentication work?

Thanks for any tips.



4 responses

  • Eric Hollander at Sep 6, 2002 at 12:00 am
    I did some more research on this. It looks like it was a Known Bug in
    Tomcat 4.0.2, and it doesn't look like it has been fixed since then (I'm
    using 4.0.4). Tomcat developers, is there any patch or workaround known
    for this?

    I did some digging in the Tomcat source, and it looks like the html
    error pages are generated by this valve:

    org.apache.catalina.valves.ErrorReportValve

    I could definitely edit that valve, putting in my own custom html, and
    then recompile and redeploy Catalina. If there is no other way to fix
    that, then that is what I'll do, but I would rather do this in some more
    portable (and easier) way.

    Any tips will be appreciated. Thanks!
  • Joe Tomcat at Sep 6, 2002 at 12:20 am

    On Thu, 2002-09-05 at 13:55, Eric Hollander wrote:
    > I did some more research on this. It looks like it was a Known Bug in
    > Tomcat 4.0.2, and it doesn't look like it has been fixed since then (I'm
    > using 4.0.4). Tomcat developers, is there any patch or workaround known
    > for this?
    >
    > I did some digging in the Tomcat source, and it looks like the html
    > error pages are generated by this valve:
    >
    > org.apache.catalina.valves.ErrorReportValve

    More information:

    There's a method in org.apache.catalina.core.StandardHost that does
    this:

    private String errorReportValveClass =
    "org.apache.catalina.valves.ErrorReportValve";

    So if there were some way to set the value of errorReportValveClass
    through a config file, at least I wouldn't have to recompile catalina to
    make it show a custom 401 response. I couldn't find out if this value
    is read in from a properties file somewhere, but I sure would love to be
    able to not have to recompile catalina to get this to work.

    Thanks for any tips.


  • Joe Tomcat at Sep 6, 2002 at 2:22 am
    Here is how you can create a custom 401 (Not Authorized) error response
    in Tomcat. Putting a directive like this:

    <error-page>
    <error-code>401</error-code>
    <location>/errors/401.html</location>
    </error-page>

    in web.xml will not work. If you put that in web.xml, it will deny all
    authorization.

    The thing to do is to create a filter for the resources you want to
    protect. Do the conventional basic authentication in the filter.
    However, here is the part which is different:

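    String errorFile = "/errors/401.html";
    // Send the Basic challenge and the 401 status from the filter itself.
    response.addHeader("WWW-Authenticate", "BASIC realm=\"" + realm + "\"");
    response.setStatus(HttpServletResponse.SC_UNAUTHORIZED);
    // Forward to the custom page so the filter, not the container, writes the body.
    RequestDispatcher rd = request.getRequestDispatcher(errorFile);
    // forward() throws ServletException and IOException; doFilter() declares
    // both, so no try/catch is needed around it.
    rd.forward(request, response);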

    So instead of letting the container generate the html for the 401
    response, you always generate it using the RequestDispatcher. The
    RequestDispatcher can of course be an html or jsp file.

    So that is the solution to custom 401 errors in Tomcat.


  • Ben Walding at Sep 6, 2002 at 7:56 am
    It can be made to work...

    Put the error-page directive in as per web.xml spec

    On the jsp / servlet it points at,

    response.addHeader("WWW-Authenticate", "BASIC realm=\"" + realm + "\"");
    response.setStatus(HttpServletResponse.SC_UNAUTHORIZED);

    and then write custom page

    And it will challenge (well it did for me...)

    No need for filters or any of that jazz.


