FAQ

Christopher Schultz wrote:

Also, you could set the error page that is used when a user doesn't have
the proper credentials to something that gives you the opportunity to
re-login in order to access the forbidden resource. When you want to log
someone out of BASIC authentication, you have to send a blank
"WWW-Authenticate" header to the client, just the same way that Tomcat
would do if you weren't already authenticated.

Is there a way to tell Tomcat to send a blank "WWW-Authenticate" header to the client when authorization fails? I would like to not use FORM authentication.

thanks for any help

---------------------------------------------------------------------
To start a new topic, e-mail: users@tomcat.apache.org
To unsubscribe, e-mail: users-unsubscribe@tomcat.apache.org
For additional commands, e-mail: users-help@tomcat.apache.org

  • Christopher Schultz at Jan 18, 2007 at 5:44 am
    John,

    John Caron wrote:
    Christopher Schultz wrote:
    Also, you could set the error page that is used when a user doesn't have
    the proper credentials to something that gives you the opportunity to
    re-login in order to access the forbidden resource. When you want to log
    someone out of BASIC authentication, you have to send a blank
    "WWW-Authenticate" header to the client, just the same way that Tomcat
    would do if you weren't already authenticated.
    Is there a way to tell Tomcat to send a blank "WWW-Authenticate" header
    to the client when authorization fails?
    Do you really mean authentication? Forcibly logging a user out doesn't
    sound right if they hit a page they're not supposed to see... usually a
    simple FORBIDDEN status is sufficient.
    I would like to not use FORM authentication.
    If you want to use WWW-Authenticate instead of FORM auth, then simply
    change your <auth-method> in web.xml from FORM to BASIC. Tomcat will
    handle the details of providing the WWW-Authenticate HTTP status when
    appropriate.

    - -chris
  • Fisher, Mitchell L at Jan 21, 2007 at 6:32 pm

    Christopher Schultz wrote:
    Also, you could set the error page that is used when a user doesn't have
    the proper credentials to something that gives you the opportunity to
    re-login in order to access the forbidden resource. When you want to log
    someone out of BASIC authentication, you have to send a blank
    "WWW-Authenticate" header to the client, just the same way that Tomcat
    would do if you weren't already authenticated.
    Could you expand on this? RFC2616 (HTTP/1.1)
    (http://www.w3.org/Protocols/rfc2616/rfc2616-sec14.html#sec14.47) says
    of the WWW-Authenticate header:

    "The field value consists of at least one challenge that indicates the
    authentication scheme(s) and parameters applicable to the Request-URI."

    Which clients would take a null WWW-Authenticate header to mean log out?

    -Mitch

  • Martin Gainty at Jan 21, 2007 at 8:04 pm
    This is correct.
    The authenticate header must identify at least one authentication challenge (Basic, Digest, SPAP, MSCHAP, whatever).

    with regards to Basic Authentication
    "To receive authorization, the client sends the userid and password, separated by a single colon (":") character, within a base64 [7] encoded string in the credentials."
    found in RFC 2617
    http://www.ietf.org/rfc/rfc2617.txt

    As the concept of no authentication challenge is not addressed specifically I would *default* to implementing "Basic Authentication"

    Anyone else?
    M-
    ----- Original Message -----
    From: "Fisher, Mitchell L" <Mitchell.Fisher@unisys.com>
    To: "Tomcat Users List" <users@tomcat.apache.org>
    Sent: Sunday, January 21, 2007 1:31 PM
    Subject: RE: how to tell Tomcat to send a blank "WWW-Authenticate" header?

  • Christopher Schultz at Jan 21, 2007 at 8:14 pm
    Mitch,

    Fisher, Mitchell L wrote:
    Christopher Schultz wrote:
    When you want to log someone out of BASIC authentication, you
    have to send a blank "WWW-Authenticate" header to the client,
    just the same way that Tomcat would do if you weren't already
    authenticated.
    Could you expand on this? RFC2616 (HTTP/1.1)
    (http://www.w3.org/Protocols/rfc2616/rfc2616-sec14.html#sec14.47) says
    of the WWW-Authenticate header:

    "The field value consists of at least one challenge that indicates the
    authentication scheme(s) and parameters applicable to the Request-URI."

    Which clients would take a null WWW-Authenticate header to mean log out?
    I think I was a little unclear before. It's not that the client's
    browser takes a "null" WWW-Auth response to log you out... it's that the
    presence of this header in the response indicates that any existing
    WWW-Auth information that had been sent to the server was incorrect. The
    browser should respond by asking the user for their credentials again.

    The browser doesn't care if the "old" credentials were perfectly valid,
    or that the "new" set are actually the same as the old ones. It just
    knows that receipt of a WWW-Auth header from the server means "any creds
    you may have sent me are not suitable", and the browser takes
    appropriate action.

    The effect is that of being logged-out.

    - -chris


Discussion Overview
group: users
category: tomcat
posted: Jan 18, '07 at 1:43a
active: Jan 21, '07 at 8:14p
posts: 5
users: 4
website: tomcat.apache.org
irc: #tomcat