Summary: | Entering <error-page> in web.xml for error code 401 BASIC unexpected behaviour | ||
---|---|---|---|
Product: | Tomcat 4 | Reporter: | adam neilson <adam> |
Component: | Unknown | Assignee: | Tomcat Developers Mailing List <dev> |
Status: | RESOLVED INVALID | ||
Severity: | normal | CC: | vincent |
Priority: | P3 | ||
Version: | 4.1.24 | ||
Target Milestone: | --- | ||
Hardware: | Macintosh | ||
OS: | other |
Description
adam neilson
2003-03-16 15:15:19 UTC
The following works in Tomcat 4.1.24: Convert your error page to a jsp and add the following to the top of the file: <% String realmName = "xxx; // Specify the realm name from web.xml response.setHeader("WWW-Authenticate", "Basic realm=\"" + realmName + "\""); response.setStatus(HttpServletResponse.SC_UNAUTHORIZED); %> The 401 response is actually part of the BASIC authentication process (see RFC 2616 for full details) as well as the response when BASIC authentication fails. This specification of an error page for 401 interfers with this dual use. 401 should perhaps be a special case but the servlet spec does not treat it as such. The work-around described above (or something that achieves the same thing) is the way to go if you want a custom error page for a 401. Strictly this bug report is INVALID as tomcat is doing what the spec says it should. |