Hello fellow tomcat users,

I'm running Tomcat 5.5.4 with Apache 2.0.54 and mod_jk.
The system uses basic authentication to serve certain pages
for authenticated users.

One of my users said that if he enters my system and is
being asked to authenticate via that popup-window, he
sometimes hits the cancel-button of that popup-window.
After that he is shown a page that seems to be generated
by tomcat:


 HTTP Status 401 - unauthorized

------------------------------------------------------------------------

*type* Status report

*message* _unauthorized_

*description* _This request requires HTTP authentication (unauthorized)._

------------------------------------------------------------------------


     Apache Tomcat/5.5.7


The users said (and I concur) that this page is not only too technical,
but it doesn't contain any information for users that have forgotten
their passwords or have to apply for their own account.

Recently I tried setting the <error-page> in web.xml for response-code 401
to show a certain page with info about forgotten passwords and how to apply
for a new account, but after I restarted the server no one was able to log in
any longer.
Whenever someone tried to open a page that required authentication,
the defined error-page for error 401 was shown and no authentication request
was passed to the client.

Here are some internals of my application:

My web application is handling authentication internally, meaning I don't
use an authentication realm in web.xml. A central Controller-Servlet (the
one and only servlet of the whole web application, viva MVC) decides when
a certain request requires authentication. When the required credentials are
not already part of the request, the Controller-Servlet sends the following
as response using the Servlet-API:

response.setHeader("WWW-Authenticate","Basic realm=\"MySystem\"");
response.sendError(401,"unauthorized");

Note: response is the HttpServletResponse-Object.

When no error-page for error 401 is defined in web.xml, that works properly.

Here are my questions:
Can I configure tomcat properly without changing its code to send another
authentication required-page instead of the default error-content?


Thank you in advance,

Oliver Schönwald
Germany
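
One way to send the challenge with a friendlier body from the Controller-Servlet, as an added example that is not part of the original post: it calls setStatus() rather than sendError(), and the Servlet API documents sendError() as the call that invokes an error page defined in web.xml. The class name, the help text and the /help/account.html URL are assumptions; the javax.servlet packages match Tomcat 5.5.

```java
import java.io.IOException;
import java.io.PrintWriter;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;

/** Hypothetical helper for the Controller-Servlet; names and help text are assumptions. */
public final class BasicAuthChallenge {

    // Constructed placeholder text; it contains no request data, so nothing is reflected.
    private static final String HELP_BODY =
        "<html><head><title>Login required</title></head><body>"
      + "<h1>Login required</h1>"
      + "<p>This page is only available to registered users.</p>"
      + "<p>Forgotten your password or need an account? "
      + "See <a href=\"/help/account.html\">account help</a>.</p>" // placeholder URL
      + "</body></html>";

    private BasicAuthChallenge() { }

    /** True when the request carries a Basic Authorization header (not yet verified). */
    public static boolean hasBasicCredentials(HttpServletRequest request) {
        String header = request.getHeader("Authorization");
        return header != null
            && header.length() > 6
            && header.regionMatches(true, 0, "Basic ", 0, 6);
    }

    /**
     * Sends the 401 challenge with a custom body. setStatus() is used instead of
     * sendError(), so the container's error-page lookup is not involved.
     */
    public static void sendChallenge(HttpServletResponse response) throws IOException {
        if (response.isCommitted()) {
            throw new IllegalStateException("response already committed");
        }
        response.resetBuffer(); // drop any partially written page content
        response.setStatus(HttpServletResponse.SC_UNAUTHORIZED);
        response.setHeader("WWW-Authenticate", "Basic realm=\"MySystem\"");
        response.setHeader("Cache-Control", "no-store"); // keep the 401 page out of caches
        response.setContentType("text/html; charset=UTF-8");
        PrintWriter out = response.getWriter();
        out.print(HELP_BODY);
        out.flush();
    }
}
```

The browser displays the body only when the user cancels the login dialog. hasBasicCredentials() checks that a header is present, not that it is valid, so the application still has to verify the credentials before serving a protected page.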










