Bug 18040 - Entering <error-page> in web.xml for error code 401 BASIC unexpected behaviour
Status: RESOLVED INVALID
Alias: None
Product: Tomcat 4
Classification: Unclassified
Component: Unknown
Version: 4.1.24
Hardware: Macintosh other
Importance: P3 normal with 5 votes
Target Milestone: ---
Assignee: Tomcat Developers Mailing List
Duplicates: 13430
Reported: 2003-03-16 15:15 UTC by adam neilson
Modified: 2005-03-24 14:39 UTC
Description adam neilson 2003-03-16 15:15:19 UTC
When trying to use a custom error page for my webapp with BASIC auth, I get no
name/pass challenge; I'm forwarded straight to the 401 error page.

In my web.xml I have:
<snippet>

    <error-page>
        <error-code>401</error-code>
        <location>/error/401.html</location>
    </error-page>

<snip>....</snip>

    <security-constraint>
        <web-resource-collection>
            <web-resource-name>MyApplication</web-resource-name>
            <url-pattern>/admin/*</url-pattern>
            <url-pattern>/servlet/com.myapp.admin.*</url-pattern>
            <http-method>GET</http-method>
            <http-method>POST</http-method>
        </web-resource-collection>
        <auth-constraint>
            <role-name>myappadmin</role-name>
        </auth-constraint>
    </security-constraint>
    <login-config>
         <auth-method>BASIC</auth-method>
         <realm-name>MyApplication Realm</realm-name>
    </login-config>
    <security-role>
         <role-name>myappadmin</role-name>
    </security-role>
</snippet>
Comment 1 Pradeep Krishnan 2003-07-25 15:02:34 UTC
The following works in Tomcat 4.1.24:

Convert your error page to a JSP and add the following to the top of the file:
<%
String realmName = "xxx"; // Specify the realm name from web.xml
response.setHeader("WWW-Authenticate",
                   "Basic realm=\"" + realmName + "\"");
response.setStatus(HttpServletResponse.SC_UNAUTHORIZED);
%>
Comment 2 Mark Thomas 2004-05-10 20:48:20 UTC
The 401 response is actually part of the BASIC authentication process (see RFC 
2616 for full details) as well as the response when BASIC authentication 
fails. This specification of an error page for 401 interferes with this dual 
use.

401 should perhaps be a special case but the servlet spec does not treat it as 
such. The work-around described above (or something that achieves the same 
thing) is the way to go if you want a custom error page for a 401.

Strictly this bug report is INVALID as Tomcat is doing what the spec says it 
should.
Comment 3 Mark Thomas 2005-03-24 23:39:26 UTC
*** Bug 13430 has been marked as a duplicate of this bug. ***
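
Added example (not part of the original bug thread and not Tomcat code): a Python check for the behaviour discussed in comments 1 and 2, confirming that a custom 401 page still carries the Basic challenge with the realm from web.xml. The response bytes are constructed samples, and `check_basic_challenge` is a hypothetical helper name.

```python
import io
import re
from http.client import parse_headers

REALM = "MyApplication Realm"  # <realm-name> from the web.xml in the report

# Constructed sample responses, not captured from a real Tomcat instance.
# BROKEN: the reported symptom, the error page is served without a challenge.
BROKEN = (b"HTTP/1.1 401 Unauthorized\r\n"
          b"Content-Type: text/html\r\n\r\n<html>401</html>")
# FIXED: the error page re-adds the header, as in the comment 1 workaround.
FIXED = (b"HTTP/1.1 401 Unauthorized\r\n"
         b'WWW-Authenticate: Basic realm="MyApplication Realm"\r\n'
         b"Content-Type: text/html\r\n\r\n<html>401</html>")
# STALE: the realm hard-coded in the error page no longer matches web.xml.
STALE = FIXED.replace(b"MyApplication Realm", b"xxx")

BASIC_RE = re.compile(r'\bBasic\s+realm="([^"]*)"', re.IGNORECASE)


def check_basic_challenge(raw, expected_realm):
    """Return a list of problems; an empty list means the challenge is intact."""
    fp = io.BytesIO(raw)
    status = fp.readline().decode("iso-8859-1").split(None, 2)
    headers = parse_headers(fp)  # consumes header lines up to the blank line
    problems = []
    if len(status) < 2 or status[1] != "401":
        problems.append("status is not 401")
    realms = []
    for value in headers.get_all("WWW-Authenticate") or []:
        realms.extend(BASIC_RE.findall(value))
    if not realms:
        problems.append("no Basic challenge in WWW-Authenticate")
    elif expected_realm not in realms:
        problems.append("realm mismatch: %s" % ", ".join(realms))
    return problems


if __name__ == "__main__":
    for name, raw in (("BROKEN", BROKEN), ("FIXED", FIXED), ("STALE", STALE)):
        print(name, check_basic_challenge(raw, REALM) or "ok")
```

The same function can be pointed at the raw bytes of a real response from a protected URL once the error page is deployed.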