tomcat-users mailing list archives

From Jason Harrop <jhar...@bigpond.net.au>
Subject [TC4] Bug? Authentication problem with HTTP 1.1 client (MSIE)
Date Thu, 01 Mar 2001 15:11:43 GMT
Hi

I'm using TC4 built from CVS on 17 Feb, and I'm scratching my head about 
a strange problem when I try to access 2 webapps which have the same 
realm name in their web.xml file, as in:

   <login-config>
     <auth-method>BASIC</auth-method>
     <realm-name>myRealm</realm-name>
   </login-config>

If I visit these webapps using an HTTP 1.0 client (e.g. NS 4.7, or IE 5 or 
5.5 with "Use HTTP 1.1" deselected), I get the expected sequence of a 
401 error, at which point the browser presents the authentication 
dialog; then on subsequent protected pages, the browser responds to the 
401 error with authentication information without involving the users.

If I visit these webapps using either IE 5 or 5.5 in their default HTTP 
1.1 enabled mode, then what happens is this:

For IE 5.5, when I visit the first page, I am asked to authenticate. 
Then, when I visit the second page (on my setup, this is in a second 
webapp, but with the same realm-name), I am presented with a blank 
screen.  The Tomcat logs show the 401 response, but they DO NOT show a 
subsequent request in which the authentication information is provided 
by the browser.

HOWEVER, according to my packet sniffer, that request _is_ being sent, 
but Tomcat never responds to it:

  GET /TestDrive/protected/showHomeDirectory HTTP/1.1

  HTTP/1.1 401 Unauthorized
  WWW-Authenticate: Basic realm="myRealm"

  GET /TestDrive/protected/showHomeDirectory HTTP/1.1
  Authorization: Basic ZnJlZDpuZXJr

  [Tomcat sends the page]

  GET /SmartPrecedentServer/askInterviewPreferences?ID=%2Ffiles%2Fdemonstration%2FTest2SAforRepository.xml&repositoryname=TestDrive HTTP/1.1

  HTTP/1.1 401 Unauthorized
  WWW-Authenticate: Basic realm="myRealm"

  GET /SmartPrecedentServer/askInterviewPreferences?ID=%2Ffiles%2Fdemonstration%2FTest2SAforRepository.xml&repositoryname=TestDrive HTTP/1.1
  Authorization: Basic ZnJlZDpuZXJr

Clicking refresh successfully grabs the page for me, without me having 
to type any authentication info again. So I think this might be a bug in 
Tomcat 4's HTTP 1.1 connector (since things are okay with a 1.0 client)?

With IE 5, the second time Tomcat sends a 401, IE asks me to 
authenticate, even though the WWW-Authenticate header is the same one it 
has seen before.  This looks to me like a bug in IE 5.

Any thoughts?  BTW, I'm not using the single sign on support valve.

thanks

Jason
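
An added example (not part of the original message, and not Tomcat code): Python that pairs each request in a capture like the one above with the response that follows it and reports credentialed retries that were never answered. It assumes one message per blank-line-separated block on a single connection without pipelining; `pair_exchanges` and `stalled_auth_retries` are hypothetical names.

```python
import re

# Constructed from the capture in the message above; "HTTP/1.1 200 OK" stands
# in for "[Tomcat sends the page]" (assumption: the status line is not shown).
TRACE = """\
GET /TestDrive/protected/showHomeDirectory HTTP/1.1

HTTP/1.1 401 Unauthorized
WWW-Authenticate: Basic realm="myRealm"

GET /TestDrive/protected/showHomeDirectory HTTP/1.1
Authorization: Basic ZnJlZDpuZXJr

HTTP/1.1 200 OK

GET /SmartPrecedentServer/askInterviewPreferences?ID=%2Ffiles%2Fdemonstration%2FTest2SAforRepository.xml&repositoryname=TestDrive HTTP/1.1

HTTP/1.1 401 Unauthorized
WWW-Authenticate: Basic realm="myRealm"

GET /SmartPrecedentServer/askInterviewPreferences?ID=%2Ffiles%2Fdemonstration%2FTest2SAforRepository.xml&repositoryname=TestDrive HTTP/1.1
Authorization: Basic ZnJlZDpuZXJr
"""
REQUEST = re.compile(r"^[A-Z]+ (\S+) HTTP/\d\.\d$")
STATUS = re.compile(r"^HTTP/\d\.\d (\d{3})\b")

def pair_exchanges(trace):
    """Pair each request with the response that follows it in capture order."""
    exchanges, pending = [], None
    for block in trace.strip().split("\n\n"):
        first, *rest = block.splitlines()
        headers = {k.lower(): v for k, v in (l.split(": ", 1) for l in rest if ": " in l)}
        req, status = REQUEST.match(first), STATUS.match(first)
        if req:
            if pending:  # the previous request never got a response
                exchanges.append(pending)
            pending = {"path": req.group(1).split("?")[0], "status": None, "realm": None,
                       "has_credentials": "authorization" in headers}
        elif status and pending:
            realm = re.search(r'realm="([^"]*)"', headers.get("www-authenticate", ""))
            pending.update(status=int(status.group(1)), realm=realm and realm.group(1))
            exchanges.append(pending)
            pending = None
    return exchanges + ([pending] if pending else [])

def stalled_auth_retries(exchanges):
    """Paths of requests that carried credentials but never got a response."""
    return [e["path"] for e in exchanges if e["has_credentials"] and e["status"] is None]
```
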




