
Using the Form-Based authentication in Java EE to secure a web application, we can specify a login and an error HTML page. http://docs.oracle.com/javaee/5/tutorial/doc/bncbe.html

Example:

<login-config>
    <auth-method>FORM</auth-method>
    <realm-name>file</realm-name>
    <form-login-config>
        <form-login-page>/logon.jsp</form-login-page>
        <form-error-page>/logonError.jsp</form-error-page>
    </form-login-config>
</login-config>

Using the HTTP Basic authentication, we cannot specify a login page because it is the responsibility of the client web browser to get the login/pwd of the user (typically using a pop-up).

<login-config>
    <auth-method>BASIC</auth-method>
</login-config>

However, we would still need to specify an error page. Is that possible? How? That is, using HTTP Basic authentication (and Java EE), we would need to show a specific error page if the login/pwd provided are incorrect (as in the Form-based authentication).

Ramesh PVK
David Portabella

3 Answers


No, in BASIC authentication you can't configure a login page/error page. This is how the different authentication methods work:

FORM Login:

  • Client makes request to secured page /application/securedpage
  • Server sends 200 status code along with login.jsp configured in login-config
  • Client fills j_username and j_password and submits to j_security_check servlet
  • Servlet j_security_check is invoked on the server side, which validates j_username and j_password. If authentication is successful, the request is forwarded/redirected to the secured page. If the authentication fails, the error page is sent (which is configured in login-config).

BASIC Login:

  • Client makes request to secured page /application/securedpage
  • Server sends 401 status code asking the client to send Authorization header with value containing Base64 encoded username and password.
  • Browser will show pop-up asking username and password.
  • Browser will again make request to secured page /application/securedpage along with Authorization header with value containing Base64 encoded username and password
  • If authentication is successful, the request is forwarded/redirected to the secured page. If the authentication fails, again the challenge, i.e. 401 status code, is sent to the browser.
  • Browser will again show the popup asking username and password.

BASIC Login flow clearly shows that there is nowhere the response body is sent. Server sends only 401 status code for asking credentials, both the first time and in case of authentication failure.

Ramesh PVK
  • Hello Ramesh; it seems a reasonable answer, but I am not convinced. :'-) How to be sure of this? – David Portabella Mar 29 '12 at 12:21
    This is not quite right - 401 response may (and should) contain body. [W3 HTTP status codes definition](http://www.w3.org/Protocols/rfc2616/rfc2616-sec10.html#sec10.4.2) says: _If the [...] user agent has already attempted authentication at least once, then the user SHOULD be presented the entity that was given in the response, since that entity might include relevant diagnostic information._ – botchniaque Oct 07 '15 at 13:57

The HTTP basic authentication error page is an HTTP 401 error which defaults to the servlet container's own HTTP 401 error page. Just specify a custom HTTP 401 error page in web.xml.

<error-page>
    <error-code>401</error-code>
    <location>/loginError.jsp</location>
</error-page>
BalusC
  • @BalusC But will the browser show the error page in the background for 401 status code? I am thinking it will just show the popup asking for credentials again. Sorry, I am asking because I have not tried this. – Ramesh PVK Mar 30 '12 at 05:20
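As an added example (not code from the question or from any of the answers above), the following plain Java program models what the servlet container does behind the BASIC flow in Ramesh PVK's answer and the 401 error-page mapping in BalusC's answer: every request to the protected resource without valid credentials gets a 401 with a WWW-Authenticate challenge, and the body of that 401 is the configured error page. It does not use the Servlet API; the `Request` and `Response` classes, the `alice` credential and the realm name are constructed for the demo.

```java
import java.nio.charset.StandardCharsets;
import java.security.MessageDigest;
import java.util.Base64;
import java.util.LinkedHashMap;
import java.util.Map;
import java.util.Optional;

/**
 * Server side of HTTP Basic authentication, reduced to the 401 challenge /
 * Authorization round trip. Request and Response are hypothetical stand-ins
 * for HttpServletRequest/HttpServletResponse, not the Servlet API.
 */
public class BasicAuthDemo {

    /** Hypothetical request: only the headers matter here. */
    static final class Request {
        final Map<String, String> headers = new LinkedHashMap<>();

        /** What the browser sends after the user fills in the pop-up. */
        Request withAuthorization(String user, String password) {
            String token = Base64.getEncoder().encodeToString(
                (user + ":" + password).getBytes(StandardCharsets.UTF_8));
            headers.put("Authorization", "Basic " + token);
            return this;
        }
    }

    /** Hypothetical response: status, headers and body. */
    static final class Response {
        final int status;
        final Map<String, String> headers = new LinkedHashMap<>();
        final String body;
        Response(int status, String body) { this.status = status; this.body = body; }
    }

    // Constructed credential store for the demo; a real realm stores salted password hashes.
    private static final Map<String, String> USERS = Map.of("alice", "correct horse battery staple");

    static final String REALM = "file";
    // Plays the role of the page mapped by <error-page><error-code>401</error-code>.
    static final String ERROR_PAGE_BODY =
        "<html><body>Login failed: wrong username or password.</body></html>";

    /** Parses "Basic base64(user:password)"; empty if the header is absent or malformed. */
    static Optional<String[]> parseCredentials(String authorization) {
        if (authorization == null || !authorization.regionMatches(true, 0, "Basic ", 0, 6)) {
            return Optional.empty();
        }
        byte[] decoded;
        try {
            decoded = Base64.getDecoder().decode(authorization.substring(6).trim());
        } catch (IllegalArgumentException e) {
            return Optional.empty();            // not valid Base64: treat as no credentials
        }
        String pair = new String(decoded, StandardCharsets.UTF_8);
        int colon = pair.indexOf(':');
        if (colon < 0) return Optional.empty();
        return Optional.of(new String[] { pair.substring(0, colon), pair.substring(colon + 1) });
    }

    /** Constant-time comparison so a wrong password is not distinguishable by timing. */
    static boolean credentialsValid(String user, String password) {
        String expected = USERS.get(user);
        if (expected == null) return false;
        return MessageDigest.isEqual(expected.getBytes(StandardCharsets.UTF_8),
                                     password.getBytes(StandardCharsets.UTF_8));
    }

    /** The container's behaviour for a request to a BASIC-protected resource. */
    static Response handle(Request req) {
        Optional<String[]> creds = parseCredentials(req.headers.get("Authorization"));
        if (creds.isPresent() && credentialsValid(creds.get()[0], creds.get()[1])) {
            return new Response(200, "<html><body>Secured page</body></html>");
        }
        // First challenge and failed attempt look the same: 401 + WWW-Authenticate,
        // with the configured 401 error page as the response body.
        Response challenge = new Response(401, ERROR_PAGE_BODY);
        challenge.headers.put("WWW-Authenticate", "Basic realm=\"" + REALM + "\"");
        return challenge;
    }

    public static void main(String[] args) {
        Response first = handle(new Request());                                   // no header -> 401
        Response wrong = handle(new Request().withAuthorization("alice", "wrong")); // bad creds -> 401
        Response ok = handle(new Request().withAuthorization("alice", "correct horse battery staple"));
        System.out.println(first.status + " " + first.headers.get("WWW-Authenticate"));
        System.out.println(wrong.status + " body=" + wrong.body);
        System.out.println(ok.status + " " + ok.body);
    }
}
```

Compile and run with `javac BasicAuthDemo.java && java BasicAuthDemo`. The model makes the point of both answers visible: the server has no separate "failure" response for BASIC, so the only place an error page can live is the body of the 401 itself, which is exactly what the `<error-page>` mapping supplies. Browsers keep re-prompting as long as the WWW-Authenticate challenge is present and render that body once the user cancels the prompt. The Base64 in the Authorization header is encoding, not encryption, so a BASIC-protected resource should only be served over TLS.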

I found the two examples here to be very helpful: https://svn.java.net/svn/javaeetutorial~svn/trunk/examples/security/hello2_basicauth/ and https://svn.java.net/svn/javaeetutorial~svn/trunk/examples/security/hello1_formauth/ . (You can check out all Java EE 6 examples via Where can I download Java EE 6 Tutorial Examples?) They demonstrate the two approaches you're asking about. Tip: For a newbie to security like me, I found https://addons.mozilla.org/en-US/firefox/addon/live-http-headers/ to be extremely helpful at sniffing around.

Matthew Cornell