
401 Unauthorized response with WWW-Authenticate: Negotiate

suchet
Joined: 2010-05-11

Is there an option in GlassFish to allow a web application to send its own response code, preserve the header, but use the virtual server's configured default HTML page for the response code?

I'm running GlassFish V2.1.1. We have OpenSSO deployed and are supporting GSSAPI authentication with the WDSSO module. The authentication provider in OpenSSO sends a 401 WWW-Authenticate: Negotiate header back to the client. The client negotiates with the KDC authentication service to get a ticket for the service, then sends the ticket back via headers to the OpenSSO server.

I'm trying to set up a custom 401 unauthorized HTML page that will redirect the browser to an LDAP/Password module for OpenSSO in case the client doesn't support GSSAPI authentication.
I have this set up in the container where we are currently running Access Manager (predecessor to OpenSSO), and it works splendidly.

GlassFish appears to override all 401 unauthorized headers (set by OpenSSO) and removes the WWW-Authenticate: Negotiate header and will only send the custom HTML response for any request to the WDSSO module.

I've run the following on the system to
asadmin set \
server.http-service.virtual-server.server.property.send-error_1=\
"path=../docroot/errors/401.html reason=Not_authorized code=401"

swchan2
Joined: 2005-03-29

You are correct. GlassFish will not generate the WWW-Authenticate for the error page.
I have not used OpenSSO for a while. In the past, OpenSSO would redirect the user to the login page.
It is not correct to use the error page to authenticate users.

suchet
Joined: 2010-05-11

OpenSSO is doing its job great; when I try to have GlassFish override the 401 code with an HTML page, GlassFish is breaking OpenSSO.

Without my custom 401 unauthorized page I can send a request and get this response:
GET /opensso/UI/Login?module=wdsso HTTP/1.0

HTTP/1.1 401 Unauthorized
X-Powered-By: Servlet/2.5
Server: Sun GlassFish Enterprise Server v2.1
Cache-Control: private
Pragma: no-cache
Expires: 0
X-DSAMEVersion: Express Build 8(2009-September-1 11:08)
AM_CLIENT_TYPE: genericHTML
Set-Cookie: AMAuthCookie=AQIC5snip==#; Domain=opensso-dev.tcpip.com; Path=/; Secure
Set-Cookie: amlbcookie=03; Domain=opensso-dev.tcpip.com; Path=/; Secure
WWW-Authenticate: Negotiate
Content-Type: text/html
Content-Language:
Content-Length: 1020
Date: Wed, 12 May 2010 03:08:13 GMT
Connection: close

Sun GlassFish Enterprise Server v2.1 - Error report
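
A check for the symptom described in this thread, as an added example that is not part of any post and is not GlassFish or OpenSSO code: it parses a raw 401 response and reports whether the `WWW-Authenticate: Negotiate` challenge survived alongside an HTML body. The sample responses are constructed (trimmed from the capture above), and the function names are hypothetical.

```python
# Added example. Sample responses are constructed (trimmed from the capture
# in the thread); function names are hypothetical.
WITH_CHALLENGE = (
    "HTTP/1.1 401 Unauthorized\r\n"
    "WWW-Authenticate: Negotiate\r\n"
    "Content-Type: text/html\r\n"
    "\r\n"
    "<html>link to the password login module</html>"
)
# Constructed: custom error page served, challenge header no longer present.
STRIPPED = (
    "HTTP/1.1 401 Unauthorized\r\n"
    "Content-Type: text/html\r\n"
    "\r\n"
    "<html>custom 401 page</html>"
)

def parse_response(raw):
    """Return (status, {lower-cased header name: [values]}, body)."""
    head, _, body = raw.replace("\r\n", "\n").partition("\n\n")
    lines = head.split("\n")
    status = int(lines[0].split()[1])
    headers = {}
    for line in lines[1:]:
        name, sep, value = line.partition(":")
        if sep:
            # A list per name: WWW-Authenticate may appear more than once.
            headers.setdefault(name.strip().lower(), []).append(value.strip())
    return status, headers, body

def offered_schemes(headers):
    """Auth schemes offered in WWW-Authenticate (simplified: commas inside
    quoted parameter values are not handled)."""
    schemes = set()
    for value in headers.get("www-authenticate", []):
        for part in value.split(","):
            token = part.strip().split(" ")[0]
            if token and "=" not in token:
                schemes.add(token.lower())
    return schemes

def classify_401(raw):
    """Report whether a 401 keeps both the Negotiate challenge and a body."""
    status, headers, body = parse_response(raw)
    if status != 401:
        return "not-401"
    if "negotiate" not in offered_schemes(headers):
        return "challenge-missing"  # client is never asked to try SPNEGO
    return "challenge-with-body" if body.strip() else "challenge-no-body"
```

Running `classify_401` on a response captured before and after a change to the virtual server's error-page property shows whether the change dropped the challenge header.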