users@glassfish.java.net

Re: 401 Unauthorized response with WWW-Authenticate: Negotiate

From: <glassfish_at_javadesktop.org>
Date: Tue, 11 May 2010 20:28:09 PDT

OpenSSO is doing its job great; when I try to have GlassFish override the 401 code with an HTML page, GlassFish is breaking OpenSSO.

Without my custom 401 unauthorized page I can send a request and get this response:
GET /opensso/UI/Login?module=wdsso HTTP/1.0

HTTP/1.1 401 Unauthorized
X-Powered-By: Servlet/2.5
Server: Sun GlassFish Enterprise Server v2.1
Cache-Control: private
Pragma: no-cache
Expires: 0
X-DSAMEVersion: Express Build 8(2009-September-1 11:08)
AM_CLIENT_TYPE: genericHTML
Set-Cookie: AMAuthCookie=AQIC5snip==#; Domain=opensso-dev.tcpip.com; Path=/; Secure
Set-Cookie: amlbcookie=03; Domain=opensso-dev.tcpip.com; Path=/; Secure
WWW-Authenticate: Negotiate
Content-Type: text/html
Content-Language:
Content-Length: 1020
Date: Wed, 12 May 2010 03:08:13 GMT
Connection: close

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd"><html><head><title>Sun GlassFish Enterprise Server v2.1 - Error report</title><style type="text/css"><snip default 401 error>

If I set the 401 code to use an HTML page that displays a link to sign on with module=DataStore so the client can sign on using a password, the GlassFish container clobbers the "WWW-Authenticate: Negotiate" header, and I can't get WDSSO to work.

asadmin set server.http-service.virtual-server.server.property.send-error_2="path=../docroot/errors/401.html reason=Unauthorized code=401"

And my request to the URL for wdsso, with the response:
GET /opensso/UI/Login?module=wdsso HTTP/1.0

HTTP/1.1 401 Unauthorized
Content-Type: text/html; charset=iso-8859-1
Content-Length: 2442
Date: Wed, 12 May 2010 03:15:59 GMT
Connection: close

<HTML>
<!--
begin/end my custom response page with link to data store module for clients that don't have GSSAPI capability. -->

See above? The WWW-Authenticate header has been removed by GlassFish, even though the OpenSSO web app has added it in the response per the callback file.
[Message sent by forum member 'suchet']

http://forums.java.net/jive/thread.jspa?messageID=469477
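
A client-side check for the symptom described in the message above, as an added example that is not part of the original post or of GlassFish/OpenSSO: it parses the two quoted response heads (abridged here) and reports a 401 that carries no Negotiate challenge, plus the headers that disappeared once the custom error page was configured. The function names are hypothetical.

```python
# Added example. Response heads are abridged from the two quoted in the post;
# function names are hypothetical.
DEFAULT_401 = """HTTP/1.1 401 Unauthorized
Server: Sun GlassFish Enterprise Server v2.1
X-DSAMEVersion: Express Build 8(2009-September-1 11:08)
Set-Cookie: amlbcookie=03; Domain=opensso-dev.tcpip.com; Path=/; Secure
WWW-Authenticate: Negotiate
Content-Type: text/html
Content-Length: 1020
Connection: close

<html>default error report</html>"""

CUSTOM_401 = """HTTP/1.1 401 Unauthorized
Content-Type: text/html; charset=iso-8859-1
Content-Length: 2442
Connection: close

<HTML>custom page</HTML>"""

def parse_head(raw):
    """Return (status_code, {lowercased name: [values]}) for a raw response."""
    lines = raw.splitlines()
    status = int(lines[0].split()[1])
    headers = {}
    for line in lines[1:]:
        if not line.strip():
            break  # blank line ends the header block
        name, _, value = line.partition(":")  # split on the first colon only
        headers.setdefault(name.strip().lower(), []).append(value.strip())
    return status, headers

def check_401(raw, scheme="negotiate"):
    """List the problems that stop a 401 from starting the given auth scheme."""
    status, headers = parse_head(raw)
    if status != 401:
        return []
    # Simplification: treats the first token of each header value as the scheme.
    offered = [v.split()[0].lower() for v in headers.get("www-authenticate", []) if v]
    if not offered:
        return ["401 without WWW-Authenticate"]
    return [] if scheme in offered else ["no %s challenge" % scheme]

def dropped_headers(before, after):
    """Header names present in the first response but missing from the second."""
    return sorted(set(parse_head(before)[1]) - set(parse_head(after)[1]))

if __name__ == "__main__":
    print(check_401(DEFAULT_401), check_401(CUSTOM_401))
    print(dropped_headers(DEFAULT_401, CUSTOM_401))
```

The dropped-header list also shows the Set-Cookie header missing from the second response, which matches the full capture quoted in the message.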