HTTP Basic Authentication: Tomcat vs Jetty

0
votes

I'm using a (simple) basic authentication within my servlet which works well for the Jetty 7.6 server but with Tomcat 6.0.35 I'm getting an error while trying to send the unauthorized response to show the username/password form in browser:

java.lang.IllegalStateException
org.apache.catalina.connector.ResponseFacade.sendError(ResponseFacade.java:421)

The code in my servlet looks like this:

response.setHeader("WWW-Authenticate", "Basic realm=\"" + realm + "\"");
response.sendError(HttpServletResponse.SC_UNAUTHORIZED);

The error occurs on line two of the code sample. I'm not using the <security-constraint> in the web.xml. It should be a very, very simple authentication.

Any idea why Tomcat is not working but Jetty does?

1
javatomcatjettybasic-authentication
What do you do after and before response.sendError? Do you write something to the servlet outputstream? Please post any code related with your response management. - Guido
No, there is nothing written to the response before or after that two lines. I'm confused why it works in Jetty but not in Tomcat. Thx. - Christof Aenderl
@chrise What about any filters that may be running before your servlet? Can you post the full stack trace? - Christopher Schultz
@Christopher Schultz: Thanks for the hint. Seams the response was commited before the response.sendError call. Tomcat is checking this but Jetty not. I'm looking for the whole stack trace. - Christof Aenderl
My misstake, I called the method which set the response error twice so the reponse was, of course, commited and the second call raised the exception. Jetty doesn't care about that programmer failure. Because there will be no usefull answer to this question, I will delete it. Thanks for the hints, you all were on the right way. - Christof Aenderl

1 Answers

0
votes

Ensure:

  1. You do not have any filters that are producing output before your servlet runs
  2. You are only calling response.setStatus/response.sendError one time during the request
  3. You aren't flushing the response buffer

Any of the above can commit the response before you were expecting it.