SPNEGO Error 401 HTML message cannot be customized

Description

The SPNEGO logic leads CAS to send a 401 status with a WWW-Authenticate: Negotiate header to the client. Unfortunately, if the browser is Firefox and this browser is misconfigured (e.g. the network.negotiate-auth.trusted-uris preference does not refer to the CAS server URL), the client remains stuck on Tomcat's default error message.
This message should be customizable, but actually modifying web.xml is not sufficient.

I've tested one modification in the class org.jasig.cas.support.spnego.web.flow.SpnegoNegociateCredentialsAction, where sending the 401 status code is done on line 82 by:

response.setStatus(HttpServletResponse.SC_UNAUTHORIZED);

replaced by:

try {
    response.sendError(HttpServletResponse.SC_UNAUTHORIZED);
} catch (IOException e) {
    response.setStatus(HttpServletResponse.SC_UNAUTHORIZED);
}

I got a partial success:

  • If the error page uses the session: it fails with "cas unavailable".

  • If the error page does not use the session: the first call shows "cas unavailable", and subsequent calls show the right error page.

I suspect a nasty interaction between the response.sendError() and context.getExternalContext().recordResponseComplete() calls.

Environment

Debian squeeze, Java 1.6.0_34, Tomcat 7.0.29, Active Directory 2008 R2 as authentication source (LDAP + Kerberos)
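For comparison, the following is an added illustration (not CAS code and not the reporter's patch) of how a servlet-level component can emit the 401 Negotiate challenge together with its own HTML body, so that the page shown to a misconfigured browser does not depend on the container's <error-page> mapping at all. The class name NegotiateChallenge, the method names and the page wording are assumptions made for this example; the Cache-Control header is an addition of the example, not something the ticket mentions. The security-relevant detail is the choice of setStatus() over sendError(): per the Servlet specification, sendError() commits the response and dispatches to the container's error page for that status, after which nothing further can be written, whereas setStatus() leaves the response open for the application to write the body it wants.

```java
import java.io.IOException;
import java.io.PrintWriter;
import javax.servlet.http.HttpServletResponse;

/**
 * Illustrative helper (hypothetical, not part of CAS): send the SPNEGO
 * challenge and a custom HTML explanation in the same response, instead of
 * relying on Tomcat's default 401 error page.
 */
public final class NegotiateChallenge {

    private NegotiateChallenge() {
    }

    /**
     * Writes a 401 response carrying "WWW-Authenticate: Negotiate" plus an
     * HTML body telling the user how to fix a misconfigured browser.
     *
     * @param response     the servlet response (must not be committed yet)
     * @param casServerUrl the URL the browser must trust for Negotiate auth
     */
    public static void send(HttpServletResponse response, String casServerUrl)
            throws IOException {
        // setStatus(), not sendError(): sendError() would commit the response
        // and hand the request over to the container's <error-page> for 401,
        // which is exactly the path that cannot be customized reliably here.
        response.setStatus(HttpServletResponse.SC_UNAUTHORIZED);

        // The challenge the browser needs to answer with a Kerberos token.
        response.setHeader("WWW-Authenticate", "Negotiate");

        // Assumption of this example: a challenge page should never be cached.
        response.setHeader("Cache-Control", "no-store");
        response.setContentType("text/html; charset=UTF-8");

        // Never embed an unescaped URL in HTML, even one we control.
        String safeUrl = escapeHtml(casServerUrl);

        PrintWriter out = response.getWriter();
        out.println("<!DOCTYPE html>");
        out.println("<html><head><title>Authentication required</title></head><body>");
        out.println("<h1>Integrated Windows authentication failed</h1>");
        out.println("<p>Your browser did not answer the Negotiate challenge.</p>");
        out.println("<p>Firefox users: add <code>" + safeUrl
                + "</code> to the <code>network.negotiate-auth.trusted-uris</code>"
                + " preference (about:config), then reload this page.</p>");
        out.println("</body></html>");
        out.flush();
    }

    /** Minimal HTML escaping for text placed inside an element body. */
    static String escapeHtml(String s) {
        StringBuilder sb = new StringBuilder(s.length());
        for (int i = 0; i < s.length(); i++) {
            char c = s.charAt(i);
            switch (c) {
                case '&':  sb.append("&amp;");  break;
                case '<':  sb.append("&lt;");   break;
                case '>':  sb.append("&gt;");   break;
                case '"':  sb.append("&quot;"); break;
                case '\'': sb.append("&#39;");  break;
                default:   sb.append(c);
            }
        }
        return sb.toString();
    }
}
```

A Spring Web Flow action calling such a helper would still have to tell the flow that the response has been handled (in the flow's own way) so that no view is rendered on top of the body written here; the helper itself only shows the servlet-level half of the problem.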

Assignee

John Gasper

Reporter

Philippe Marasse

Labels

None

Estimated End Date

None

Audience

None

Affects versions

3.5.0

Priority

Minor