Home / server / Questions / 404483
Accepted
petRUShka
Asked: 2012-07-04 09:55:02 +0800 CST

Apache: how to set custom 401 error page and save original behaviour

  • 772

I have Kerberos-based authentication with Apache/2.2.3 (Linux/SUSE). When user is trying to open some url, browser ask him about domain login and password like in HTTP Basic Auth. If user cancel such request 3 times Apache returns 401 Authorization Required error page. My current virtual host config is

    <Directory /home/user/www/current/public/>
            Options -MultiViews +FollowSymLinks
            AllowOverride None
            Order allow,deny
            Allow from all
            AuthType Kerberos
            AuthName "Domain login"
            KrbAuthRealms DOMAIN.COM
            KrbMethodK5Passwd On
            Krb5KeyTab /etc/httpd/httpd.keytab
            require valid-user
    </Directory>

I want to set nice custom 401 error page with some instructions for users. And I added such line in virtual host config:

 ErrorDocument 401 /pages/401

It works, when user can't authorize apache redirects him to my nice page. But Apache doesn't ask user login\password as it did before. I want this functionality and nice error page simultaneously!

Is it possible to make it works properly?

apache-2.2 httpd kerberos custom-errors http-error-401.2

2 Answers

  1. Best Answer

    Firstly, when I used 

    ErrorDocument 401 /pages/401

    /pages/401 was dynamic backend-generated content. When I've created simple static 401.html and have setted

    ErrorDocument 401 /401.html

    whole system started work properly. So the solution is: don't use dynamic pages for displaying 401 error, use static html.

    • 3

  2. The behavior you're describing is client side and has nothing to do with Apache, per se.

    Here's what actually happens:

    1. Browser sends request
    2. Web server responds with 401
    3. Browser prompts user for credentials
    4. Browser re-sends request with credentials

    If access is granted Apache responds with 200, if access is not granted then it goes back to step 2 and continues. Its up to the User-Agent (i.e., your browser) how many times it will try. Your browser apparently stops at 3 tries. After that it keeps the result cached and just shows you the error page.

    Browsers often cache results of these type of operations so this is normal. Did you quit your browser before trying again? That should clear the cached result.

    If you want to see exactly the way Apache is behaving "in the raw", use the following:

    Unauthenticated request:

    curl -D - http://yourserver/page.html

    Authenticated* request:

    curl -u user:pass -D - http://yourserver/page.html

    You will see the headers at the very top of the output for how Apache responds to authenticated vs unauthenticated requests. You should always see a 401 for unauth and 200 for auth. If that is not the case then it's either not configured right or there's something else going on.

    *curl can do kerberos authentication by passing --negotiate but I've never done it and don't have a valid test environment to try in. Read the curl(1) manual for more information.

    • 1