Apache: how to set custom 401 error page and save original behaviour

apache-2.2 httpd kerberos custom-errors http-error-401.2

9,146

Solution 1

Firstly, when I used

ErrorDocument 401 /pages/401

/pages/401 was dynamic backend-generated content. When I've created simple static 401.html and have setted

ErrorDocument 401 /401.html

whole system started work properly. So the solution is: don't use dynamic pages for displaying 401 error, use static html.

Solution 2

The behavior you're describing is client side and has nothing to do with Apache, per se.

Here's what actually happens:

Browser sends request
Web server responds with 401
Browser prompts user for credentials
Browser re-sends request with credentials

If access is granted Apache responds with 200, if access is not granted then it goes back to step 2 and continues. Its up to the User-Agent (i.e., your browser) how many times it will try. Your browser apparently stops at 3 tries. After that it keeps the result cached and just shows you the error page.

Browsers often cache results of these type of operations so this is normal. Did you quit your browser before trying again? That should clear the cached result.

If you want to see exactly the way Apache is behaving "in the raw", use the following:

Unauthenticated request:

curl -D - http://yourserver/page.html

Authenticated* request:

curl -u user:pass -D - http://yourserver/page.html

You will see the headers at the very top of the output for how Apache responds to authenticated vs unauthenticated requests. You should always see a 401 for unauth and 200 for auth. If that is not the case then it's either not configured right or there's something else going on.

*curl can do kerberos authentication by passing --negotiate but I've never done it and don't have a valid test environment to try in. Read the curl(1) manual for more information.

9,146

petRUShka

Updated on September 18, 2022

Comments

petRUShka almost 2 years
I have Kerberos-based authentication with Apache/2.2.3 (Linux/SUSE). When user is trying to open some url, browser ask him about domain login and password like in HTTP Basic Auth. If user cancel such request 3 times Apache returns 401 Authorization Required error page. My current virtual host config is
```
    <Directory /home/user/www/current/public/>
            Options -MultiViews +FollowSymLinks
            AllowOverride None
            Order allow,deny
            Allow from all
            AuthType Kerberos
            AuthName "Domain login"
            KrbAuthRealms DOMAIN.COM
            KrbMethodK5Passwd On
            Krb5KeyTab /etc/httpd/httpd.keytab
            require valid-user
    </Directory>
```
I want to set nice custom 401 error page with some instructions for users. And I added such line in virtual host config:
```
 ErrorDocument 401 /pages/401
```
It works, when user can't authorize apache redirects him to my nice page. But Apache doesn't ask user login\password as it did before. I want this functionality and nice error page simultaneously!

Is it possible to make it works properly?
petRUShka almost 12 years

It isn't only browser behavior. For example if i set KrbMethodK5Passwd Off browser never ask user about login\password. In this case 401 error page will be showed. My question is: is it possible to save default behavior and show my custom 401 error page instead of ugly and non-informative Apache default 401 error page?
ardavis over 8 years

This worked very well for me.