PQ59262: IE DOES NOT DISPLAY 401 ERROR MESSAGES CORRECTLY.

APAR status
Closed as program error.

Error description
I set up a resource and secured it via IHS.  Regardless of the setting
of "Show friendly HTTP error messages" in MS IE.  A comm trace at the
adapter level shows that with EACH 401 Response, IHS includes an HTML
formatted message (Content-Type text/html) with the following content:
.
  <!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN">
  <HTML><HEAD>
  <TITLE>401 Authorization Required</TITLE>
  </HEAD><BODY>
  <H1>Authorization Required</H1>
  This server could not verify that you are authorized to access the
  document requested.  Either you supplied the wrong credentials (e.g.,
  bad password), or your browser doesn't understand how to supply the
  credentials required.
  </BODY></HTML>
.
When a resource is secured with WebSphere and a 401 Response is sent,
there is no text/html message as part of the response.
.
What seems to happen is that after 3 failures, IE displays the text
(message body) of the 401 Response message.  In the case of IHS, it
displays the HTML document shown above.  In the case of WebSphere, there
is no message to display - hence the blank screen.
.
I put together all my information (including a reference to Microsoft's
Knowledge Base article, Q218155 where it is stated:
.
  "Internet Explorer 5 provides a replacement for the HTML template for
  the following friendly error messages:
.
  400, 403, 404, 405, 406, 408, 409, 410, 500, 501, 505"
.
  >> (Note that 401 is NOT listed!) <<
.
and sent this to L3.  After speaking with Dennis R., he suggested that
we should open an APAR since customer would like an EFix.  Kathy R.
agreed to do this (since I will be outta here beginning next week).

Local fix

Problem summary
****************************************************************
* USERS AFFECTED: WebSphere Application Server users of        *
*                 WebSphere to secure web resources.           *
****************************************************************
* PROBLEM DESCRIPTION: If a browser user is challenged for     *
*                      an ID and password (via HTTP code 401)  *
*                      and the request is canceled then IE     *
*                      displays a blank page and Netscape      *
*                      responds "The document contained no     *
*                      data."                                  *
****************************************************************
* RECOMMENDATION:                                              *
****************************************************************
When most browsers receive a 401 they display the challenge
dialog (so the user may enter a name and password) while
displaying the previous HTML screen.  But it is valid for
that response to also contain an HTML body along with the
401 header.  It is that body that is displayed if the
request is canceled (dialog dismissed).  The WebSphere
security subsystem sends no body along with a security
challenge.
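
Added example (not part of the APAR and not IBM code): a check over raw
HTTP responses for the condition described above, that a 401 carries both
a WWW-Authenticate challenge and a body the browser can show when the
dialog is dismissed.  The function names, the realm value and both sample
responses are constructed for illustration.

```python
# Added example; sample responses below are constructed, not captured traces.

def parse_response(raw: bytes):
    """Split a raw HTTP/1.x response into (status, headers, body)."""
    head, _, body = raw.partition(b"\r\n\r\n")
    status_line, _, header_block = head.decode("iso-8859-1").partition("\r\n")
    status = int(status_line.split(" ", 2)[1])
    headers = {}
    for line in header_block.split("\r\n"):
        if line:
            name, _, value = line.partition(":")
            headers[name.strip().lower()] = value.strip()
    return status, headers, body


def check_401(raw: bytes):
    """Return findings for a 401 response; an empty list means it is complete."""
    status, headers, body = parse_response(raw)
    if status != 401:
        return []
    findings = []
    if not headers.get("www-authenticate"):
        findings.append("no WWW-Authenticate challenge")
    if not body.strip() or headers.get("content-length") == "0":
        findings.append("no body to display if the dialog is canceled")
    return findings


# Constructed: 401 with an HTML body, like the IHS response in the trace.
WITH_BODY = (
    b"HTTP/1.1 401 Authorization Required\r\n"
    b'WWW-Authenticate: Basic realm="example"\r\n'
    b"Content-Type: text/html\r\n"
    b"\r\n"
    b"<HTML><HEAD><TITLE>401 Authorization Required</TITLE></HEAD>"
    b"<BODY><H1>Authorization Required</H1></BODY></HTML>"
)

# Constructed: 401 with headers only, the behavior this APAR describes.
WITHOUT_BODY = (
    b"HTTP/1.1 401 Unauthorized\r\n"
    b'WWW-Authenticate: Basic realm="example"\r\n'
    b"Content-Length: 0\r\n"
    b"\r\n"
)

if __name__ == "__main__":
    for name, raw in (("with body", WITH_BODY), ("without body", WITHOUT_BODY)):
        print(name, "->", check_401(raw) or "ok")
```
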
Problem conclusion
This is more so a new feature request than a defect.  I
changed the servlet engine to send the proper HTTP headers
(by invoking the WebSphere security subsystem) and then
send any user-defined 401 error page.
Temporary fix

Comments

APAR information
APAR number PQ59262
Reported component name WEBSPHERE AE AI
Reported component ID 5630A2200
Reported release 400
Status CLOSED PER
PE NoPE
HIPER NoHIPER
Submitted date 2002-03-20
Closed date 2002-03-20
Last modified date 2002-03-20

APAR is sysrouted FROM one or more of the following:
PQ56177

APAR is sysrouted TO one or more of the following:

Modules/Macros
ENGINE          

Fix information
Fixed component name WEBSPHERE AE AI
Fixed component ID 5630A2200

Applicable component levels
R400 PSY    UP


Document Information


Product categories: Software > Application Servers > Distributed Application & Web Servers > WebSphere Application Server > General
Operating system(s):
Software version: 400
Software edition:
Reference #: PQ59262
IBM Group: Software Group
Modified date: Mar 20, 2002