Java servlet redirect with status 401 issue


I am having an issue with redirects in a Java servlet. I want to use status 401 (Not authenticated) instead of 302.

Let's say that I have a protected resource whose URL is "/protected". This URL is mapped to ProtectedServlet. In doGet of ProtectedServlet, I check whether the request is authenticated or not. If not, the servlet redirects the request to the login page. Here is my code:

ProtectedServlet.java

protected void doGet(HttpServletRequest req, HttpServletResponse resp) throws IOException, ServletException {
    boolean isAuth = this.checkAuth();

    if (!isAuth) {
        // WAY1
        resp.setStatus(401);
        resp.sendRedirect(resp.encodeRedirectURL(loginUrl));

        // WAY2
        resp.setStatus(401);
        resp.setHeader("Location", resp.encodeRedirectURL(loginUrl));
    }
}

RESULT

  1. If I use "WAY1", when I request "/protected", I see the LOGIN page, but the returned status is 302, NOT 401 as I expected.

  2. If I use "WAY2", when I request "/protected", I do NOT see the login page. I see an EMPTY page returned with NO status.

Does anyone know what I am doing wrong? Thanks.


There are 1 best solutions below


The HTTP protocol is well defined. The client sends an HTTP request and the server sends them back an HTTP response.

The HTTP response can only have one status code. You can see your options here. In other words, you can't do a redirect by sending a 401. You could put a Location header in your 401 response but you would have to tell your client what to do with it because it isn't standard.

Instead of redirecting, if your user is not authenticated, return a 401 and render the same login page HTML, i.e. do a RequestDispatcher#forward(..) to the login JSP.
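
The approach from the answer above, written out as an added example (not code from the original question or answer). It assumes the javax.servlet API; the view path /WEB-INF/login.jsp, the "user" session attribute and the isAuthenticated helper are hypothetical names chosen for illustration.

```java
import java.io.IOException;
import javax.servlet.ServletException;
import javax.servlet.annotation.WebServlet;
import javax.servlet.http.HttpServlet;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;
import javax.servlet.http.HttpSession;

@WebServlet("/protected")
public class ProtectedServlet extends HttpServlet {

    // Assumption: the login view lives under WEB-INF, so it is reachable
    // only through a server-side forward, never by direct request.
    private static final String LOGIN_VIEW = "/WEB-INF/login.jsp";

    @Override
    protected void doGet(HttpServletRequest req, HttpServletResponse resp)
            throws IOException, ServletException {
        if (!isAuthenticated(req)) {
            // One response, one status: 401 with the login form as its body.
            // setStatus (not sendError) leaves the response uncommitted, so the
            // forward can still write the body; sendError would commit it and
            // hand rendering to the container's error page.
            resp.setStatus(HttpServletResponse.SC_UNAUTHORIZED);
            // Keep intermediaries and the browser from caching the 401 body
            // under the protected URL.
            resp.setHeader("Cache-Control", "no-store");
            req.getRequestDispatcher(LOGIN_VIEW).forward(req, resp);
            return; // never fall through to the protected content
        }
        resp.setContentType("text/plain;charset=UTF-8");
        resp.getWriter().println("protected content");
    }

    // Hypothetical check: a session that already carries a "user" attribute.
    private boolean isAuthenticated(HttpServletRequest req) {
        // getSession(false) avoids creating a session for anonymous requests.
        HttpSession session = req.getSession(false);
        return session != null && session.getAttribute("user") != null;
    }
}
```

The browser keeps "/protected" in the address bar and receives the login form with status 401, so API clients and monitoring see an authentication failure rather than a 302 followed by a 200. RFC 9110 also expects a WWW-Authenticate challenge on a 401; form-based logins have no standard scheme for it, which is why this pattern is a convention rather than strict HTTP authentication.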