TitleBinary Attachment Download fails with IE 6.0 when Container Managed Authentication is activated.
Date09-May-2006 18:03:48 EEST
Version2.2.33
SubmitterChristoph Sauer
Bug criticalityBadBug
Browser versionIE Version 6.0.29xxx, Updateversion SP2
Bug statusClosedBug
PageProvider usedVersioningFileProvider
Servlet Container5.0.28 and 5.5.17
Operating SystemWindows XP
URLhttp://wiki.swl.hs-heilbronn.de/demo/attach/Main/jwhich.zip login = demouser/demouser
Java version1.5.xx

Solution#

This bug is the same as BugSSLAndIENoCacheBug. Solution is described there. Thanks Janne for the hint. --ChristophSauer 11-Sep-06

Descritpion#

I'am using 2.2.33 and Container Managed Security. I added the

<url-pattern>/attach/*</url-pattern> 
to the web.xml to secure download of attachments

heres the full mapping (stripped down to the essential stuff):

      <web-resource-collection>
           <web-resource-name>Restricted Download Area</web-resource-name>
           <url-pattern>/attach/*</url-pattern>
           <http-method>GET</http-method>
       </web-resource-collection>

       <auth-constraint>
           <role-name>admin</role-name>
       </auth-constraint>

Now if i try to download attachments with IE the download fails: After entering the login the download dialog for the given attachment opens, but then a message saying that it could not locate the file shows up.

ie_sucks.png Screenshot saying something like "can't download file, try later".

With firefox and opera it works fine.

I tried to download an attached zip file. Inlined downloads like Images work with IE, it seems that only binary attachments do not work.

I am not using SSL. Authentication is Basic.

With latest IE on Mac download works, so don't bother to try it on your shiny PowerBooks ;)

As soon as i remove the url-pattern download works again in IE.

If i put the url pattern like in the example in the web.xml of 2.2.33 it does not authenticate at all:

<url-pattern>/attach</url-pattern> <!-- doesn't work -->

I've traced AttachmentServlet and it runs through without any exception. I have no clue what went wrong with IE. Is there a way to activate some kind of debugging mode on the client side for IE that shows me what went wrong?

I have Wikis running with 2.0.52 that work well with that authentication setting, so it seems that somewhere along the way the bug came in.

I tried to reproduce it with the latest 2.4.5-cvs (i set the jspwiki.security property to container like described in http://www.nabble.com/Turning-OFF-security--t1573022.html and added my security constraints. ), but then i was not even asked for a login and acces was denied, showing me an error page as if the property didn't work.


Hmm... If you're not using SSL, then why does the URL you give above start with "https://"?

Just a thought - could be that IE needs SSL.

--Janne Jalkanen, 10-May-2006


I tested it locally. OK, removed the user-data-constraint CONFIDENTIAL from the setup above, still does not work.

--Christoph Sauer, 10-May-2006


Does this occur with 2.4 line?

Add new attachment

Only authorized users are allowed to upload new attachments.

List of attachments

Kind Attachment Name Size Version Date Modified Author Change note
png
ie_sucks.png 44.1 kB 1 09-May-2006 18:41 Christoph Sauer
« This page (revision-9) was last changed on 11-Sep-2006 11:03 by ChristophSauer