[ https://issues.jboss.org/browse/SECURITY-722?page=com.atlassian.jira.plug... ]
Sean Flanigan commented on SECURITY-722:
----------------------------------------
This happened to us too. The problem is three-fold:
1. If httpd.conf has ProxyErrorOverride On, the 401 login form will be replaced with a custom error page.
2. org.jboss.security.negotiation.NegotiationAuthenticator apparently doesn't set a contentType for the 401 Response.
3. Apache httpd sees that the response has no Content-Type, and adds a Content-Type header using the DefaultType, which defaults to "text/plain".
See http://httpd.apache.org/docs/2.2/mod/core.html#defaulttype
So the workaround is to edit /etc/httpd/conf/httpd.conf, remove "ProxyErrorOverride On" and set "DefaultType none" instead of "DefaultType text/plain".
Another option (instead of changing DefaultType) would be to override the method
{{org.jboss.security.negotiation.NegotiationAuthenticator.authenticate()}} so that
contentType is set to "text/html", and to activate it as a valve in
jboss-web.xml:
{{<valve><class-name>com.example.CustomNegotiationAuthenticator</class-name></valve>}}
But it would be better to change
org.jboss.security.negotiation.NegotiationAuthenticator.authenticate() so that it sets
contentType on the Response itself.
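The following shell script is an added example, not code from this JIRA thread, from PicketBox or from httpd. It turns the three conditions listed in the comment above into checks a practitioner can run: it audits an httpd.conf fragment for "ProxyErrorOverride On" and for a DefaultType other than none, and it inspects a captured 401 response to see whether a client without a Kerberos ticket would actually get a renderable login form (status 401, a text/html Content-Type, and a form posting to j_security_check). The config fragments and HTTP captures embedded below are constructed samples; the backend address 127.0.0.1:8080 and the ErrorDocument path are assumptions.

```shell
#!/bin/sh
# Added example (not from the JIRA thread, PicketBox or httpd).
# Checks the three conditions described in SECURITY-722: ProxyErrorOverride On,
# a 401 with no Content-Type, and DefaultType text/plain filling it in.
# All inputs below are constructed samples so the script runs offline;
# 127.0.0.1:8080 and /errors/401.html are assumed values.

# Constructed httpd.conf fragment reproducing the broken setup.
BAD_CONF='ProxyPass / http://127.0.0.1:8080/
ProxyPassReverse / http://127.0.0.1:8080/
ProxyErrorOverride On
ErrorDocument 401 /errors/401.html
DefaultType text/plain'

# Constructed fragment with the workaround from the comment applied.
GOOD_CONF='ProxyPass / http://127.0.0.1:8080/
ProxyPassReverse / http://127.0.0.1:8080/
DefaultType none'

# audit_httpd_conf CONFIG_TEXT: print each directive that breaks the
# fallback form; returns 0 when clean, 1 when something must change.
audit_httpd_conf() {
    _rc=0
    if printf '%s\n' "$1" | grep -Eiq '^[[:space:]]*ProxyErrorOverride[[:space:]]+On'; then
        echo "ProxyErrorOverride On: httpd replaces the backend 401 body (the login form) with its ErrorDocument"
        _rc=1
    fi
    # httpd 2.2 defaults DefaultType to text/plain, so only an explicit "none" is safe.
    if ! printf '%s\n' "$1" | grep -Eiq '^[[:space:]]*DefaultType[[:space:]]+none'; then
        echo "DefaultType is not none: a 401 without Content-Type is served as text/plain"
        _rc=1
    fi
    return $_rc
}

# Constructed capture of the 401 as seen through the broken proxy: the
# Negotiate challenge survives, but the form body is labelled text/plain.
BAD_RESP='HTTP/1.1 401 Unauthorized
Server: Apache/2.2.15 (Red Hat)
WWW-Authenticate: Negotiate
Content-Type: text/plain

<html><body><form method="post" action="j_security_check">
<input name="j_username"></form></body></html>'

# Constructed capture after the fix (or when hitting EAP directly).
GOOD_RESP='HTTP/1.1 401 Unauthorized
WWW-Authenticate: Negotiate
Content-Type: text/html;charset=UTF-8

<html><body><form method="post" action="j_security_check">
<input name="j_username"><input name="j_password" type="password"></form></body></html>'

# check_401_response RAW_RESPONSE: returns 0 only if a client without SPNEGO
# would see the login form: status 401, text/html, and a j_security_check form.
check_401_response() {
    _resp="$1"
    _rc=0
    printf '%s\n' "$_resp" | grep -Eq '^HTTP/[0-9.]+ 401' ||
        { echo "expected a 401 challenge, got: $(printf '%s\n' "$_resp" | head -n 1)"; return 1; }
    printf '%s\n' "$_resp" | grep -Eiq '^WWW-Authenticate:[[:space:]]*Negotiate' ||
        echo "warning: no 'WWW-Authenticate: Negotiate' header, SPNEGO is not being offered"
    _ctype=$(printf '%s\n' "$_resp" | grep -Ei '^Content-Type:' | head -n 1 | tr -d '\r' | tr 'A-Z' 'a-z')
    case "$_ctype" in
        *text/html*) ;;
        "") echo "401 has no Content-Type: httpd will stamp DefaultType on it"; _rc=1 ;;
        *)  echo "401 has '$_ctype': the browser renders the form as raw text"; _rc=1 ;;
    esac
    printf '%s\n' "$_resp" | grep -q 'j_security_check' ||
        { echo "no j_security_check form in the body: the login page was replaced"; _rc=1; }
    return $_rc
}

# probe_login URL: fetch the protected page as a client with no Kerberos
# ticket (plain curl sends no Negotiate token) and run the checks on it.
probe_login() {
    check_401_response "$(curl -s -i "$1")"
}

# Offline demonstration on the constructed samples.
audit_httpd_conf "$BAD_CONF" || echo "-> httpd.conf needs the workaround"
audit_httpd_conf "$GOOD_CONF" && echo "-> fixed httpd.conf is clean"
check_401_response "$BAD_RESP" || echo "-> fallback form would not render"
check_401_response "$GOOD_RESP" && echo "-> fallback form renders"
```

Run probe_login against the httpd front end and then against EAP directly (for example http://127.0.0.1:8080/yourapp/, an assumed URL): if the direct response has no Content-Type and the proxied one says text/plain, you are seeing exactly the chain described in the comment, and either the httpd.conf change or the valve override is needed.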
SPNEGO-fallback-to-FORM authentication does not work with httpd+JBossEAP6 if SPNEGO not available
-------------------------------------------------------------------------------------------------
Key: SECURITY-722
URL: https://issues.jboss.org/browse/SECURITY-722
Project: PicketBox
Issue Type: Bug
Security Level: Public(Everyone can see)
Components: Negotiation
Affects Versions: Negotiation_2_2_1
Environment: RHEL6, JBoss EAP 6
Reporter: flame liu
Assignee: Darran Lofthouse
I configured SPNEGO in EAP6. It works well both with EAP only and with EAP6 + Apache httpd (mod_proxy). Users just run kinit and are then able to authenticate successfully.
After that, I added the fallback-to-form files/configurations both in the web app and in standalone-full.xml. The fallback-to-form works only if httpd is stopped. If httpd is running, a 401 error is always thrown.
--
This message is automatically generated by JIRA.
If you think it was sent incorrectly, please contact your JIRA administrators
For more information on JIRA, see:
http://www.atlassian.com/software/jira