I've found some behavior that seems wrong - can someone confirm that it is correct or a known bug?
Specifically, using FORM login (with memory- or jdbc Realm), if I try to log into a protected area with a user and password that exist, but don't have the correct role to access the area, I get a 403: " Apache Tomcat/4.0.1 - HTTP Status 403 - Access to the requested resource has been denied ------------------------------------------------------------------------------ type Status report message Access to the requested resource has been denied description Access to the specified resource (Access to the requested resource has been denied) has been forbidden. " Then, after that failure, when I try to login with a user with the correct role, I get a 404: " Apache Tomcat/4.0.1 - HTTP Status 404 - /jsp/security/j_security_check -------------------------------------------------------------------------------- type Status report message /jsp/security/j_security_check description The requested resource (/jsp/security/j_security_check) is not available. " In both of these cases, I had hoped to get the error page I had specified in <form-error-page>, which I do get if I try to login with a user that does not exist. Is this the correct behavior? It seems that if I try to login with a user with the wrong role it 'breaks' the login for further attempts with a user with the correct role. Any insight would be greatly appriciated. thanks, Chris -- To unsubscribe: <mailto:[EMAIL PROTECTED]> For additional commands: <mailto:[EMAIL PROTECTED]> Troubles with the list: <mailto:[EMAIL PROTECTED]>