Hi, apologies as this is a bit of a cross-post from tomcat-user last week (was 
getting no responses from there).  I need to work out what's going on re: roles 
and login.

I'm observing some unexpected behaviour in Tomcat (3.2.1) in conjunction with 
roles. This is the situation (web.xml is at the bottom):

two roles:
Customer
Gold Customer

a user:
Joe Bloggs

Joe is a "Customer" but not a "Gold Customer"

This is what I observe:

1) new browser (not logged in) browse to /control/CustomerSecurePage
2) browser is redirected to /login.jsp
3) Joe logs in and is redirected to /control/CustomerSecurePage
4) browse to /control/GoldSecurePage
5) browser redirected to /control/loginerror
6) Joe is now logged out, any subsequent attempts to browse to a page secured by
the "customer" role results in a redirection to the login page.

Is this correct behaviour? I would have expected an attempt to access the
gold URL to have denied access but not to have logged the user out!  Unless I 
can resolve this I'm going to have to abandon using Tomcat to manage access to 
restricted content.  This is not something I want to do. I've tried working 
through the source but got lost.

Thanks in advance,
Nathan

this is the relevant section of web.xml:

****************************************************************

    <security-constraint>
      <web-resource-collection>
        <web-resource-name>MySecureBit0</web-resource-name>
        <description>no description</description>
        <url-pattern>/control/GoldSecurePage</url-pattern>
        <http-method>GET</http-method>
        <http-method>POST</http-method>
      </web-resource-collection>
      <auth-constraint>
        <description>no description</description>
        <role-name>gold</role-name>
      </auth-constraint>
    </security-constraint>

    <security-constraint>
      <web-resource-collection>
        <web-resource-name>MySecureBit1</web-resource-name>
        <description>no description</description>
        <url-pattern>/control/CustomerSecurePage</url-pattern>
        <http-method>GET</http-method>
        <http-method>POST</http-method>
      </web-resource-collection>
      <auth-constraint>
        <description>no description</description>
        <role-name>customer</role-name>
      </auth-constraint>
    </security-constraint>

    <login-config>
      <auth-method>FORM</auth-method>
      <realm-name>TheGiftStore</realm-name>
      <form-login-config>
        <form-login-page>/login.jsp</form-login-page>
        <form-error-page>/control/loginerror</form-error-page>
      </form-login-config>
    </login-config>
    <security-role>
      <description>the customer role</description>
      <role-name>customer</role-name>
    </security-role>
    <security-role>
      <description>the gold customer role</description>
      <role-name>gold</role-name>
    </security-role>

****************************************************************
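As an added illustration (not part of Nathan's post and not Tomcat's own code), the script below parses the two security-constraint blocks above and models the servlet-spec authorization decision for them: a request either passes, needs a login, or is forbidden. It walks Nathan's six-step sequence for a user holding only the "customer" role and shows what the spec's model gives at step 6 (the session is untouched by a 403 on the gold page). The URL-pattern matching and constraint-combination rules are taken from the servlet spec, not from Tomcat 3.2.1's implementation, so this is the reference behaviour to compare against, not an explanation of why 3.2.1 diverged. It also exercises two checks worth running against any web.xml like this one: role names in auth-constraint are compared as exact strings (so "Customer" in the realm will not satisfy a "customer" constraint), and listing only GET and POST under http-method leaves every other verb unconstrained. The web.xml fragment and the user's roles are constructed inline to mirror the post.

```python
import xml.etree.ElementTree as ET
from dataclasses import dataclass

# Constructed fragment mirroring the post's web.xml, wrapped in a root element
# so it parses on its own.
WEB_XML = """<web-app>
  <security-constraint>
    <web-resource-collection>
      <web-resource-name>MySecureBit0</web-resource-name>
      <url-pattern>/control/GoldSecurePage</url-pattern>
      <http-method>GET</http-method>
      <http-method>POST</http-method>
    </web-resource-collection>
    <auth-constraint><role-name>gold</role-name></auth-constraint>
  </security-constraint>
  <security-constraint>
    <web-resource-collection>
      <web-resource-name>MySecureBit1</web-resource-name>
      <url-pattern>/control/CustomerSecurePage</url-pattern>
      <http-method>GET</http-method>
      <http-method>POST</http-method>
    </web-resource-collection>
    <auth-constraint><role-name>customer</role-name></auth-constraint>
  </security-constraint>
</web-app>"""


@dataclass
class Constraint:
    patterns: list   # url-patterns from all web-resource-collections
    methods: set     # http-methods; an empty set means every method
    roles: set       # allowed roles; None means no auth-constraint at all


def parse_constraints(xml_text):
    """Extract <security-constraint> elements into Constraint records."""
    root = ET.fromstring(xml_text)
    out = []
    for sc in root.findall("security-constraint"):
        patterns, methods = [], set()
        for wrc in sc.findall("web-resource-collection"):
            patterns += [p.text.strip() for p in wrc.findall("url-pattern")]
            methods |= {m.text.strip().upper() for m in wrc.findall("http-method")}
        ac = sc.find("auth-constraint")
        roles = None if ac is None else {r.text.strip() for r in ac.findall("role-name")}
        out.append(Constraint(patterns, methods, roles))
    return out


def pattern_matches(pattern, path):
    """Servlet-spec style matching: exact, path prefix (/x/*), extension (*.jsp)."""
    if pattern == path:
        return True
    if pattern.endswith("/*"):
        prefix = pattern[:-2]
        return path == prefix or path.startswith(prefix + "/")
    if pattern.startswith("*."):
        return path.endswith(pattern[1:])
    return False


def decide(constraints, path, method, user_roles):
    """Return 'allow', 'login' (unauthenticated and a role is required) or 'forbidden'.

    user_roles is None for an anonymous request. Roles from all matching
    constraints are unioned; an empty auth-constraint forbids everyone.
    """
    allowed = None
    for c in constraints:
        if c.methods and method.upper() not in c.methods:
            continue                       # this verb is not covered at all
        if not any(pattern_matches(p, path) for p in c.patterns):
            continue
        if c.roles is None:
            continue                       # collection without auth-constraint
        if not c.roles:
            return "forbidden"             # <auth-constraint/> with no roles
        allowed = c.roles if allowed is None else allowed | c.roles
    if allowed is None:
        return "allow"                     # nothing constrains this request
    if user_roles is None:
        return "login"                     # FORM auth would redirect to login.jsp
    return "allow" if allowed & user_roles else "forbidden"


def walk_through(constraints):
    """Nathan's sequence for a user who holds only the 'customer' role."""
    joe = {"customer"}
    return [
        decide(constraints, "/control/CustomerSecurePage", "GET", None),  # step 1-2
        decide(constraints, "/control/CustomerSecurePage", "GET", joe),   # step 3
        decide(constraints, "/control/GoldSecurePage", "GET", joe),       # step 4-5
        decide(constraints, "/control/CustomerSecurePage", "GET", joe),   # step 6
    ]
```

Under this model step 6 is still "allow": a forbidden response on the gold page is a 403 for that one request and does not end the authenticated session, which is what the post expected. Two things the script surfaces that are easy to miss when reading the web.xml by eye: a user whose realm role is spelled "Customer" gets "forbidden" on the customer page, because role-name comparison is exact; and a request with any verb other than GET or POST (HEAD, PUT, DELETE, ...) reaches both pages with no login at all, because the http-method list narrows the constraint rather than the resource.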
