> What bugs me is that, if you enter a valid username/password combination,
> tomcat gives no indication that they're valid... it behaves as though the
> name/password are invalid. I would have expected that it would come up with
> a page that said that I didn't have the appropriate rights for that webapp
> or something. Oh well....
This would be a security risk. It would in effect tell a
malicious party "You have found a working username/password
combination for this site, but not this web app".
The would-be cracker could then go around trying various logins
on your site -- not unlike someone having found a key to a building
but not knowing which lock it fits.
It's always better to just give a generic "Authorization Failed"
message no matter what the reason.
s
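To make the point concrete, here is an added illustration (not code from the thread or from Tomcat) of a login handler that distinguishes "unknown user", "wrong password" and "valid login but no role for this web app", next to one that collapses all three into the same generic failure. The user table and passwords are constructed sample data.

```python
import hashlib
import hmac

# Constructed sample data: a plain SHA-256 stands in for a real password hash
# (a production system would use bcrypt/argon2); roles are per-webapp grants.
def _h(pw: str) -> str:
    return hashlib.sha256(pw.encode()).hexdigest()

USERS = {
    "alice": {"pw": _h("correct horse"), "roles": {"manager"}},
    "bob":   {"pw": _h("hunter2"),       "roles": {"admin", "manager"}},
}

def leaky_login(user: str, password: str, required_role: str):
    """Reports each failure differently: a caller can tell a valid
    username/password pair apart from an invalid one."""
    rec = USERS.get(user)
    if rec is None:
        return (401, "Unknown user")
    if not hmac.compare_digest(rec["pw"], _h(password)):
        return (401, "Wrong password")
    if required_role not in rec["roles"]:
        return (403, "Valid login, but no access to this web app")
    return (200, "OK")

def uniform_login(user: str, password: str, required_role: str):
    """Authenticates and authorises, then reports only pass/fail, so
    'credentials valid but wrong web app' looks identical to 'bad login'."""
    # Dummy record keeps the hash comparison on every path, so an unknown
    # user is not answered faster than a known one.
    rec = USERS.get(user, {"pw": _h(""), "roles": set()})
    ok = hmac.compare_digest(rec["pw"], _h(password)) \
        and required_role in rec["roles"]
    return (200, "OK") if ok else (401, "Authorization Failed")

def failure_responses(login) -> set:
    """Collect the responses a handler gives for the three failure cases."""
    cases = [("nobody", "x", "admin"),          # unknown user
             ("alice", "wrong", "admin"),       # known user, wrong password
             ("alice", "correct horse", "admin")]  # valid login, no role
    return {login(*c) for c in cases}
```

`failure_responses(leaky_login)` yields three distinguishable answers, while `failure_responses(uniform_login)` yields exactly one.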