Oops... You're right. This is the same behaviour with all applications provided with Tomcat, too... I never noticed; I always thought that having the wrong role would have been the same as having a wrong password.
Simone
-------------------------
Simone Chiaretta
www.piyosailing.com/S
Any sufficiently advanced technology is indistinguishable from magic
"Life is short, play hard"

> -----Original Message-----
> From: Tim Funk [mailto:[EMAIL PROTECTED]
> Sent: Thursday, 25 March 2004 15:08
> To: Tomcat Users List
> Subject: Re: Problem using form login auth
>
> What's there to solve? 403 is the HTTP response for not authorized.
> There is a large difference between authenticated and authorized.
>
> You can set up a customized 403 error page for catching unauthorized
> requests (using web.xml)
>
> -Tim
>
> Simone - Dev wrote:
>
> > Hello All,
> > I've a strange problem using the form login coupled with JDBCRealm.
> >
> > This is the web.xml I'm using
> >
> > <web-app>
> >   <security-constraint>
> >     <display-name>Example Security Constraint</display-name>
> >     <web-resource-collection>
> >       <web-resource-name>Protected Area</web-resource-name>
> >       <url-pattern>/protected/*</url-pattern>
> >       <http-method>DELETE</http-method>
> >       <http-method>GET</http-method>
> >       <http-method>POST</http-method>
> >       <http-method>PUT</http-method>
> >     </web-resource-collection>
> >     <auth-constraint>
> >       <role-name>manager</role-name>
> >     </auth-constraint>
> >   </security-constraint>
> >
> >   <!-- Default login configuration uses form-based authentication -->
> >   <login-config>
> >     <auth-method>FORM</auth-method>
> >     <realm-name>Example Form-Based Authentication Area</realm-name>
> >     <form-login-config>
> >       <form-login-page>/login.jsp</form-login-page>
> >       <form-error-page>/error.jsp</form-error-page>
> >     </form-login-config>
> >   </login-config>
> >
> >   <security-role>
> >     <description>An administrator</description>
> >     <role-name>manager</role-name>
> >   </security-role>
> > </web-app>
> >
> > The strange behaviour is that if I log on using a completely wrong user
> > (either user or password invalid) I get redirected to the error.jsp
> > page, but if I type in a user that does not have the "manager" role I get
> > redirected to the originally requested page (/protected/index.jsp) but
> > then get a 403 error (Access denied)
> >
> > Can't get to solve this...
>
> ---------------------------------------------------------------------
> To unsubscribe, e-mail: [EMAIL PROTECTED]
> For additional commands, e-mail: [EMAIL PROTECTED]
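
The authenticated-versus-authorized distinction from Tim's reply, as an added example that is not part of the thread and not Tomcat code: a simplified Python model of the container's decision, run over a trimmed copy of the posted web.xml with a 403 error-page mapping added. The /forbidden.jsp page name, the user table and the outcome labels are constructed for illustration, and only the "/prefix/*" url-pattern form is handled.

```python
import hmac
import xml.etree.ElementTree as ET

# Constructed descriptor: trimmed copy of the posted web.xml plus a 403
# <error-page>; /forbidden.jsp is a hypothetical page name.
WEB_XML = """<web-app>
  <error-page>
    <error-code>403</error-code>
    <location>/forbidden.jsp</location>
  </error-page>
  <security-constraint>
    <web-resource-collection>
      <web-resource-name>Protected Area</web-resource-name>
      <url-pattern>/protected/*</url-pattern>
    </web-resource-collection>
    <auth-constraint><role-name>manager</role-name></auth-constraint>
  </security-constraint>
  <login-config>
    <auth-method>FORM</auth-method>
    <form-login-config>
      <form-login-page>/login.jsp</form-login-page>
      <form-error-page>/error.jsp</form-error-page>
    </form-login-config>
  </login-config>
</web-app>"""

# Constructed realm content: user -> (password, roles)
USERS = {"alice": ("pw1", {"manager"}), "bob": ("pw2", {"staff"})}

def form_login(path, user, password, xml=WEB_XML, users=USERS):
    """Return (outcome, page served) after a FORM login for `path`."""
    root = ET.fromstring(xml)
    required = set()
    for sc in root.iter("security-constraint"):
        for pat in sc.iter("url-pattern"):
            if pat.text.endswith("/*") and path.startswith(pat.text[:-1]):
                required |= {r.text for r in sc.iter("role-name")}
    if not required:
        return "ok", path                      # no constraint applies
    entry = users.get(user)
    if entry is None or not hmac.compare_digest(entry[0].encode(), password.encode()):
        # Authentication failed: the form-error-page is shown.
        return "login-failed", root.findtext(".//form-error-page")
    if not (entry[1] & required):
        # Authenticated but lacking the role: 403, custom page if mapped.
        pages = {e.findtext("error-code"): e.findtext("location")
                 for e in root.iter("error-page")}
        return "forbidden-403", pages.get("403", "container default 403 page")
    return "ok", path
```
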