After you log in with a correct user but the wrong role, you have an application problem.
With form-based auth the only way out is:
invalidate the session at your error page, or let the user do that.
With Basic or Digest, the only way is that the user cancels the browser.
Regards Peter
Simone - Dev wrote:
Hello All, I've a strange problem using the form login coupled with JDBCRealm.
This is the web.xml I'm using:
<web-app>
  <security-constraint>
    <display-name>Example Security Constraint</display-name>
    <web-resource-collection>
      <web-resource-name>Protected Area</web-resource-name>
      <url-pattern>/protected/*</url-pattern>
      <http-method>DELETE</http-method>
      <http-method>GET</http-method>
      <http-method>POST</http-method>
      <http-method>PUT</http-method>
    </web-resource-collection>
    <auth-constraint>
      <role-name>manager</role-name>
    </auth-constraint>
  </security-constraint>
  <!-- Default login configuration uses form-based authentication -->
  <login-config>
    <auth-method>FORM</auth-method>
    <realm-name>Example Form-Based Authentication Area</realm-name>
    <form-login-config>
      <form-login-page>/login.jsp</form-login-page>
      <form-error-page>/error.jsp</form-error-page>
    </form-login-config>
  </login-config>
  <security-role>
    <description>An administrator</description>
    <role-name>manager</role-name>
  </security-role>
</web-app>
The strange behaviour is that if I log on using a completely wrong user (either user or password invalid) I get redirected to the error.jsp page, but if I type in a user that does not have the "manager" role I get redirected to the originally requested page (/protected/index.jsp) but then get a 403 error (Access denied).
Can't get to solve this...
Thank you
Simone
-------------------------
Simone Chiaretta
<http://www.piyosailing.com/S>
Any sufficiently advanced technology is indistinguishable from magic
"Life is short, play hard"
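One way to apply the "invalidate the session at your error page" advice to the 403 case, as an added example that is not part of either post: a servlet mapped as the 403 error page that discards the wrong-role session. The class name, the /denied mapping and the use of the javax.servlet API are assumptions.

```java
import java.io.IOException;
import java.io.PrintWriter;
import javax.servlet.ServletException;
import javax.servlet.http.HttpServlet;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;
import javax.servlet.http.HttpSession;

/**
 * Handles the container's 403 for an authenticated user who lacks the "manager" role.
 * Assumed web.xml additions (servlet name and /denied are illustrative):
 *
 *   <servlet>
 *     <servlet-name>denied</servlet-name>
 *     <servlet-class>AccessDeniedServlet</servlet-class>
 *   </servlet>
 *   <servlet-mapping>
 *     <servlet-name>denied</servlet-name>
 *     <url-pattern>/denied</url-pattern>
 *   </servlet-mapping>
 *   <error-page>
 *     <error-code>403</error-code>
 *     <location>/denied</location>
 *   </error-page>
 */
public class AccessDeniedServlet extends HttpServlet {
    private static final long serialVersionUID = 1L;

    // service() rather than doGet(): the error dispatch keeps the original HTTP method.
    @Override
    protected void service(HttpServletRequest req, HttpServletResponse resp)
            throws ServletException, IOException {
        // Drop the session so the wrong-role login is discarded.
        HttpSession session = req.getSession(false);
        if (session != null) {
            session.invalidate();
        }
        resp.setStatus(HttpServletResponse.SC_FORBIDDEN);
        resp.setHeader("Cache-Control", "no-store");
        resp.setContentType("text/html;charset=UTF-8");
        PrintWriter out = resp.getWriter();
        // Link to the protected resource, not login.jsp: the container shows the
        // login form itself when an unauthenticated request hits /protected/*.
        out.println("<html><body><p>This account may not access the protected area.</p>");
        out.println("<p><a href=\"" + req.getContextPath()
                + "/protected/index.jsp\">Log in with a different account</a></p>");
        out.println("</body></html>");
    }
}
```

The /denied location sits outside /protected/*, so the security constraint from the posted web.xml does not apply to it.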
