Thanks for your response. I was hoping it wasn't a bug in 3.2.3, but rather a configuration problem, or that a workaround existed. :*) Does this bug exist in 3.3.1?
I've been reluctant to upgrade to Tomcat 4 due to potential installation and compatibility issues with Apache 1.3.X, mod_jk.so, on both Solaris 2.6 and 2.8. Is this combination a clean upgrade on both OS's?

> -----Original Message-----
> From: Craig R. McClanahan [mailto:[EMAIL PROTECTED]]
> Sent: Friday, August 16, 2002 10:30 AM
> To: Tomcat Users List
> Subject: Re: getRemoteUser() reset to null after authenticated user hits an unauthorized page
>
> On Fri, 16 Aug 2002, Scott Dayberry wrote:
>
> > Date: Fri, 16 Aug 2002 09:31:38 -0600
> > From: Scott Dayberry <[EMAIL PROTECTED]>
> > Reply-To: Tomcat Users List <[EMAIL PROTECTED]>
> > To: [EMAIL PROTECTED]
> > Subject: getRemoteUser() reset to null after authenticated user hits an unauthorized page
> >
> > I am using form-based authentication under Tomcat 3.2.3.
> >
> > I have 3 security-constraint sections in web.xml for 3 different user roles.
> > If an already authenticated user selects a page to which he is not
> > authorized, he is redirected to the form-error-page (I thought this should
> > be a 403-Forbidden error instead), and his authentication is invalidated.
> > (A getRemoteUser() call returning null at this point verifies this).
> >
> > The implication of this, is that he can no longer select any pages that he
> > IS authorized for, and must re-login. Is this a known bug with Tomcat 3.2.3,
> > expected behavior, or is there a configuration setting I am missing?
> >
>
> Sounds like a bug in 3.2.3 (which is pretty ancient, by the way). I think
> 3.2.3 also failed to return getRemoteUser() correctly when you
> successfully log on, and then navigate to a URL not protected by a
> security constraint. Tomcat 4.0 and 4.1 handle that situation correctly.
>
> > Thanks in advance,
> > Scott
> >
>
> Craig
>
> > --
> > To unsubscribe, e-mail: <mailto:[EMAIL PROTECTED]>
> > For additional commands, e-mail: <mailto:[EMAIL PROTECTED]>