Thank you for your answer David. My conclusion would be to move my
protected resources to a separate folder and adjust my web.xml accordingly.
Of course you were absolutely right about the 403 status. My Firefox had an
existing but not authorised user stored and I kept testing with that one.
And instead of a link from the error.html back to the login.html, I would
either add a login form to the error page or link to a page that needs
authentication and causes Tomcat to return the login form again, wouldn't I?
I think I understand that now, thanks!
Marcel
At 16:29 22.01.2007 +0100, you wrote:
I see several potential problems as a side note before the core problem...
First, you map your security constraint to /*, that mean *nothing* in
your webapp will be accessible prior to login, this includes pictures, css.
Second, be aware to never access directly login.html, it should be
tomcat that send the content of login.html to user upon needing
authentification. To make your test, for example, direct your browser to
/index.html (yes authentifcication take place even if file does not
exist :p). Take this into account when adding a 'link' to login form in
your error document
Now, core of problem. Tomcat sends an error 403 header along with the
content of your error page. This happens when your credentials have been
accepted, your are authenticated, but your don't have the required
access right. (common example you are a 'user' but not an 'admin', you
try to access the admin panel, tomcat will refuse you, but not present
you the authentification form because you are already identified)
En l'instant précis du 01/22/07 16:11, Marcel Frehner s'exprimait en ces
termes:
> I'm trying to set up form-based authentication in a JSF Application on
> Tomcat 5.5.4. I've got a login page, a welcome page and an error page.
> On entering the right username and password I get redirected to
> welcome.jsp. On entering the wrong credentials IE displays my custom
> error.html with a link back to login.html where I can try with the
> right password again. So far so good.
>
> Firefox 2.0, however, displays "HTTP Status 403 - Access to the
> requested resource has been denied" if the wrong credentials are
> entered. I can't get back to the login page anymore, even with the
> back button in the browser. Logging in with the correct credentials
> works as expected.
>
> I understand that Tomcat forwards control to the error page configured
> in web.xml if authentication fails. I can't see any browser dependency
> here. Or does it do a redirect, i.e. go back to the browser first?
>
> When setting up the application I followed Sun's Java 5 EE Tutorial
> (Chapter 30: Securing Web Applications) leaving out the mapping of
> roles to user groups as I haven't got any server groups.
>
> The settings in the Tomcat admin application, which works fine, seem
> to be equivalent to mine although hard to compare as it is Struts and
> mine is JSF.
>
> I've got an index.jsp file which takes me into the faces context.
> Could that cause problems?
>
> Help is appreciated very much.
> Marcel
>
>
> <?xml version="1.0" encoding="UTF-8"?>
> <web-app id="WebApp_ID" version="2.4"
> xmlns="http://java.sun.com/xml/ns/j2ee";
> xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance";
> xsi:schemaLocation="http://java.sun.com/xml/ns/j2ee
> http://java.sun.com/xml/ns/j2ee/web-app_2_4.xsd";>
> <display-name>sec24</display-name>
> <servlet>
> <servlet-name>Faces Servlet</servlet-name>
> <servlet-class>javax.faces.webapp.FacesServlet</servlet-class>
> <load-on-startup>1</load-on-startup>
> <security-role-ref>
> <role-name>loginUser</role-name>
> <role-link>loginUser</role-link>
> </security-role-ref>
> </servlet>
> <servlet-mapping>
> <servlet-name>Faces Servlet</servlet-name>
> <url-pattern>*.faces</url-pattern>
> </servlet-mapping>
> <welcome-file-list>
> <welcome-file>index.jsp</welcome-file>
> </welcome-file-list>
> <security-constraint>
> <display-name>SecurityConstraint</display-name>
> <web-resource-collection>
> <web-resource-name>WRCollection</web-resource-name>
> <url-pattern>/*</url-pattern>
> </web-resource-collection>
> <auth-constraint>
> <role-name>loginUser</role-name>
> </auth-constraint>
> </security-constraint>
>
> <login-config>
> <auth-method>FORM</auth-method>
> <realm-name>security</realm-name>
> <form-login-config>
> <form-login-page>/login.html</form-login-page>
> <form-error-page>/error.html</form-error-page>
> </form-login-config>
> </login-config>
> <security-role>
> <role-name>loginUser</role-name>
> </security-role>
> </web-app>
>
>
>
>
> --
> dipl. geogr. Marcel Frehner
> Wissenschaftlicher Mitarbeiter
> Eidgenössische Forschungsanstalt für Wald, Schnee und Landschaft WSL
> Abteilung Landschaftsinventuren
> Zürcherstrasse 111
> 8903 Birmensdorf
>
> Tel. +41-44-739 26 83
> [EMAIL PROTECTED]
> http://www.wsl.ch
>
> ----------------------------
>
>
> ---------------------------------------------------------------------
> To start a new topic, e-mail: users@tomcat.apache.org
> To unsubscribe, e-mail: [EMAIL PROTECTED]
> For additional commands, e-mail: [EMAIL PROTECTED]
>
---------------------------------------------------------------------
To start a new topic, e-mail: users@tomcat.apache.org
To unsubscribe, e-mail: [EMAIL PROTECTED]
For additional commands, e-mail: [EMAIL PROTECTED]
--
dipl. geogr. Marcel Frehner
Wissenschaftlicher Mitarbeiter
Eidgenössische Forschungsanstalt für Wald, Schnee und Landschaft WSL
Abteilung Landschaftsinventuren
Zürcherstrasse 111
8903 Birmensdorf
Tel. +41-44-739 26 83
[EMAIL PROTECTED]
http://www.wsl.ch
----------------------------
---------------------------------------------------------------------
To start a new topic, e-mail: users@tomcat.apache.org
To unsubscribe, e-mail: [EMAIL PROTECTED]
For additional commands, e-mail: [EMAIL PROTECTED]
