I have a webapp 'guest', with two subfolders 'guest1' and 'guest2'.
These are protected by security constraints.
/guest/guest1 has a security constraint requiring role 'guest1'
/guest/guest2 has a security constraint requiring role 'guest2'
Users 'guest1' and 'guest2' map to roles of the same names, and each
user has its own distinct password.
1. User 'guest1' logs in successfully and is able to view /guest/guest1/*
2. Now user guest1 tries to access /guest/guest2. Since s/he is not
authorized to access this area, one can expect a failure.
PROBLEM: the server returns a 404 error when 'guest1' accesses a
non-authorized area (/guest/guest2). This results in a blank page in the
browser, which is very confusing. In this case I don't really care, but I
have other more important situations coming.
QUESTION: shouldn't some kind of "not authorized" error be returned by
Tomcat? A 404 error is very confusing for the user.
The web.xml configuration is shown below.
<servlet-mapping>
  <servlet-name>guest</servlet-name>
  <url-pattern>/*</url-pattern>
</servlet-mapping>
<!-- Define reference to the user database for looking up roles -->
<resource-env-ref>
  <description>blah blah blah</description>
  <resource-env-ref-name>users</resource-env-ref-name>
  <resource-env-ref-type>org.apache.catalina.UserDatabase</resource-env-ref-type>
</resource-env-ref>
<!-- Define a Security Constraint on this Application -->
<security-constraint>
  <web-resource-collection>
    <web-resource-name>Guest 1 access</web-resource-name>
    <url-pattern>/_guest1_/*</url-pattern>
  </web-resource-collection>
  <auth-constraint>
    <role-name>guest1</role-name>
  </auth-constraint>
</security-constraint>
<security-constraint>
  <web-resource-collection>
    <web-resource-name>Guest 2 access</web-resource-name>
    <url-pattern>/_guest2_/*</url-pattern>
  </web-resource-collection>
  <auth-constraint>
    <role-name>guest2</role-name>
  </auth-constraint>
</security-constraint>
<!-- Define the Login Configuration for this Application -->
<login-config>
  <auth-method>BASIC</auth-method>
  <realm-name>Guest Realm</realm-name>
</login-config>
<!-- Security roles referenced by this web application
     (the servlet spec allows one role-name per security-role element) -->
<security-role>
  <role-name>guest1</role-name>
</security-role>
<security-role>
  <role-name>guest2</role-name>
</security-role>
Lloyd Chambers
http://diglloyd.com
[Mac OS X 10.5.2 Intel, Tomcat 6.0.16]
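As an added illustration (not part of the post above, and not Tomcat's own code), the following Python models the container's authorization decision for the two constraints described in the post, so the expected outcome for each request path can be checked offline before looking at the server's response code. It assumes the url-patterns are the context-relative /guest1/* and /guest2/* and that request paths are given relative to the /guest context; the web.xml fragment is constructed for the example.

```python
import xml.etree.ElementTree as ET

# Constructed web.xml fragment mirroring the two constraints in the post;
# the patterns /guest1/* and /guest2/* are an assumption.
WEB_XML = """<web-app>
  <security-constraint>
    <web-resource-collection><url-pattern>/guest1/*</url-pattern></web-resource-collection>
    <auth-constraint><role-name>guest1</role-name></auth-constraint>
  </security-constraint>
  <security-constraint>
    <web-resource-collection><url-pattern>/guest2/*</url-pattern></web-resource-collection>
    <auth-constraint><role-name>guest2</role-name></auth-constraint>
  </security-constraint>
</web-app>"""


def pattern_matches(pattern, path):
    """Servlet-spec url-pattern matching: exact match, path prefix (/x/*),
    extension (*.ext) and the default pattern '/'."""
    if pattern in ("/", "/*"):
        return True
    if pattern.endswith("/*"):
        prefix = pattern[:-2]
        return path == prefix or path.startswith(prefix + "/")
    if pattern.startswith("*."):
        return path.endswith(pattern[1:])
    return path == pattern


def constraint_decision(web_xml, path, user_roles):
    """Return 'unconstrained', 'allowed' or 'denied' for a request path,
    given the set of roles the authenticated user holds."""
    needed, constrained = set(), False
    for sc in ET.fromstring(web_xml).iter("security-constraint"):
        patterns = [p.text.strip() for p in sc.iter("url-pattern")]
        if not any(pattern_matches(p, path) for p in patterns):
            continue
        constrained = True
        auth = sc.find("auth-constraint")
        if auth is None:  # a matching constraint without auth-constraint opens the resource
            return "allowed"
        needed.update(r.text.strip() for r in auth.iter("role-name"))
    if not constrained:
        return "unconstrained"
    if "*" in needed and user_roles:  # '*' means any authenticated user
        return "allowed"
    return "allowed" if needed & set(user_roles) else "denied"
```

A 'denied' result is the case where the container, not the application, rejects the request, so a non-404 status (403 under Tomcat's default behaviour) is what a defender should expect to see in the access log for that path.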