I have a webapp 'guest', with two subfolders 'guest1' and 'guest2'. These are protected by security constraints.

/guest/guest1 has a security constraint requiring role 'guest1'
/guest/guest2 has a security constraint requiring role 'guest2'

Users 'guest1' and 'guest2' map to roles of the same names, and each user has its own distinct password.

1. User 'guest1' logs in successfully and is able to view /guest/guest1/*

2. Now user guest1 tries to access /guest/guest2. Since s/he is not authorized to access this area, one can expect a failure.

PROBLEM: the server returns a 404 error when 'guest1' accesses a non-authorized area (/guest/guest2). This results in a blank page in the browser, which is very confusing. In this case I don't really care, but I have other more important situations coming.

QUESTION: shouldn't some kind of "not authorized" error be returned by Tomcat? A 404 error is very confusing for the user.

The web.xml configuration is shown below.


   <servlet-mapping>
       <servlet-name>guest</servlet-name>
       <url-pattern>/*</url-pattern>
   </servlet-mapping>

<!-- Define reference to the user database for looking up roles -->
  <resource-env-ref>
    <description>blah blah blah</description>
    <resource-env-ref-name>users</resource-env-ref-name>
    <resource-env-ref-type>org.apache.catalina.UserDatabase</resource-env-ref-type>
  </resource-env-ref>

  <!-- Define a Security Constraint on this Application -->
  <security-constraint>
    <web-resource-collection>
      <web-resource-name>Guest 1 access</web-resource-name>
      <url-pattern>/_guest1_/*</url-pattern>
    </web-resource-collection>
    <auth-constraint>
       <role-name>guest1</role-name>
    </auth-constraint>
  </security-constraint>

  <security-constraint>
    <web-resource-collection>
      <web-resource-name>Guest 2 access</web-resource-name>
      <url-pattern>/_guest2_/*</url-pattern>
    </web-resource-collection>
    <auth-constraint>
       <role-name>guest2</role-name>
    </auth-constraint>
  </security-constraint>

  <!-- Define the Login Configuration for this Application -->
  <login-config>
    <auth-method>BASIC</auth-method>
    <realm-name>Guest Realm</realm-name>
  </login-config>

  <!-- Security roles referenced by this web application -->
  <!-- One security-role element per role: each security-role may hold
       only a single role-name -->
  <security-role>
    <role-name>guest1</role-name>
  </security-role>
  <security-role>
    <role-name>guest2</role-name>
  </security-role>


Lloyd Chambers
http://diglloyd.com

[Mac OS X 10.5.2 Intel, Tomcat 6.0.16]
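An added example, not the poster's own web.xml, showing how the two constraints above look when written out in full for the 'guest' context. Two points matter for the behaviour described in the post. First, Tomcat answers a request from a user who is authenticated but lacks the role named in the matching auth-constraint with 403, not 404; a 404 on /guest/guest2 is therefore a sign that no constraint actually matched that path (url-patterns are relative to the context root, so the pattern for /guest/guest2 must be /guest2/*) and the request fell through to the servlet mapped on /*, or that the servlet itself produced the 404. Second, an error-page entry for 403 replaces the blank browser page with a page you control. The file names forbidden.html and not-found.html are assumptions for the example.

```xml
<?xml version="1.0" encoding="UTF-8"?>
<!-- Added example web.xml for the 'guest' context (not the original poster's file).
     url-patterns are matched against the path inside the context, so
     /guest1/* covers /guest/guest1/... and /guest2/* covers /guest/guest2/... -->
<web-app xmlns="http://java.sun.com/xml/ns/javaee"
         xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
         xsi:schemaLocation="http://java.sun.com/xml/ns/javaee
                             http://java.sun.com/xml/ns/javaee/web-app_2_5.xsd"
         version="2.5">

  <security-constraint>
    <web-resource-collection>
      <web-resource-name>Guest 1 access</web-resource-name>
      <url-pattern>/guest1/*</url-pattern>
    </web-resource-collection>
    <auth-constraint>
      <role-name>guest1</role-name>
    </auth-constraint>
  </security-constraint>

  <security-constraint>
    <web-resource-collection>
      <web-resource-name>Guest 2 access</web-resource-name>
      <url-pattern>/guest2/*</url-pattern>
    </web-resource-collection>
    <auth-constraint>
      <role-name>guest2</role-name>
    </auth-constraint>
  </security-constraint>

  <login-config>
    <auth-method>BASIC</auth-method>
    <realm-name>Guest Realm</realm-name>
  </login-config>

  <!-- One security-role element per role; a security-role holds exactly one role-name. -->
  <security-role>
    <role-name>guest1</role-name>
  </security-role>
  <security-role>
    <role-name>guest2</role-name>
  </security-role>

  <!-- 403 is what the container sends when an authenticated user is not in the
       required role. Map it to a page so the browser never shows a blank screen.
       /forbidden.html and /not-found.html are assumed names for this example. -->
  <error-page>
    <error-code>403</error-code>
    <location>/forbidden.html</location>
  </error-page>
  <error-page>
    <error-code>404</error-code>
    <location>/not-found.html</location>
  </error-page>

</web-app>
```

To confirm which case you are in, request /guest/guest2/ as guest1 with a client that shows the status line (for example curl -i -u guest1:password): a 403 with the forbidden page means the constraint matched and authorization was refused as expected, while a 404 means the constraint never applied to that path and the request reached the servlet mapped on /*.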



