I actually have my role names defined within EACH constraint.

-----Original Message-----
From: DIGLLOYD INC [mailto:[EMAIL PROTECTED]]
Sent: Friday, May 02, 2008 10:56 AM
To: Tomcat List Users
Subject: authenticated but not authorized -- blank page

I have a webapp 'guest', with two subfolders 'guest1' and 'guest2'. These are protected by security constraints.

/guest/guest1 has a security constraint requiring role 'guest1'
/guest/guest2 has a security constraint requiring role 'guest2'

Users 'guest1' and 'guest2' map to roles of the same names, and each user has its own distinct password.

1. User 'guest1' logs in successfully and is able to view /guest/guest1/*
2. Now user guest1 tries to access /guest/guest2. Since s/he is not authorized to access this area, one can expect a failure.

PROBLEM: the server returns a 404 error when 'guest1' accesses a non-authorized area (/guest/guest2). This results in a blank page in the browser -- very confusing. In this case I don't really care, but I have other more important situations coming.

QUESTION: shouldn't some kind of "not authorized" error be returned by Tomcat? A 404 error is very confusing for the user.

The web.xml configuration is shown below.

    <servlet-mapping>
        <servlet-name>guest</servlet-name>
        <url-pattern>/*</url-pattern>
    </servlet-mapping>

    <!-- Define reference to the user database for looking up roles -->
    <resource-env-ref>
        <description>blah blah blah</description>
        <resource-env-ref-name>users</resource-env-ref-name>
        <resource-env-ref-type>org.apache.catalina.UserDatabase</resource-env-ref-type>
    </resource-env-ref>

    <!-- Define a Security Constraint on this Application -->
    <security-constraint>
        <web-resource-collection>
            <web-resource-name>Guest 1 access</web-resource-name>
            <url-pattern>/_guest1_/*</url-pattern>
        </web-resource-collection>
        <auth-constraint>
            <role-name>guest1</role-name>
        </auth-constraint>
    </security-constraint>

    <security-constraint>
        <web-resource-collection>
            <web-resource-name>Guest 2 access</web-resource-name>
            <url-pattern>/_guest2_/*</url-pattern>
        </web-resource-collection>
        <auth-constraint>
            <role-name>guest2</role-name>
        </auth-constraint>
    </security-constraint>

    <!-- Define the Login Configuration for this Application -->
    <login-config>
        <auth-method>BASIC</auth-method>
        <realm-name>Guest Realm</realm-name>
    </login-config>

    <!-- Security roles referenced by this web application
         (the deployment descriptor schema allows exactly one role-name
         per security-role element, so each role gets its own element) -->
    <security-role>
        <role-name>guest1</role-name>
    </security-role>
    <security-role>
        <role-name>guest2</role-name>
    </security-role>

Lloyd Chambers
http://diglloyd.com
[Mac OS X 10.5.2 Intel, Tomcat 6.0.16]

---------------------------------------------------------------------
To start a new topic, e-mail: users@tomcat.apache.org
To unsubscribe, e-mail: [EMAIL PROTECTED]
For additional commands, e-mail: [EMAIL PROTECTED]
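The thread turns on which security constraint, if any, actually governs a request path: the container only checks roles for a path that some url-pattern matches, and a path no pattern covers is served with no authorization check at all, while an authenticated user who lacks every required role on a matched path gets 403, not 404. The checker below is an added example, not the poster's configuration or Tomcat's code. It parses a constructed web.xml fragment modelled on the one above (with plain `/guest1/*` and `/guest2/*` patterns plus one extra deny-all constraint) and applies the servlet-spec matching order (exact, longest path prefix, extension, default `/`), reporting which constraints govern a path and the status a container should produce. It is deliberately simplified: http-method restrictions, user-data-constraint and web.xml namespaces are ignored.

```python
"""Which <security-constraint> governs a path, and what status should result?
Added example; not the original poster's code and not Tomcat's implementation.
Matching order follows the servlet spec (exact > longest path prefix >
extension > default '/'); http-method and transport constraints are ignored."""
import xml.etree.ElementTree as ET
from dataclasses import dataclass
from typing import List, Optional

# Constructed web.xml fragment modelled on the one in the thread (no xmlns,
# so plain tag names work with ElementTree). The *.jsp constraint is an
# assumption added to show an empty <auth-constraint/> (deny everyone).
WEB_XML = """<web-app>
  <security-constraint>
    <web-resource-collection>
      <web-resource-name>Guest 1 access</web-resource-name>
      <url-pattern>/guest1/*</url-pattern>
    </web-resource-collection>
    <auth-constraint><role-name>guest1</role-name></auth-constraint>
  </security-constraint>
  <security-constraint>
    <web-resource-collection>
      <web-resource-name>Guest 2 access</web-resource-name>
      <url-pattern>/guest2/*</url-pattern>
    </web-resource-collection>
    <auth-constraint><role-name>guest2</role-name></auth-constraint>
  </security-constraint>
  <security-constraint>
    <web-resource-collection>
      <web-resource-name>No JSP source</web-resource-name>
      <url-pattern>*.jsp</url-pattern>
    </web-resource-collection>
    <auth-constraint/>
  </security-constraint>
</web-app>"""


@dataclass
class Constraint:
    name: str
    patterns: List[str]
    roles: Optional[List[str]]  # None: no <auth-constraint> (open); []: deny all


def parse_constraints(xml_text: str) -> List[Constraint]:
    root = ET.fromstring(xml_text)
    out = []
    for sc in root.findall("security-constraint"):
        names = [n.text.strip() for n in sc.iter("web-resource-name")]
        patterns = [p.text.strip() for p in sc.iter("url-pattern")]
        ac = sc.find("auth-constraint")
        roles = None if ac is None else [r.text.strip() for r in ac.findall("role-name")]
        out.append(Constraint(names[0] if names else "", patterns, roles))
    return out


def _match_rank(pattern: str, path: str):
    """(rank, tie-breaker) if pattern matches path, else None. Lower wins:
    0 exact, 1 path prefix (longer prefix wins via negative length),
    2 extension, 3 the default pattern '/'."""
    if pattern == path:
        return (0, 0)
    if pattern.endswith("/*"):
        prefix = pattern[:-2]
        if prefix == "" or path == prefix or path.startswith(prefix + "/"):
            return (1, -len(prefix))
    if pattern.startswith("*.") and path.rsplit("/", 1)[-1].endswith(pattern[1:]):
        return (2, 0)
    if pattern == "/":
        return (3, 0)
    return None


def governing(constraints: List[Constraint], path: str) -> List[Constraint]:
    """All constraints whose best pattern is the best match for the path;
    constraints sharing that pattern are combined, as the spec requires."""
    best = None
    for c in constraints:
        for p in c.patterns:
            r = _match_rank(p, path)
            if r is not None and (best is None or r < best):
                best = r
    if best is None:
        return []  # unconstrained: no role check will ever run for this path
    return [c for c in constraints if any(_match_rank(p, path) == best for p in c.patterns)]


def authorize(constraints: List[Constraint], path: str,
              user_roles: Optional[List[str]]) -> int:
    """Expected status: 200 permitted, 401 credentials required,
    403 authenticated but not in any required role. user_roles=None means
    no credentials were presented."""
    matched = governing(constraints, path)
    if not matched or any(c.roles is None for c in matched):
        return 200  # unconstrained, or opened by a constraint without auth-constraint
    required = {r for c in matched for r in c.roles}
    if user_roles is None:
        return 401
    if "*" in required or required & set(user_roles):
        return 200
    return 403


if __name__ == "__main__":
    cs = parse_constraints(WEB_XML)
    for path, roles in [("/guest1/index.html", ["guest1"]), ("/guest2/index.html", ["guest1"]),
                        ("/guest1/index.html", None), ("/index.html", ["guest1"]),
                        ("/guest1/page.jsp", ["guest1"]), ("/tools/page.jsp", ["guest2"])]:
        names = [c.name for c in governing(cs, path)] or ["(none)"]
        print(f"{path:22} roles={roles!s:12} -> {authorize(cs, path, roles)} via {names}")
```

Two things worth noting from the run: `/guest1/page.jsp` is governed by `/guest1/*`, not `*.jsp`, because a path-prefix match outranks an extension match; and any path for which `governing()` returns an empty list is one the container will serve without consulting the realm, so checking that list for the paths you believe are protected is the first step when a constraint seems not to fire.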