Christopher Schultz wrote:
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1
Aaaaaaaaaaaaaaaaaaaaaaaaaaaaa,
On 2/10/2010 8:36 AM, aaaaaa wrote:
When the user goes in a particular page I need to ask him a new
authentication because this page needs more privileges (this page infact is
only for administrators and in web.xml I specify it with a security
constraint and role).
This second step is my problem. When he goes in this page only the message
"Access to the requested resource has been denied" appears while I would
like that tomcat asks him for a new login and at the same time that tomcat
remembers the previous login when the user comes back in the other pages.
Tomcat implements container-managed security according to the Java
Servlet Specification, which does not specify the behavior above.
Instead, once a user is authenticated, their identity is considered
"known" and their roles dictate the resources they may access.
If you want the behavior you describe above, you'll have to use a
different security mechanism than the one provided by Tomcat.
Or use an Apache httpd in front of Tomcat, and pass the
httpd-authenticated user-id to Tomcat from Apache.
---------------------------------------------------------------------
To unsubscribe, e-mail: users-unsubscr...@tomcat.apache.org
For additional commands, e-mail: users-h...@tomcat.apache.org
