tomcat-dev mailing list archives

Site index · List index
Message view « Date » · « Thread »
Top « Date » · « Thread »
From Nathan Coast <nathan.co...@cableinet.co.uk>
Subject Roles / Login / j_security check
Date Tue, 08 May 2001 09:07:26 GMT
Hi, apologies as this is a bit of a cross-post from tomcat-user last week (was 
getting no responses from there).  I need to work out what's going on re: roles 
and login.

I'm observing some unexpected behaviour in Tomcat (3.2.1) in conjuction with 
roles. This is the situation: (web.xml is at the bottom)

two roles:
Customer
Gold Customer

a user:
Joe Bloggs

Joe is a "Customer" but not a "Gold Customer"

This is what I observe:

1) new browser (not logged in) browse to /control/CustomerSecurePage
2) browser is redirected to /login.jsp
3) Joe logs in and is redirected to /control/CustomerSecurePage
4) browse to /control/GoldSecurePage
5) browser redirected to /control/loginerror
6) Joe is now logged out, any subsequent attempts to browse to a page secured by
the "customer" role results in a redirection to the login page.

Is this correct behaviour? I would have expected an attempt to access to the
gold url to have denied access but not to have logged the user out!  Unless I 
can resolve this I'm going to have to abandon using tomcat to manage access to 
restricted content.  This is not something I want to do. I've tried working 
through the source but got lost.

Thanks in advance,
Nathan

this is the relevant section of web.xml:

****************************************************************

    <security-constraint>
      <web-resource-collection>
        <web-resource-name>MySecureBit0</web-resource-name>
        <description>no description</description>
        <url-pattern>/control/GoldSecurePage</url-pattern>
        <http-method>GET</http-method>
        <http-method>POST</http-method>
      </web-resource-collection>
      <auth-constraint>
        <description>no description</description>
        <role-name>gold</role-name>
      </auth-constraint>
    </security-constraint>

    <security-constraint>
      <web-resource-collection>
        <web-resource-name>MySecureBit1</web-resource-name>
        <description>no description</description>
        <url-pattern>/control/CustomerSecurePage</url-pattern>
        <http-method>GET</http-method>
        <http-method>POST</http-method>
      </web-resource-collection>
      <auth-constraint>
        <description>no description</description>
        <role-name>customer</role-name>
      </auth-constraint>
    </security-constraint>

    <login-config>
      <auth-method>FORM</auth-method>
      <realm-name>TheGiftStore</realm-name>
      <form-login-config>
        <form-login-page>/login.jsp</form-login-page>
        <form-error-page>/control/loginerror</form-error-page>
      </form-login-config>
    </login-config>
    <security-role>
      <description>the customer role</description>
      <role-name>customer</role-name>
    </security-role>
    <security-role>
      <description>the gold customer role</description>
      <role-name>gold</role-name>
    </security-role>

****************************************************************


Mime
View raw message