DO NOT REPLY TO THIS EMAIL, BUT PLEASE POST YOUR BUG RELATED COMMENTS THROUGH THE WEB INTERFACE AVAILABLE AT . ANY REPLY MADE TO THIS MESSAGE WILL NOT BE COLLECTED AND INSERTED IN THE BUG DATABASE.

http://nagoya.apache.org/bugzilla/show_bug.cgi?id=3865

403 response code.

craig.mcclanahan@sun.com changed:

           What    |Removed                     |Added
----------------------------------------------------------------------------
             Status|NEW                         |RESOLVED
         Resolution|                            |INVALID

------- Additional Comments From craig.mcclanahan@sun.com 2001-09-28 08:48 -------

According to the servlet specification, the login page is only displayed if the container does not know who the user is. Since you are already logged in, it *does* know who you are. When it checks your roles against those required by your security constraint, a 403 (Forbidden) error is the correct and required response if you do not possess the appropriate role. If Tomcat 3.x did something different, then it was broken.

Note that you can customize the look and feel of the error by registering an error page handler for the 403 status code:

    <error-page>
      <error-code>403</error-code>
      <location>/my-403-error-page.jsp</location>
    </error-page>

in the web.xml file. The text on this page could offer a link that invalidates the session (logging you off) and then redirects to the page you tried to access (which will trigger the login dialog again since it is protected).

WARNING: This technique won't work in the 4.0 final release, because of a bug in the way error pages for HTTP errors issued by the container are handled -- but this will be fixed in the upcoming 4.0.1 release.
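One way to build the 403 page the comment describes, as an added example that is not code from the bug report or from Tomcat: the error-page registration uses Servlet 2.3 web.xml syntax and `javax.servlet.error.request_uri` is the request attribute the Servlet 2.3 specification supplies to error pages, while the class name, the `/forbidden` path and the session attribute name are assumptions.

```java
// web.xml (Servlet 2.3): map this servlet to /forbidden and register it as the
// 403 error page; /forbidden itself must not be under a security-constraint.
//   <error-page><error-code>403</error-code><location>/forbidden</location></error-page>
import java.io.IOException;
import java.io.PrintWriter;
import javax.servlet.http.HttpServlet;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;
import javax.servlet.http.HttpSession;

public class ForbiddenHandlerServlet extends HttpServlet {
    private static final String TARGET_ATTR = "forbidden.target";   // assumed name

    protected void doGet(HttpServletRequest req, HttpServletResponse resp)
            throws IOException {
        HttpSession session = req.getSession(false);
        if ("1".equals(req.getParameter("logout"))) {
            // Direct request from the link below: invalidate the session (logging the
            // user off), then redirect to the protected page so the container shows
            // the login dialog again.
            String target = req.getContextPath() + "/";
            if (session != null) {
                Object saved = session.getAttribute(TARGET_ATTR);
                if (saved != null) {
                    target = (String) saved;
                }
                session.invalidate();
            }
            resp.sendRedirect(resp.encodeRedirectURL(target));
            return;
        }
        // Forwarded here by the container on a 403. Servlet 2.3 sets this attribute to
        // the URI the user asked for; keep it server-side instead of in the link so
        // the page cannot be turned into an open redirect.
        String uri = (String) req.getAttribute("javax.servlet.error.request_uri");
        if (session != null && uri != null && uri.startsWith("/") && !uri.startsWith("//")) {
            session.setAttribute(TARGET_ATTR, uri);
        }
        resp.setContentType("text/html");
        PrintWriter out = resp.getWriter();
        out.println("<html><body><h1>403 Forbidden</h1>");
        out.println("<p>Your account does not hold a role that permits this page.</p>");
        out.println("<p><a href=\"" + resp.encodeURL(req.getContextPath() + "/forbidden?logout=1")
                + "\">Log off and sign in as a different user</a></p></body></html>");
    }
}
```

If the container served the 403 to a request with no session, the logout link simply falls back to the context root.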