tomcat-dev mailing list archives

Site index · List index
Message view « Date » · « Thread »
Top « Date » · « Thread »
From bugzi...@apache.org
Subject DO NOT REPLY [Bug 6446] New: - Access denied instead of new challenge when authentication fails
Date Thu, 14 Feb 2002 00:27:51 GMT
DO NOT REPLY TO THIS EMAIL, BUT PLEASE POST YOUR BUG 
RELATED COMMENTS THROUGH THE WEB INTERFACE AVAILABLE AT
<http://nagoya.apache.org/bugzilla/show_bug.cgi?id=6446>.
ANY REPLY MADE TO THIS MESSAGE WILL NOT BE COLLECTED AND 
INSERTED IN THE BUG DATABASE.

http://nagoya.apache.org/bugzilla/show_bug.cgi?id=6446

Access denied instead of new challenge when authentication fails

           Summary: Access denied instead of new challenge when
                    authentication fails
           Product: Tomcat 4
           Version: 4.0.1 Final
          Platform: All
        OS/Version: All
            Status: NEW
          Severity: Normal
          Priority: Other
         Component: Catalina
        AssignedTo: tomcat-dev@jakarta.apache.org
        ReportedBy: hans@gefionsoftware.com


In a web application with two security constraints with different sets of
required roles, all access attempts to the second one are denied (403)
after successful authetication to the first.

Example:

  <security-constraint>
    <web-resource-collection>
      <web-resource-name>search</web-resource-name>
      <url-pattern>/ch12/search/*</url-pattern>
    </web-resource-collection>
    <auth-constraint>
      <role-name>admin</role-name>
      <role-name>user</role-name>
    </auth-constraint>
  </security-constraint>

  <security-constraint>
    <web-resource-collection>
      <web-resource-name>admin</web-resource-name>
      <url-pattern>/ch12/admin/*</url-pattern>
    </web-resource-collection>
    <auth-constraint>
      <role-name>admin</role-name>
    </auth-constraint>
  </security-constraint>

After accessing resources protected by the "search" constraint as a user in 
the role "user", all attempts to access resources protected by the "admin"
constraint are denied. Previous versions of Tomcat (at least TC 3.x) issued
a new challenge response in this case, which IMHO is a more accurate behavior.

--
To unsubscribe, e-mail:   <mailto:tomcat-dev-unsubscribe@jakarta.apache.org>
For additional commands, e-mail: <mailto:tomcat-dev-help@jakarta.apache.org>


Mime
View raw message