Date: 14 Feb 2002 00:27:51 -0000
Message-ID: <20020214002751.4532.qmail@nagoya.betaversion.org>
From: bugzilla@apache.org
To: tomcat-dev@jakarta.apache.org
Subject: DO NOT REPLY [Bug 6446] New: - Access denied instead of new challenge when authentication fails

http://nagoya.apache.org/bugzilla/show_bug.cgi?id=6446

Access denied instead of new challenge when authentication fails

Summary: Access denied instead of new challenge when authentication fails
Product: Tomcat 4
Version: 4.0.1 Final
Platform: All
OS/Version: All
Status: NEW
Severity: Normal
Priority: Other
Component: Catalina
AssignedTo: tomcat-dev@jakarta.apache.org
ReportedBy: hans@gefionsoftware.com

In a web application with two security constraints with different sets of required roles, all access attempts to the second one are denied (403) after successful authentication to the first.

Example:

    search /ch12/search/* admin user
    admin /ch12/admin/* admin

After accessing resources protected by the "search" constraint as a user in the role "user", all attempts to access resources protected by the "admin" constraint are denied.

Previous versions of Tomcat (at least TC 3.x) issued a new challenge response in this case, which IMHO is a more accurate behavior.
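
The two behaviours the report contrasts, as a simplified model added here (it is not Tomcat's code and not part of the original report). It assumes the flattened example describes two constraints, "search" (roles admin, user) and "admin" (role admin); `decide`, `find_constraint` and the `rechallenge_on_role_mismatch` switch are hypothetical names, and only `/prefix/*` patterns are modelled.

```python
from dataclasses import dataclass

@dataclass(frozen=True)
class Constraint:
    name: str
    url_pattern: str   # only the "/prefix/*" form from the report is modelled
    roles: frozenset   # roles allowed by the constraint

# The report's two constraints (assumed reading of its flattened example).
CONSTRAINTS = (
    Constraint("search", "/ch12/search/*", frozenset({"admin", "user"})),
    Constraint("admin", "/ch12/admin/*", frozenset({"admin"})),
)

def find_constraint(path, constraints=CONSTRAINTS):
    """Return the first constraint whose prefix pattern covers path, else None."""
    for c in constraints:
        prefix = c.url_pattern[:-2]  # drop the trailing "/*"
        if path == prefix or path.startswith(prefix + "/"):
            return c
    return None

def decide(path, user_roles, rechallenge_on_role_mismatch):
    """Return the status code sent for path.

    user_roles is None when no credentials were sent, otherwise the set of
    roles held by the authenticated user. rechallenge_on_role_mismatch is a
    hypothetical switch: False models the 403 the report saw on 4.0.1, True
    models the new challenge (401) it attributes to TC 3.x.
    """
    c = find_constraint(path)
    if c is None:
        return 200                      # unprotected resource
    if user_roles is None:
        return 401                      # no credentials yet: challenge
    if c.roles & frozenset(user_roles):
        return 200                      # authenticated and in an allowed role
    return 401 if rechallenge_on_role_mismatch else 403

if __name__ == "__main__":
    for switch in (False, True):
        print(switch, decide("/ch12/search/q", {"user"}, switch),
              decide("/ch12/admin/users", {"user"}, switch))
```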