tomcat-users mailing list archives

From: "Craig R. McClanahan" <craig...@apache.org>
Subject: Re: How to capture authentication errors
Date: Tue, 22 Jan 2002 17:49:03 GMT

On Tue, 22 Jan 2002, Andrea Cervellati wrote:

> Date: Tue, 22 Jan 2002 08:36:41 +0100 (MET)
> From: Andrea Cervellati <cervel@sparc20.ing.unimo.it>
> Reply-To: Tomcat Users List <tomcat-user@jakarta.apache.org>,
>      Andrea Cervellati <cervel@sparc20.ing.unimo.it>
> To: tomcat-user@jakarta.apache.org
> Subject: How to capture authentication errors
>
> Hi,
>
> I'm using JBoss and Tomcat to develop my web application.
>
> I have a security domain and the user must authenticate itself to access the
> restricted area.
>
> I'm using the DatabaseServer login module and I have defined the necessary
> tables.
>
> I want to display an error page when the user is not allowed to access instead
> of the HTTP-403 error message.
>
> The error.jsp page starts with the following:
>
> <%@ page language="java" session="false" isThreadSafe="false" info="Error Page"
> isErrorPage="true" %>
>
> In my jboss-web.xml I've specified that the security domain to be used is the
> same as the JBoss EJB container:
>
> <jboss-web> <security-domain>java:/jaas/modulojdbc</security-domain>
> </jboss-web>
>
> I've tried to add the following lines in the web.xml:
>
> <error-page>
>      <error-code>403</error-code>
>      <location>/error.jsp</location>
> </error-page>
>

This is the right way to do what you want.

> but I keep having the HTTP-403 message displayed.
>

Tomcat 4.0 and 4.0.1 did not support user-defined error pages for
authentication errors.  Could you please try this with Tomcat 4.0.2b2
instead?


> I've also tried to use the <form-error-page> tag like this:
>
> <login-config>
>     <auth-method>FORM</auth-method>
>     <form-login-config>
>     <form-login-page>/login.jsp</form-login-page>
>     <form-error-page>/error.jsp</form-error-page>
>     </form-login-config>
> </login-config>
>
> , but still have the problem
>

That's because the form error page is only used when the username/password
combination is not recognized (essentially, it replaces a 401 status).
The 403 error means that the container figured out who the user was --
that person just doesn't have one of the required roles to access the
requested resource.

> What can I do?
> Should I add anything else in the jboss-web.xml?
>
> I've posted this question even in the Java Forums and someone answered me that
> he had to change the Tomcat source to fix the problem.
>
> Please help!
>
>                    Thanks in advance
>

Craig McClanahan
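
Added example, not part of the original message: a Servlet 2.3 `web.xml` that puts the two mechanisms discussed above side by side, so a failed login and a missing role each get their own page. The `/restricted/*` pattern, the `member` role, the realm name and `/denied.jsp` are assumed names; `/login.jsp` and `/error.jsp` are the ones from the question.

```xml
<?xml version="1.0" encoding="ISO-8859-1"?>
<!DOCTYPE web-app PUBLIC
    "-//Sun Microsystems, Inc.//DTD Web Application 2.3//EN"
    "http://java.sun.com/dtd/web-app_2_3.dtd">
<web-app>

  <!-- Authorization failure: the user is known but holds none of the
       required roles, so the container answers 403. /denied.jsp is an
       assumed page name, kept separate from the login error page. -->
  <error-page>
    <error-code>403</error-code>
    <location>/denied.jsp</location>
  </error-page>

  <!-- Assumed protected area and role. -->
  <security-constraint>
    <web-resource-collection>
      <web-resource-name>Restricted area</web-resource-name>
      <url-pattern>/restricted/*</url-pattern>
    </web-resource-collection>
    <auth-constraint>
      <role-name>member</role-name>
    </auth-constraint>
  </security-constraint>

  <!-- Authentication failure: the username/password combination was not
       recognized, so the container shows form-error-page in place of a
       401 status. -->
  <login-config>
    <auth-method>FORM</auth-method>
    <realm-name>Restricted area</realm-name>
    <form-login-config>
      <form-login-page>/login.jsp</form-login-page>
      <form-error-page>/error.jsp</form-error-page>
    </form-login-config>
  </login-config>

  <security-role>
    <role-name>member</role-name>
  </security-role>

</web-app>
```

The element order follows the 2.3 DTD (`error-page` before `security-constraint`, `login-config` and `security-role`). To check the split, log in with a wrong password and then with a valid account that lacks the `member` role: the first should land on `/error.jsp`, the second on `/denied.jsp`.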

