tomcat-users mailing list archives

Site index · List index
Message view « Date » · « Thread »
Top « Date » · « Thread »
From David Delbecq <de...@oma.be>
Subject Re: Access to error page denied in Firefox 2.0
Date Mon, 22 Jan 2007 15:29:41 GMT
I see several potential problems as a side note before the core problem...
First, you map your security constraint to /*, that mean *nothing* in
your webapp will be accessible prior to login, this includes pictures, css.
Second, be aware to never access directly login.html, it should be
tomcat that send the content of login.html to user upon needing
authentification. To make your test, for example, direct your browser to
/index.html (yes authentifcication take place even if file does not
exist :p). Take this into account when adding a 'link' to login form in
your error document

Now, core of problem. Tomcat sends an error 403 header along with the
content of your error page. This happens when your credentials have been
accepted, your are authenticated, but your don't have the required
access right. (common example you are a 'user' but not an 'admin', you
try to access the admin panel, tomcat will refuse you, but not present
you the authentification form because you are already identified)


En l'instant précis du 01/22/07 16:11, Marcel Frehner s'exprimait en ces
termes:
> I'm trying to set up form-based authentication in a JSF Application on
> Tomcat 5.5.4. I've got a login page, a welcome page and an error page.
> On entering the right username and password I get redirected to
> welcome.jsp. On entering the wrong credentials IE displays my custom
> error.html with a link back to login.html where I can try with the
> right password again. So far so good.
>
> Firefox 2.0, however, displays "HTTP Status 403 - Access to the
> requested resource has been denied" if the wrong credentials are
> entered. I can't get back to the login page anymore, even with the
> back button in the browser. Logging in with the correct credentials
> works as expected.
>
> I understand that Tomcat forwards control to the error page configured
> in web.xml if authentication fails. I can't see any browser dependency
> here. Or does it do a redirect, i.e. go back to the browser first?
>
> When setting up the application I followed Sun's Java 5 EE Tutorial
> (Chapter 30: Securing Web Applications) leaving out the mapping of
> roles to user groups as I haven't got any server groups.
>
> The settings in the Tomcat admin application, which works fine, seem
> to be equivalent to mine although hard to compare as it is Struts and
> mine is JSF.
>
> I've got an index.jsp file which takes me into the faces context.
> Could that cause problems?
>
> Help is appreciated very much.
> Marcel
>
>
> <?xml version="1.0" encoding="UTF-8"?>
> <web-app id="WebApp_ID" version="2.4"
> xmlns="http://java.sun.com/xml/ns/j2ee"
> xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
> xsi:schemaLocation="http://java.sun.com/xml/ns/j2ee
> http://java.sun.com/xml/ns/j2ee/web-app_2_4.xsd">
> <display-name>sec24</display-name>
> <servlet>
> <servlet-name>Faces Servlet</servlet-name>
> <servlet-class>javax.faces.webapp.FacesServlet</servlet-class>
> <load-on-startup>1</load-on-startup>
> <security-role-ref>
> <role-name>loginUser</role-name>
> <role-link>loginUser</role-link>
> </security-role-ref>
> </servlet>
> <servlet-mapping>
> <servlet-name>Faces Servlet</servlet-name>
> <url-pattern>*.faces</url-pattern>
> </servlet-mapping>
> <welcome-file-list>
> <welcome-file>index.jsp</welcome-file>
> </welcome-file-list>
> <security-constraint>
> <display-name>SecurityConstraint</display-name>
> <web-resource-collection>
> <web-resource-name>WRCollection</web-resource-name>
> <url-pattern>/*</url-pattern>
> </web-resource-collection>
> <auth-constraint>
> <role-name>loginUser</role-name>
> </auth-constraint>
> </security-constraint>
>
> <login-config>
> <auth-method>FORM</auth-method>
> <realm-name>security</realm-name>
> <form-login-config>
> <form-login-page>/login.html</form-login-page>
> <form-error-page>/error.html</form-error-page>
> </form-login-config>
> </login-config>
> <security-role>
> <role-name>loginUser</role-name>
> </security-role>
> </web-app>
>
>
>
>
> -- 
> dipl. geogr. Marcel Frehner
> Wissenschaftlicher Mitarbeiter
> Eidgenössische Forschungsanstalt für Wald, Schnee und Landschaft WSL
> Abteilung Landschaftsinventuren
> Zürcherstrasse 111
> 8903 Birmensdorf
>
> Tel. +41-44-739 26 83
> marcel.frehner@wsl.ch
> http://www.wsl.ch
>
> ----------------------------
>
>
> ---------------------------------------------------------------------
> To start a new topic, e-mail: users@tomcat.apache.org
> To unsubscribe, e-mail: users-unsubscribe@tomcat.apache.org
> For additional commands, e-mail: users-help@tomcat.apache.org
>


---------------------------------------------------------------------
To start a new topic, e-mail: users@tomcat.apache.org
To unsubscribe, e-mail: users-unsubscribe@tomcat.apache.org
For additional commands, e-mail: users-help@tomcat.apache.org


Mime
View raw message