tomcat-users mailing list archives

Site index · List index
Message view « Date » · « Thread »
Top « Date » · « Thread »
From "Propes, Barry L " <barry.l.pro...@citi.com>
Subject RE: authenticated but not authorized -- blank page
Date Fri, 02 May 2008 17:15:26 GMT
I actually have my role names defined within EACH constraint.

-----Original Message-----
From: DIGLLOYD INC [mailto:diglloyd1@diglloyd.com]
Sent: Friday, May 02, 2008 10:56 AM
To: Tomcat List Users
Subject: authenticated but not authorized -- blank page


I have a webapp 'guest', with two subfolders 'guest1' and 'guest2'.    
These are protected by security constraints.

/guest/guest1 has a security constraint requiring role 'guest1'
/guest/guest2 has a security constraint requiring role 'guest2'

Users 'guest1' and 'guest2' map to roles of the same names, and each  
user has its own distinct password.

1.  User 'guest1' logs in successfully and is able to view /guest/ 
guest1/*

2.  Now user guest1 tries to access /guest/guest2.  Since s/he is not  
authorized to access this area, one can expect a failure.

PROBLEM:  the server returns a 404 error when 'guest1' accesses a non- 
authorized area (/guest/guest2).  This results in a blank page in the  
browser-very confusing.  In this case I don't really care, but I have  
other more important situations coming.

QUESTION: shouldn't some kind of "not authorized" error be returned by  
Tomcat?  A 404 error is very confusing for the user.

The web.xml configuration is shown below.


    <servlet-mapping>
        <servlet-name>guest</servlet-name>
        <url-pattern>/*</url-pattern>
    </servlet-mapping>

<!-- Define reference to the user database for looking up roles -->
   <resource-env-ref>
     <description>blah blah blah</description>
     <resource-env-ref-name>users</resource-env-ref-name>
     <resource-env-ref-type>org.apache.catalina.UserDatabase</resource- 
env-ref-type>
   </resource-env-ref>

   <!-- Define a Security Constraint on this Application -->
   <security-constraint>
     <web-resource-collection>
       <web-resource-name>Guest 1 access</web-resource-name>
       <url-pattern>/_guest1_/*</url-pattern>
     </web-resource-collection>
     <auth-constraint>
        <role-name>guest1</role-name>
     </auth-constraint>
   </security-constraint>

   <security-constraint>
     <web-resource-collection>
       <web-resource-name>Guest 2 access</web-resource-name>
       <url-pattern>/_guest2_/*</url-pattern>
     </web-resource-collection>
     <auth-constraint>
        <role-name>guest2</role-name>
     </auth-constraint>
   </security-constraint>

   <!-- Define the Login Configuration for this Application -->
   <login-config>
     <auth-method>BASIC</auth-method>
     <realm-name>Guest Realm</realm-name>
   </login-config>

   <!-- Security roles referenced by this web application -->
   <security-role>
     <role-name>guest1</role-name>
     <role-name>guest2</role-name>
   </security-role>


Lloyd Chambers
http://diglloyd.com

[Mac OS X 10.5.2 Intel, Tomcat 6.0.16]





---------------------------------------------------------------------
To start a new topic, e-mail: users@tomcat.apache.org
To unsubscribe, e-mail: users-unsubscribe@tomcat.apache.org
For additional commands, e-mail: users-help@tomcat.apache.org


Mime
View raw message