tomcat-users mailing list archives

From DIGLLOYD INC <digllo...@diglloyd.com>
Subject authenticated but not authorized -- blank page
Date Fri, 02 May 2008 15:55:32 GMT
I have a webapp 'guest', with two subfolders 'guest1' and 'guest2'. These are protected by security constraints.

/guest/guest1 has a security constraint requiring role 'guest1'
/guest/guest2 has a security constraint requiring role 'guest2'

Users 'guest1' and 'guest2' map to roles of the same names, and each user has its own distinct password.

1.  User 'guest1' logs in successfully and is able to view /guest/guest1/*

2.  Now user guest1 tries to access /guest/guest2.  Since s/he is not authorized to access this area, one can expect a failure.

PROBLEM:  the server returns a 404 error when 'guest1' accesses a non-authorized area (/guest/guest2).  This results in a blank page in the browser, very confusing.  In this case I don't really care, but I have other more important situations coming.

QUESTION: shouldn't some kind of "not authorized" error be returned by Tomcat?  A 404 error is very confusing for the user.

The web.xml configuration is shown below.

   <servlet-mapping>
     <servlet-name>guest</servlet-name>
     <url-pattern>/*</url-pattern>
   </servlet-mapping>

   <!-- Define reference to the user database for looking up roles -->
   <resource-env-ref>
     <description>blah blah blah</description>
     <resource-env-ref-name>users</resource-env-ref-name>
     <resource-env-ref-type>org.apache.catalina.UserDatabase</resource-env-ref-type>
   </resource-env-ref>

   <!-- Define a Security Constraint on this Application -->
   <security-constraint>
     <web-resource-collection>
       <web-resource-name>Guest 1 access</web-resource-name>
       <url-pattern>/_guest1_/*</url-pattern>
     </web-resource-collection>
     <auth-constraint>
        <role-name>guest1</role-name>
     </auth-constraint>
   </security-constraint>

   <security-constraint>
     <web-resource-collection>
       <web-resource-name>Guest 2 access</web-resource-name>
       <url-pattern>/_guest2_/*</url-pattern>
     </web-resource-collection>
     <auth-constraint>
        <role-name>guest2</role-name>
     </auth-constraint>
   </security-constraint>

   <!-- Define the Login Configuration for this Application -->
   <login-config>
     <auth-method>BASIC</auth-method>
     <realm-name>Guest Realm</realm-name>
   </login-config>

   <!-- Security roles referenced by this web application.
        The servlet schema allows exactly one <role-name> per
        <security-role>, so each role gets its own element. -->
   <security-role>
     <role-name>guest1</role-name>
   </security-role>
   <security-role>
     <role-name>guest2</role-name>
   </security-role>


Lloyd Chambers
http://diglloyd.com

[Mac OS X 10.5.2 Intel, Tomcat 6.0.16]
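As an added illustration, not part of the post and not Tomcat's own code: a small Python model of the decision a Servlet container makes when a request hits a `<security-constraint>`, so the expected status for "authenticated but not in the role" (403) can be compared against "not authenticated" (401) and "unconstrained" (200). The embedded web.xml is a constructed sample: it reuses the two constraints from the post but writes their patterns as /guest1/* and /guest2/* (an assumption matching the paths described in the prose), and adds a hypothetical deny-all constraint on /admin/* to show the empty `<auth-constraint/>` case. URL-pattern matching follows the Servlet specification's order (exact match, then longest /* prefix, then *.ext); the default "/" pattern is left out for brevity.

```python
"""Model of a Servlet container's authorization decision for one request,
driven by the <security-constraint> elements of a web.xml.  Added example,
not code from the post or from Tomcat."""
import xml.etree.ElementTree as ET
from dataclasses import dataclass
from typing import Optional

# Constructed sample, not copied from any deployment.  The /guest1 and
# /guest2 patterns are an assumption; /admin/* is a hypothetical extra.
WEB_XML = """<web-app>
  <security-constraint>
    <web-resource-collection>
      <web-resource-name>Guest 1 access</web-resource-name>
      <url-pattern>/guest1/*</url-pattern>
    </web-resource-collection>
    <auth-constraint><role-name>guest1</role-name></auth-constraint>
  </security-constraint>
  <security-constraint>
    <web-resource-collection>
      <web-resource-name>Guest 2 access</web-resource-name>
      <url-pattern>/guest2/*</url-pattern>
    </web-resource-collection>
    <auth-constraint><role-name>guest2</role-name></auth-constraint>
  </security-constraint>
  <security-constraint>
    <web-resource-collection>
      <web-resource-name>Locked for everyone (hypothetical)</web-resource-name>
      <url-pattern>/admin/*</url-pattern>
    </web-resource-collection>
    <auth-constraint/>
  </security-constraint>
</web-app>"""


@dataclass(frozen=True)
class Constraint:
    pattern: str
    # None: no <auth-constraint>, open to everyone.
    # Empty frozenset: <auth-constraint/> with no roles, denied to everyone.
    roles: Optional[frozenset]


def parse_constraints(xml_text: str) -> list:
    """Flatten each <security-constraint> into one Constraint per url-pattern."""
    root = ET.fromstring(xml_text)
    out = []
    for sc in root.findall("security-constraint"):
        auth = sc.find("auth-constraint")
        roles = None
        if auth is not None:
            roles = frozenset((r.text or "").strip() for r in auth.findall("role-name"))
            roles = frozenset(r for r in roles if r)
        for wrc in sc.findall("web-resource-collection"):
            for up in wrc.findall("url-pattern"):
                out.append(Constraint(up.text.strip(), roles))
    return out


def _specificity(pattern: str, path: str):
    """Rank how well `pattern` matches `path` (higher tuple = more specific),
    or None when it does not match: exact > longest /* prefix > *.ext."""
    if pattern == path:
        return (3, 0)
    if pattern.endswith("/*"):
        prefix = pattern[:-2]
        # The prefix must end on a whole path segment: /guest1/* must not
        # match /guest10/x.
        if path == prefix or path.startswith(prefix + "/"):
            return (2, len(prefix))
    if pattern.startswith("*.") and path.endswith(pattern[1:]):
        return (1, 0)
    return None


def applicable(constraints: list, path: str) -> list:
    """Keep only the best-matching constraints for this path."""
    ranked = [(c, _specificity(c.pattern, path)) for c in constraints]
    ranked = [(c, s) for c, s in ranked if s is not None]
    if not ranked:
        return []
    best = max(s for _, s in ranked)
    return [c for c, s in ranked if s == best]


def decide(constraints: list, path: str, user_roles) -> int:
    """HTTP status the container answers with; user_roles is None when the
    request carries no authenticated principal."""
    matched = applicable(constraints, path)
    if not matched:
        return 200  # no constraint covers this path
    if any(c.roles is not None and not c.roles for c in matched):
        return 403  # <auth-constraint/> naming no roles: nobody passes
    if any(c.roles is None for c in matched):
        return 200  # a constraint without <auth-constraint> opens the path
    required = set().union(*(c.roles for c in matched))
    if user_roles is None:
        return 401  # unauthenticated: the BASIC challenge goes out
    if "*" in required or required & set(user_roles):
        return 200
    return 403      # authenticated, but in none of the required roles


def scenario_from_post() -> dict:
    """The situations described in the post, plus the two extra cases."""
    cons = parse_constraints(WEB_XML)
    return {
        "guest1 -> /guest1/index.html": decide(cons, "/guest1/index.html", {"guest1"}),
        "guest1 -> /guest2/index.html": decide(cons, "/guest2/index.html", {"guest1"}),
        "anonymous -> /guest2/index.html": decide(cons, "/guest2/index.html", None),
        "guest1 -> /public/index.html": decide(cons, "/public/index.html", {"guest1"}),
        "guest2 -> /admin/tool": decide(cons, "/admin/tool", {"guest2"}),
    }


if __name__ == "__main__":
    for case, status in scenario_from_post().items():
        print(f"{case:34} -> {status}")
```

Under this model the second case (guest1 asking for /guest2/...) yields 403, not 404, which is the "not authorized" answer the question asks about. Whatever status the container actually sends, the body the user sees can be replaced with a page of your own by adding an `<error-page>` element to web.xml whose `<error-code>` names that status and whose `<location>` points at the page to serve.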