tomcat-users mailing list archives

From Marcel Stör <>
Subject Re: Request not forwarded to login page with security-constraint after session time-out
Date Thu, 26 Feb 2009 23:14:48 GMT

On 26.02.2009, at 23:44, Mark Thomas wrote:

> Caldarale, Charles R wrote:
>>> From: Mark Thomas []
>>> Subject: Re: Request not forwarded to login page with
>>> security-constraint after session time-out
>>> The spec is clearer than that. The "*" role == all roles
>>> defined in web.xml.
>> Yes, but what it's not clear about is what happens when there are  
>> *no* roles defined in web.xml, which is the situation the OP has.
> I thought it was pretty clear. If "*" is all roles defined and you have
> no roles defined then you are basically preventing anyone from accessing
> that resource (subject to the weird and wonderful rules on combining
> security constraints).

Not sure I can follow you guys on this... A few questions, my  
assumption is that the role-issue has nothing to do with the real  

1. Is the "*"-role issue even relevant in my context? After all, the  
security constraint works fine if I initially log in...

2. My requirement is indeed: "allow any authenticated user, ignore  
roles altogether". So I set

in web.xml and allRolesMode="AUTH_ONLY_MODE" in the JDBC realm config.  
Correct? Uummhh, obviously not, because there's still this error in  
the log, but it has no impact:

Feb 27, 2009 12:06:43 AM org.apache.catalina.realm.JDBCRealm getRoles
SEVERE: Exception performing authentication
java.sql.SQLException: ORA-00903: invalid table name

	at oracle.jdbc.driver.T4CTTIoer.processError(
	at oracle.jdbc.driver.T4CTTIoer.processError(

3. Why does it seem to be relevant that the request where
auto-forwarding-to-login-after-session-timeout fails is an AJAX request?


Marcel Stör,
Skype: marcelstoer
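
An added configuration sketch for the setup discussed in this thread (not the poster's files and not taken from the Tomcat project): a constraint using the "*" role with no security-role declared, next to a JDBCRealm whose allRolesMode is set to authOnly, one of the three values the Tomcat Realm documentation lists (strict, authOnly, strictAuthOnly). The URL pattern, resource name, connection details and table/column names are placeholders.

```xml
<!-- web.xml (fragment). "*" stands for every role declared in this file.
     No <security-role> element is declared, so under the default
     allRolesMode (strict) no user can satisfy this constraint. -->
<security-constraint>
  <web-resource-collection>
    <web-resource-name>protected-area</web-resource-name> <!-- placeholder -->
    <url-pattern>/app/*</url-pattern>                      <!-- placeholder -->
  </web-resource-collection>
  <auth-constraint>
    <role-name>*</role-name>
  </auth-constraint>
</security-constraint>

<!-- server.xml or context.xml (fragment).
     allRolesMode values:
       strict         - user must hold one of the roles declared in web.xml
       authOnly       - any authenticated user passes; roles are not checked
       strictAuthOnly - like authOnly, unless web.xml declares roles, in
                        which case the user must hold at least one of them
     JDBCRealm reads a user's roles from userRoleTable / roleNameCol. -->
<Realm className="org.apache.catalina.realm.JDBCRealm"
       allRolesMode="authOnly"
       driverName="oracle.jdbc.OracleDriver"
       connectionURL="jdbc:oracle:thin:@//db.example.invalid:1521/SERVICE"
       connectionName="PLACEHOLDER_USER"
       connectionPassword="PLACEHOLDER_PASSWORD"
       userTable="users" userNameCol="user_name" userCredCol="user_pass"
       userRoleTable="user_roles" roleNameCol="role_name"/>
```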
