tomcat-users mailing list archives

Site index · List index
Message view « Date » · « Thread »
Top « Date » · « Thread »
From Nirvann <>
Subject Re: doubts about tomcat form based authentication
Date Tue, 20 Oct 2009 14:19:17 GMT

Curtis Garman wrote:
> I'm interested in what others have to say about this too...for
> instance there is no provision for disabling an account either...if
> the account exists you can login with it.
> I'm not sure I understand the second part of your question about
> yo mean authorization or authentication?...if you
> really mean authentication, it sounds to me like you don't have
> something set up should be getting a 403 access denied
> in both firefox and ie if login fails. Authorization has nothing to do
> with form based authentication and would be handled by the container
> based on the roles you create.
> Curtis

I mean't authorization. Consider a scenario as follows. There are two users,
admin and user. Consider two pages adminPage.jsp and userPage.jsp. Admin has
rights to both the pages but user can access only userPage.jsp. Lets assume
that the user logs in as user (not admin) and accesses userPage.jsp. It is
fine upto this point because user has access to userPage.jsp. But what
happens if the user tries to access adminPage.jsp for which he is not
authorized. As you have indicated it should fail through 403 access denied.
But, I am getting "HTTP 404 - File not found" in IE and blank page in

View this message in context:
Sent from the Tomcat - User mailing list archive at

To unsubscribe, e-mail:
For additional commands, e-mail:

View raw message