tomcat-users mailing list archives

Site index · List index
Message view « Date » · « Thread »
Top « Date » · « Thread »
From Markus Schönhaber <>
Subject Re: doubts about tomcat form based authentication
Date Tue, 20 Oct 2009 14:45:06 GMT

> I mean't authorization. Consider a scenario as follows. There are two users,
> admin and user. Consider two pages adminPage.jsp and userPage.jsp. Admin has
> rights to both the pages but user can access only userPage.jsp. Lets assume
> that the user logs in as user (not admin) and accesses userPage.jsp. It is
> fine upto this point because user has access to userPage.jsp. But what
> happens if the user tries to access adminPage.jsp for which he is not
> authorized. As you have indicated it should fail through 403 access denied.
> But, I am getting "HTTP 404 - File not found" in IE and blank page in
> Mozilla. 

In a situation like the one you describe my Tomcat responds with 403
response code and the standard access denied page (I did not change it
in web.xml).
So, I second Curtis' guess that you did something wrong.

BTW: What IE shows you is of very little use, unless you turn off
"friendly" error messages.


To unsubscribe, e-mail:
For additional commands, e-mail:

View raw message