tomcat-users mailing list archives

From Markus Schönhaber <tomcat-us...@list-post.mks-mail.de>
Subject Re: doubts about tomcat form based authentication
Date Tue, 20 Oct 2009 14:45:06 GMT
Nirvann:

> I meant authorization. Consider a scenario as follows. There are two users,
> admin and user. Consider two pages adminPage.jsp and userPage.jsp. Admin has
> rights to both the pages but user can access only userPage.jsp. Let's assume
> that the user logs in as user (not admin) and accesses userPage.jsp. It is
> fine up to this point because user has access to userPage.jsp. But what
> happens if the user tries to access adminPage.jsp for which he is not
> authorized? As you have indicated it should fail through 403 access denied.
> But, I am getting "HTTP 404 - File not found" in IE and a blank page in
> Mozilla.

In a situation like the one you describe my Tomcat responds with a 403
response code and the standard access denied page (I did not change it
in web.xml).
So, I second Curtis' guess that you did something wrong.

BTW: What IE shows you is of very little use, unless you turn off
"friendly" error messages.

-- 
Regards
  mks


