tomcat-dev mailing list archives
From "Jeff Tulley" <>
Subject [Patch] Handling of authentication success but authorization failure
Date Mon, 12 May 2003 17:44:10 GMT
A while back I proposed some changes to how Tomcat handles the case
where it is supplied a valid user name that does not belong in the
correct role to access a secured resource.  I finally had time to make
the code changes associated with my proposal.

What tomcat currently does:
The user is authenticated successfully, and the user's principals are
put in the session.  Then, upon authorization failure, an "Access to the
requested resource has been denied" error is sent back to the browser. 
Since the user principals are in the current session, you cannot hit the
browser back button to retry a login.  You have to close out the browser
and try again.  This is a very annoying and confusing state.

The attached patch solves this problem by doing two things:

1) Upon authorization failure, the user principals are cleared from the
2) Instead of sending back a browser error, a redirect to the
"form-error-page" specified in web.xml is performed.

I propose at very least committing part one of my fix, to get the
browser out of the weird authenticated but not authorized state.  

I also propose that Tomcat do a redirect to the error page instead of
sending back the less friendly message.  The Servlet Specification does
not address this issue, and does not specify behavior one way or
another.  If there are any Tomcat committers on the JSR committees for
the next Servlet specification, I think it would be good to see if the
spec could be made more clear on this point.  Lacking guidance by the
spec, I feel that redirecting to the same error page for both
authentication and authorization failures provides at least some level
of control by the application developer.


Jeff Tulley  (
Novell, Inc., The Leading Provider of Net Business Solutions
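For reference, the web.xml setup the message refers to, as an added illustration and not part of the original message or of Tomcat's own code: a FORM login whose form-error-page is where the proposed redirect would go, plus a constraint requiring a role that an authenticated user may not hold. The paths, realm name and role names are made-up placeholders.

```xml
<!-- Added illustration of a Servlet 2.3 web.xml: a resource protected by a
     role, with FORM authentication. A user who logs in with valid
     credentials but lacks the "admin" role is the "authenticated but not
     authorized" case discussed above. All paths and names are placeholders. -->
<web-app>

  <!-- Only members of the "admin" role may reach /admin/*. -->
  <security-constraint>
    <web-resource-collection>
      <web-resource-name>Admin area</web-resource-name>
      <url-pattern>/admin/*</url-pattern>
    </web-resource-collection>
    <auth-constraint>
      <role-name>admin</role-name>
    </auth-constraint>
  </security-constraint>

  <!-- FORM login: form-login-page collects credentials; form-error-page is
       what the container shows on authentication failure, and what the
       proposal above would also redirect to on authorization failure. -->
  <login-config>
    <auth-method>FORM</auth-method>
    <realm-name>Example Realm</realm-name>
    <form-login-config>
      <form-login-page>/login.jsp</form-login-page>
      <form-error-page>/login-error.jsp</form-error-page>
    </form-login-config>
  </login-config>

  <!-- Roles referenced by the constraint must be declared. -->
  <security-role>
    <role-name>admin</role-name>
  </security-role>
  <security-role>
    <role-name>user</role-name>
  </security-role>

</web-app>
```

With this configuration, a user holding only the "user" role who logs in at /login.jsp and then requests /admin/ is authenticated by the realm but rejected by the auth-constraint, which is the state the patch addresses.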
