Bug report #574 has just been filed.

You can view the report at the following URL:
   <http://znutar.cortexity.com/BugRatViewer/ShowReport/574>

REPORT #574 Details.

Project: Tomcat
Category: Bug Report
SubCategory: New Bug Report
Class: swbug
State: received
Priority: high
Severity: serious
Confidence: public
Environment:
   Release: Tomcat v4.0 m4
   JVM Release: 1.2.2
   Operating System: Solaris
   OS Release: SunOS 5.6
   Platform: Ultra1

Synopsis:
Browser issues a "document contains no data" when a secure page is accessed by a valid, unauthorized user (wrong role).

Description:
I am trying to test user authentication with Tomcat v4.0 m4.
I have a *very* simple configuration:
* an index page that links to a view-common page and a view-restricted page
* the web.xml security constraint on the view-restricted page is set up as:

    <!-- Restricted Resources -->
    <security-constraint>
      <web-resource-collection>
        <web-resource-name>RestrictedResources</web-resource-name>
        <url-pattern>/view-restricted.html</url-pattern>
        <http-method>GET</http-method>
      </web-resource-collection>
      <auth-constraint>
        <role-name>admin</role-name>
      </auth-constraint>
    </security-constraint>

    <login-config>
      <auth-method>BASIC</auth-method>
    </login-config>

    <security-role>
      <description>A simple restricted-access user role.</description>
      <role-name>admin</role-name>
    </security-role>

* the server.xml configuration file is using the MemoryRealm
* the tomcat-users.xml config. file has three users:

    <tomcat-users>
      <user name="tomcat" password="tacmot" roles="tomcat" />
      <user name="user1" password="1resu" roles="admin" />
      <user name="user2" password="2resu" roles="tomcat,admin" />
    </tomcat-users>

So, I would expect that when I attempt to access the view-restricted.html page that I get a BASIC HTTP user auth. dialog box in my browser (Netscape v4.75) and I do. That's not the weird thing.

Everything works as expected when I enter a user that has 'admin' role (e.g. 'user1'), *but* I am getting the following Netscape error when I enter any other user (e.g. 'tomcat'):

    The document contains no data.
    Try again later, or contact the server's administrator.

This is not what I was expecting. Is this the correct behavior? This is a problem because it (the browser) will not allow me to attempt to link to that page again and re-authenticate.

Note: if I mistype a given user's password, then the browser correctly asks me to retry; it is only when I give the correct password for a registered user but not in the correct role for the restricted page that I get the above problem.

Title: BugRat Report # 574
Project: Tomcat | Release: Tomcat v4.0 m4 |
Category: Bug Report | SubCategory: New Bug Report |
Class: swbug | State: received |
Priority: high | Severity: serious |
Confidence: public |
Submitter: Bryan Basham ( [EMAIL PROTECTED] )
Date Submitted: Dec 12 2000, 11:45:18 CST
Responsible: Z_Tomcat Alias ( [EMAIL PROTECTED] )
- Synopsis:
- Browser issues a "document contains no data" when a secure page is accessed by a valid, unauthorized user (wrong role).
- Environment: (jvm, os, osrel, platform)
- 1.2.2, Solaris, SunOS 5.6, Ultra1
- Additional Environment Description:
- Netscape v4.75
- How To Reproduce:
- null
- Workaround:
- null
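
As an added illustration (not part of the original report and not Tomcat's own code), the following Python model loads the reporter's web.xml constraint and tomcat-users.xml and computes the status a client would be expected to receive in each case described above. It assumes the conventional HTTP mapping of 401 for missing or failed authentication and 403 for an authenticated user without the required role; the `<web-app>` wrapper, the function names and the exact-match URL handling are assumptions made for the example.

```python
import xml.etree.ElementTree as ET

# The reporter's configuration; the <web-app> root is added so the fragment parses.
WEB_XML = """<web-app>
  <security-constraint>
    <web-resource-collection>
      <web-resource-name>RestrictedResources</web-resource-name>
      <url-pattern>/view-restricted.html</url-pattern>
      <http-method>GET</http-method>
    </web-resource-collection>
    <auth-constraint><role-name>admin</role-name></auth-constraint>
  </security-constraint>
</web-app>"""
USERS_XML = """<tomcat-users>
  <user name="tomcat" password="tacmot" roles="tomcat" />
  <user name="user1" password="1resu" roles="admin" />
  <user name="user2" password="2resu" roles="tomcat,admin" />
</tomcat-users>"""

def load_constraints(xml_text):
    """Return (url patterns, http methods, allowed roles) per security-constraint."""
    found = []
    for sc in ET.fromstring(xml_text).iter("security-constraint"):
        patterns = {e.text.strip() for e in sc.iter("url-pattern")}
        methods = {e.text.strip() for e in sc.iter("http-method")}
        roles = {e.text.strip() for e in sc.findall("auth-constraint/role-name")}
        found.append((patterns, methods, roles))
    return found

def load_users(xml_text):
    """Map user name -> (password, set of roles) from tomcat-users.xml."""
    return {u.get("name"): (u.get("password"), set(u.get("roles").split(",")))
            for u in ET.fromstring(xml_text).iter("user")}

def expected_status(path, method, credentials=None):
    """Expected response status (assumed 401/403 mapping); not server code."""
    users = load_users(USERS_XML)
    for patterns, methods, roles in load_constraints(WEB_XML):
        if path not in patterns or (methods and method not in methods):
            continue  # this constraint does not cover the request
        if credentials is None:
            return 401  # no credentials sent: challenge
        name, password = credentials
        if name not in users or users[name][0] != password:
            return 401  # authentication failed: challenge again
        if not (users[name][1] & roles):
            return 403  # authenticated, but holds none of the required roles
        return 200
    return 200  # no constraint matched: resource is unprotected
```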