http://nagoya.apache.org/bugzilla/show_bug.cgi?id=6446

Access denied instead of new challenge when authentication fails

           Summary: Access denied instead of new challenge when
                    authentication fails
           Product: Tomcat 4
           Version: 4.0.1 Final
          Platform: All
        OS/Version: All
            Status: NEW
          Severity: Normal
          Priority: Other
         Component: Catalina
        AssignedTo: [EMAIL PROTECTED]
        ReportedBy: [EMAIL PROTECTED]


In a web application with two security constraints with different sets of
required roles, all access attempts to the second one are denied (403) after
successful authentication to the first. Example:

    <security-constraint>
      <web-resource-collection>
        <web-resource-name>search</web-resource-name>
        <url-pattern>/ch12/search/*</url-pattern>
      </web-resource-collection>
      <auth-constraint>
        <role-name>admin</role-name>
        <role-name>user</role-name>
      </auth-constraint>
    </security-constraint>

    <security-constraint>
      <web-resource-collection>
        <web-resource-name>admin</web-resource-name>
        <url-pattern>/ch12/admin/*</url-pattern>
      </web-resource-collection>
      <auth-constraint>
        <role-name>admin</role-name>
      </auth-constraint>
    </security-constraint>

After accessing resources protected by the "search" constraint as a user in
the role "user", all attempts to access resources protected by the "admin"
constraint are denied. Previous versions of Tomcat (at least TC 3.x) issued a
new challenge response in this case, which IMHO is a more accurate behavior.
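To make the two outcomes the report contrasts concrete, here is an added example (constructed for this page, not Tomcat's code) that models the container's authorization step over the two security constraints from the report's web.xml. It matches the request path against each url-pattern, returns 401 (a new challenge) when there is no authenticated principal, and returns 403 when the principal is authenticated but holds none of the required roles, which is the Tomcat 4.0.1 behaviour the report describes. The pattern matcher and the union of roles across matching constraints are simplifications assumed here, not a statement of how Catalina implements them.

```python
"""Model of the authorization decision for the bug report's two constraints.

Constructed example for illustration; it is not Tomcat/Catalina code.
"""
from dataclasses import dataclass
from typing import List, Optional, Set


@dataclass
class SecurityConstraint:
    name: str
    url_patterns: List[str]
    roles: Set[str]          # roles listed in <auth-constraint>


@dataclass
class Principal:
    name: str
    roles: Set[str]


# The two <security-constraint> elements from the report's web.xml.
CONSTRAINTS = [
    SecurityConstraint("search", ["/ch12/search/*"], {"admin", "user"}),
    SecurityConstraint("admin", ["/ch12/admin/*"], {"admin"}),
]


def pattern_matches(pattern: str, path: str) -> bool:
    """Simplified servlet-style matching: exact, '/prefix/*', or '*.ext'."""
    if pattern == path:
        return True
    if pattern.endswith("/*"):
        prefix = pattern[:-2]
        return path == prefix or path.startswith(prefix + "/")
    if pattern.startswith("*."):
        return path.endswith(pattern[1:])
    return False


def required_roles(path: str, constraints=CONSTRAINTS) -> Optional[Set[str]]:
    """Union of the roles of every constraint whose pattern matches the path.

    Returns None when no constraint covers the path (the resource is public).
    Taking the union across overlapping constraints is an assumption of this
    model; the report's two patterns do not overlap.
    """
    matched = [c for c in constraints
               if any(pattern_matches(p, path) for p in c.url_patterns)]
    if not matched:
        return None
    roles: Set[str] = set()
    for c in matched:
        roles |= c.roles
    return roles


def authorize(path: str, principal: Optional[Principal]) -> int:
    """Return the HTTP status the container would send for this request.

    200: allowed; 401: not authenticated, challenge the client;
    403: authenticated but not in any role the constraint requires.
    """
    roles = required_roles(path)
    if roles is None:
        return 200
    if principal is None:
        return 401          # nobody is logged in yet: issue a challenge
    if roles & principal.roles:
        return 200
    return 403              # logged in, but lacks every required role


def report_scenario() -> List[int]:
    """Replay the sequence from the report: log in as 'user', then hit admin."""
    statuses = [authorize("/ch12/search/index.jsp", None)]        # 401: challenge
    bob = Principal("bob", {"user"})                                # authenticates
    statuses.append(authorize("/ch12/search/index.jsp", bob))      # 200
    statuses.append(authorize("/ch12/admin/index.jsp", bob))       # 403, as reported
    return statuses


if __name__ == "__main__":
    print(report_scenario())
```

The distinction the model makes explicit is the one the report turns on: a 401 tells the client that no acceptable credentials have been presented, while a 403 states that the credentials already presented are known and insufficient, so the client is not invited to try different ones.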