DO NOT REPLY TO THIS EMAIL, BUT PLEASE POST YOUR BUG RELATED COMMENTS THROUGH THE WEB INTERFACE AVAILABLE AT <http://nagoya.apache.org/bugzilla/show_bug.cgi?id=8607>. ANY REPLY MADE TO THIS MESSAGE WILL NOT BE COLLECTED AND INSERTED IN THE BUG DATABASE.
http://nagoya.apache.org/bugzilla/show_bug.cgi?id=8607

Valid User, invalid role, results in msg 403, then incorrect operation

           Summary: Valid User, invalid role, results in msg 403, then incorrect operation
           Product: Tomcat 4
           Version: 4.0.3 Final
          Platform: PC
        OS/Version: Windows NT/2K
            Status: NEW
          Severity: Normal
          Priority: Other
         Component: Catalina
        AssignedTo: [EMAIL PROTECTED]
        ReportedBy: [EMAIL PROTECTED]

If a valid user with an invalid role attempts to access a protected area, the error page is NOT produced; instead, msg 403 returns to the user. Subsequent attempts to login with a VALID user id return:

Apache Tomcat/4.0.3 - HTTP Status 404 - /jsp/security/protected/j_security_check
--------------------------------------------------------------------------------
type Status report
message /jsp/security/protected/j_security_check
description The requested resource (/jsp/security/protected/j_security_check) is not available.

Note that attempts to access with a user id which is NOT in the tomcat-users file work as expected: the error page is produced.

Reproduction scenario:

1. Install Tomcat 4.0.3 right out of the box.

2. Add a single user:
   <user name="fred" password="flint" roles="standard,manager" />
   to tomcat-users.xml

3. Attempt to access the examples/jsp/security/protected with valid user tomcat. This will work.

4. Attempt to access the examples/jsp/security/protected with user fred/flint, get message 403:

Apache Tomcat/4.0.3 - HTTP Status 403 - Access to the requested resource has been denied
--------------------------------------------------------------------------------
type Status report
message Access to the requested resource has been denied
description Access to the specified resource (Access to the requested resource has been denied) has been forbidden.

5. Attempt access again using tomcat/tomcat, get message 404 as above. Further attempts at access fail as well.
See also Tomcat user list emails:

From: "Christopher Pennock"
Subject: FORM login with wrong role gets 404, not error page - bug?
Date: Tue, 5 Feb 2002 12:21:49 -0500

From: Victoria Einarsson
Subject: wrong user role => Error 403 instead of redirecting to Form-Error-Page
Date: Thu, 10 Jan 2002 11:34:00 +0100