Hi Alberto.

A user can be in two states from Tomcat's point of view:
1) anonymous (that is, the user has not yet provided a user / password)
2) authenticated (the user has provided a user / password)

Aside from this, there are 2 kinds of URLs for Tomcat:
1) unrestricted ones (anyone can access them)
2) URLs restricted to specific roles (only authenticated users having the correct role can access them)

As a result, when you try to access a URL, these are the possible scenarios:
1) public URL -> access is granted
2) restricted URL and you are anonymous -> you are asked to log in
3) restricted URL, you are authenticated but you don't have the correct role -> access is refused
4) restricted URL, you are authenticated and you have the correct roles -> access is granted

Your problem is point 3: you used a user / pass that does not have the privilege for the given URL. However, as you are authenticated, Tomcat will not ask you to authenticate again. It already knows who you are and knows you can't access that URL. You should avoid a design where an individual has to use different user / pass depending on what he wants to do. It's better that he uses only one account that has the requested privileges. Really, there is a problem with the J2EE specs you must care about: there is no way to log out, except by closing the browser.

Changing the error page is of no help, by the way. There is no way to force Tomcat to accept a new user / password because there is no way to do it according to the J2EE specs. Also, there is a difference between
401 Unauthorized
403 Forbidden

401 will request user / pass, 403 will not. Forcing a 401 is useless because the browser will cache the user / pass and resend them without popping up a new dialog.

Regards

Alberto Montoya wrote:
Hello!

This is my first post to the list. My problem is this: I've configured Tomcat's file server.xml in order to use JDBC to authenticate users, and I've set up the realms and the different roles that can access those realms. Then, if I try to access some realm but I haven't got the right role, Tomcat redirects me to an error page (Forbidden Access) but it never asks again for my user and my password. This occurs only if that user/password exists in my database but hasn't got the right role; if I enter a non-existent user/password, Tomcat asks me again for them. How can I solve this? Could I change that error page that Tomcat shows? How?

Thank you in advance...
Alberto
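To make the four scenarios in the reply concrete, here is an added, hypothetical WEB-INF/web.xml (not from either poster) that declares one public and one role-restricted URL pattern with BASIC authentication; the paths, the "reports" role name and the realm name are assumptions, and the role must be granted to the user in the JDBC realm's role table for scenario 4 to occur.

```xml
<?xml version="1.0" encoding="UTF-8"?>
<!-- Hypothetical WEB-INF/web.xml (added example, not from the thread). -->
<web-app xmlns="http://java.sun.com/xml/ns/j2ee" version="2.4">

  <!-- Scenario 1: nothing under /public/* is constrained, so Tomcat
       never prompts for credentials there. -->

  <!-- Scenarios 2-4: everything under /reports/* requires the
       "reports" role (assumed name). -->
  <security-constraint>
    <web-resource-collection>
      <web-resource-name>Reports</web-resource-name>
      <url-pattern>/reports/*</url-pattern>
    </web-resource-collection>
    <auth-constraint>
      <role-name>reports</role-name>
    </auth-constraint>
  </security-constraint>

  <!-- BASIC auth: an anonymous request to /reports/* gets 401 and the
       browser's login dialog (scenario 2). Once credentials are accepted
       the browser resends them on every request, so an authenticated user
       without the "reports" role gets 403 (scenario 3) and is not
       prompted again; a user holding the role gets the page (scenario 4). -->
  <login-config>
    <auth-method>BASIC</auth-method>
    <realm-name>Example Realm</realm-name>
  </login-config>

  <security-role>
    <role-name>reports</role-name>
  </security-role>

  <!-- Custom page for scenario 3. It replaces Tomcat's default
       "Forbidden" page but, as the reply explains, does not make
       Tomcat ask for new credentials. -->
  <error-page>
    <error-code>403</error-code>
    <location>/forbidden.html</location>
  </error-page>

</web-app>
```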
