Hello David,

Thank you very much. I'll follow your advice.

Greetings

2006/5/22, David Delbecq <[EMAIL PROTECTED]>:
Hi Alberto.

A user can be in two states from Tomcat's point of view.

1) anonymous (that is, the user has not yet provided user / password)
2) Authenticated (user has provided user / password)

Aside from this, there are 2 kinds of URLs for Tomcat

1) unrestricted ones (anyone can access them)
2) URLs restricted to specific roles (only authenticated users having the correct role can access them)

As a result, when you try to access a URL, these are the possible scenarios

1) public URL -> access is granted
2) restricted URL and you are anonymous -> you are asked to log in
3) restricted URL, you are authenticated but you don't have the correct role -> access is refused
4) restricted URL, you are authenticated and you have the correct roles -> access is granted

Your problem is point 3: you used a user / pass that does not have the privilege for the given URL. However, as you are authenticated, Tomcat will not ask you to authenticate again. It already knows who you are and knows you can't access that URL.

You should avoid a design where an individual has to use a different user / pass depending on what he wants to do. It's better that he uses only one account that has the requested privileges. Really, there is a problem with J2EE specs you must care about. There is no way to log out, except by closing the browser.

Changing the error page is of no help, by the way. There is no way to force Tomcat to accept a new user / password because there is no way to do it according to J2EE specs.

Also, there is a difference between

401 Unauthorized
403 Forbidden

401 will request user / pass, 403 not. Forcing a 401 is useless because the browser will cache user / pass and resend them without popping up a new dialog.

Regards

Alberto Montoya wrote:
> Hello!
>
> This is my first post to the list. My problem is this: I've configured
> Tomcat's file server.xml in order to use JDBC to authenticate users, and
> I've set up the realms and the different roles that can access those
> realms. Then, if I try to access some realm but I haven't got the right
> role, Tomcat redirects me to an error page (Forbidden Access) but it never
> asks again for my user and my password. This occurs only if that
> user/password exists in my database but it hasn't got the right role. If I
> enter a non-existent user/password, Tomcat asks me again for them. How can
> I solve this? Could I change that error page that Tomcat shows? How?
>
> Thank you in advance...
> Alberto
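A `web.xml` fragment that produces the four scenarios listed in David's reply and replaces the default Forbidden page asked about in the original question. This is an added example, not configuration posted in the thread; the URL pattern `/admin/*`, the role name `admin`, the realm name, the page `/forbidden.html` and the choice of BASIC authentication are all assumptions.

```xml
<!-- Fragment for WEB-INF/web.xml, placed inside <web-app>. -->
<!-- Assumed names: /admin/*, role "admin", /forbidden.html. -->

<!-- Scenario 3: an authenticated user without the role receives 403.
     This page replaces the container's default Forbidden page. It only
     changes what is displayed; it does not cause a new login prompt. -->
<error-page>
  <error-code>403</error-code>
  <location>/forbidden.html</location>
</error-page>

<!-- Scenarios 2 to 4: everything under /admin/ requires the "admin" role.
     URLs not matched by any security-constraint stay public (scenario 1). -->
<security-constraint>
  <web-resource-collection>
    <web-resource-name>Admin area</web-resource-name>
    <url-pattern>/admin/*</url-pattern>
  </web-resource-collection>
  <auth-constraint>
    <role-name>admin</role-name>
  </auth-constraint>
</security-constraint>

<!-- Scenario 2: an anonymous request to /admin/ gets a 401 challenge.
     Credentials are checked against the Realm configured in server.xml. -->
<login-config>
  <auth-method>BASIC</auth-method>
  <realm-name>Example realm</realm-name>
</login-config>

<!-- Declares the role name referenced by the auth-constraint above. -->
<security-role>
  <role-name>admin</role-name>
</security-role>
```

Keep `/forbidden.html` outside any protected URL pattern so the error page itself can always be served.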