Hi,
I received a response from Mark to the problem described below,
which was: "not an issue"/"as per specs".
Does not look like that to me, because:
1) After trying to log in as a valid user and receiving the 403 msg,
you cannot log in with a valid user role even after invalidating the
session.
So what is the user supposed to do (after entering username with incorrect
role)?
a. Ask maintenance team to restart application?
b. Clean the cookies? (most users do not even know what the cookie is)
These are the only things that will allow him to access the page again.
How can this behavior be "not an issue"?
2) msg 403 as a per specs response for users attempt to access
protected page with valid user and invalid role does not look logical.
Reason:
a. after entering completely wrong username user is redirected to
reasonably friendly custom error page.
b. after entering correct username with incorrect role user sees
unfriendly msg 403.
The reaction to the smaller mistake (case b) is less user-friendly than for case
a.
This seems illogical.
Regards,
Val.
----- Original Message -----
From: "Mark Thomas" <[EMAIL PROTECTED]>
To: "Tomcat Users List" <users@tomcat.apache.org>
Sent: Friday, June 09, 2006 21:04
Subject: Re: Tomcat 5.5.17 protected pages JSP examples with valid user and
invalid role results in msg 403.
[EMAIL PROTECTED] wrote:
> Hi,
> I am having a problem with the Tomcat 5.5.17 jsp example of accessing
> protected pages
> (example: http://localhost:8080/jsp-examples/security/protected/)
> Logging in with a valid user and role:
> user/password/role="tomcat/tomcat/tomcat" works fine.
> Logging in with a valid user and an invalid role
> (user/password/role="role1/tomcat/role1") results in msg 403
> (HTTP Status 403 - Access to the requested resource has been denied).
> I am using the supplied tomcat-users.xml.
> Before experimenting I made this role (role1) invalid by editing the
> webapps/jsp-examples/WEB-INF/web.xml file like:
> ...
> <auth-constraint>
> <role-name>tomcat</role-name>
> <!-- role-name>role1</role-name -->
> </auth-constraint>
> ...
> After receiving msg 403 the application will not work even with the valid
> user role (msg 403 produced).
> I found the same problem for Tomcat4 reported at:
> http://mail-archives.apache.org/mod_mbox/tomcat-dev/200204.mbox/[EMAIL PROTECTED]
> This was resolved as INVALID. See
> http://issues.apache.org/bugzilla/show_bug.cgi?id=8607
> I also have seen somewhere that it was reported to be fixed for Tomcat4.

Not fixed, it was never an issue. See above.

> Did the old problem penetrate to Tomcat 5.5.17 or
> did I forget to configure something?

No, there isn't an issue.

Mark
---------------------------------------------------------------------
To start a new topic, e-mail: users@tomcat.apache.org
To unsubscribe, e-mail: [EMAIL PROTECTED]
For additional commands, e-mail: [EMAIL PROTECTED]
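As an added example (not from this thread and not the descriptor shipped with Tomcat): a web.xml fragment in the style of the jsp-examples security demo that keeps the auth-constraint restricted to the tomcat role, so an authenticated user with a different role still gets the spec-mandated 403, but maps that 403 to a custom page instead of the container's bare status page, which addresses Val's point 2b without loosening the constraint. The login/error page paths, the realm name and the /security/forbidden.jsp location are assumptions.

```xml
<!-- Added example, Servlet 2.4 style (Tomcat 5.5); not the thread's own web.xml. -->
<security-constraint>
  <web-resource-collection>
    <web-resource-name>Protected Area</web-resource-name>
    <!-- Same protected path as the jsp-examples security demo -->
    <url-pattern>/security/protected/*</url-pattern>
  </web-resource-collection>
  <auth-constraint>
    <!-- Least privilege: only the tomcat role is authorized here.
         A user who authenticates successfully but lacks this role is
         "authenticated but not authorized", and the container answers 403. -->
    <role-name>tomcat</role-name>
    <!-- role-name>role1</role-name -->
  </auth-constraint>
</security-constraint>

<login-config>
  <auth-method>FORM</auth-method>
  <realm-name>Example Form-Based Authentication Area</realm-name> <!-- assumed -->
  <form-login-config>
    <!-- assumed paths, matching the layout of the jsp-examples demo -->
    <form-login-page>/security/protected/login.jsp</form-login-page>
    <form-error-page>/security/protected/error.jsp</form-error-page>
  </form-login-config>
</login-config>

<!-- Every role named in an auth-constraint must be declared. -->
<security-role>
  <role-name>tomcat</role-name>
</security-role>

<!-- Replace the container's "HTTP Status 403" page with a friendly one that
     tells the user they are signed in without the required role and points
     them at the logout/sign-in-again page. Location is an assumed path. -->
<error-page>
  <error-code>403</error-code>
  <location>/security/forbidden.jsp</location>
</error-page>
```

The 403 itself is the correct, safe answer (it reveals nothing about which roles exist); only its presentation changes.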