Hi, please consider the following:
- Error 403 seems completely suitable from your words
- Browsers always store login info until the browser window is closed (no session here, this applies only to basic auth!). With form auth you can always provide a logout button
- If the standard error page is too unfriendly, provide a custom error page
If you think Tomcat forgot to handle the 403, provide a page which handles this error and lets the user log out and continue to another page. It is not illogical, because your case is rare enough to not be handled by default.
Let us know if this is good enough for you.
regards,
R.

On Tuesday, 13 June 2006 09:59, [EMAIL PROTECTED] wrote:
> Hi,
> I received a response from Mark to the problem described below,
> which was: "not an issue"/"as per specs".
> Does not look like that to me, because:
>
> 1) After trying to log in as a valid user and receiving msg 403,
> you cannot log in with a valid user role even after invalidating the
> session.
> So what is the user supposed to do (after entering a username with an incorrect
> role)?
> a. Ask the maintenance team to restart the application?
> b. Clean the cookies? (most users do not even know what a cookie is)
> These are the only things that will allow him to access the page again.
> How can this behavior be "not an issue"?
>
> 2) msg 403 as a per-specs response for a user's attempt to access a
> protected page with a valid user and an invalid role does not look logical.
> Reason:
> a. after entering a completely wrong username the user is redirected to a
> reasonably friendly custom error page.
> b. after entering a correct username with an incorrect role the user sees
> the unfriendly msg 403.
> The reaction to the smaller mistake (case b) is less user friendly than for
> case a.
> This seems illogical.
>
> Regards,
> Val.
>
>
> ----- Original Message -----
> From: "Mark Thomas" <[EMAIL PROTECTED]>
> To: "Tomcat Users List" <users@tomcat.apache.org>
> Sent: Friday, June 09, 2006 21:04
> Subject: Re: Tomcat 5.5.17 protected pages JSP examples with valid user and
> invalid role results in msg 403.
>
>
> > [EMAIL PROTECTED] wrote:
> >> Hi,
> >>
> >> I am having a problem with the Tomcat 5.5.17 jsp example of accessing
> >> protected pages
> >> (example: http://localhost:8080/jsp-examples/security/protected/)
> >>
> >> Logging in with a valid user and role:
> >> user/password/role="tomcat/tomcat/tomcat" works fine.
> >> Logging in with a valid user and an invalid role
> >> (user/password/role="role1/tomcat/role1") results in msg 403
> >> (HTTP Status 403 - Access to the requested resource has been denied).
> >> I am using the supplied tomcat-users.xml.
> >>
> >> Before experimenting I made this role (role1) invalid by editing the
> >> webapps/jsp-examples/WEB-INF/web.xml file like:
> >> ...
> >> <auth-constraint>
> >> <role-name>tomcat</role-name>
> >> <!-- role-name>role1</role-name -->
> >> </auth-constraint>
> >> ...
> >>
> >> After receiving msg 403 the application will not work even with the valid
> >> user role (msg 403 produced).
> >>
> >> I found the same problem for Tomcat4 reported at:
> >> http://mail-archives.apache.org/mod_mbox/tomcat-dev/200204.mbox/%3C20020
> >> [EMAIL PROTECTED]
> >
> > This was resolved as INVALID. See
> > http://issues.apache.org/bugzilla/show_bug.cgi?id=8607
> >
> >> I also have seen somewhere that it was reported to be fixed for Tomcat4.
> >
> > Not fixed, it was never an issue. See above.
> >
> >> Did the old problem penetrate to Tomcat 5.5.17 or
> >> did I forget to configure something?
> >
> > No, there isn't an issue.
> >
> > Mark
> >
> > ---------------------------------------------------------------------
> > To start a new topic, e-mail: users@tomcat.apache.org
> > To unsubscribe, e-mail: [EMAIL PROTECTED]
> > For additional commands, e-mail: [EMAIL PROTECTED]
> > ---------------------------------------------------------------------
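R. suggests handling the 403 with a custom page that lets the user log out and continue. The servlet below is an added example written for this thread; it is not code from Tomcat, from the jsp-examples webapp, or from any poster. It targets a webapp using FORM authentication on the Servlet 2.4 API that Tomcat 5.5 implements, and it assumes the servlet is mapped to /forbidden and wired up in web.xml with `<error-page><error-code>403</error-code><location>/forbidden</location></error-page>`; the /forbidden mapping and the /index.jsp redirect target are assumptions. On GET it renders a friendlier page that names the logged-in user and the denied resource while keeping the real 403 status; on POST it invalidates the session, which drops the principal Tomcat caches there for FORM auth, so the next request to a protected page shows the login form again. As R. notes, this only works with form auth: with BASIC auth the browser keeps resending the credentials until it is closed, and no server-side logout is possible.

```java
// Added example (not from the thread): a custom 403 handler with a logout
// action for a FORM-authenticated webapp on Tomcat 5.5 / Servlet 2.4.
// Assumed web.xml wiring:
//   <servlet-mapping><servlet-name>forbidden</servlet-name><url-pattern>/forbidden</url-pattern></servlet-mapping>
//   <error-page><error-code>403</error-code><location>/forbidden</location></error-page>
// The /forbidden path and the /index.jsp redirect target are assumptions.
import java.io.IOException;
import java.io.PrintWriter;
import javax.servlet.ServletException;
import javax.servlet.http.HttpServlet;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;
import javax.servlet.http.HttpSession;

public class ForbiddenServlet extends HttpServlet {

    // GET: render the friendly 403 page. The container forwards to the error
    // page with the original request, so getRemoteUser() still names the
    // authenticated (but insufficiently authorized) user, and the standard
    // javax.servlet.error.request_uri attribute holds the denied resource.
    @Override
    protected void doGet(HttpServletRequest req, HttpServletResponse resp)
            throws ServletException, IOException {
        resp.setStatus(HttpServletResponse.SC_FORBIDDEN); // keep the real status code
        resp.setContentType("text/html;charset=UTF-8");
        String user = req.getRemoteUser();
        Object uriAttr = req.getAttribute("javax.servlet.error.request_uri");
        String uri = (uriAttr == null) ? "the requested resource" : uriAttr.toString();

        PrintWriter out = resp.getWriter();
        out.println("<html><body>");
        out.println("<h1>Access denied</h1>");
        out.println("<p>The account <b>" + escape(user) + "</b> is not in a role that may view "
                + escape(uri) + ".</p>");
        // Logout is a POST, not a GET link, so a prefetcher or crawler following
        // links cannot log the user out.
        out.println("<form method='post' action='" + req.getContextPath() + "/forbidden'>");
        out.println("<input type='submit' value='Log out and sign in as another user'>");
        out.println("</form>");
        out.println("</body></html>");
    }

    // POST: drop the session (and with it the Principal Tomcat caches in the
    // session for FORM auth), then send the browser to an unprotected page.
    // The next request to a protected page triggers the login form again.
    @Override
    protected void doPost(HttpServletRequest req, HttpServletResponse resp)
            throws IOException {
        HttpSession session = req.getSession(false);
        if (session != null) {
            session.invalidate();
        }
        resp.sendRedirect(req.getContextPath() + "/index.jsp");
    }

    // Minimal HTML escaping. The user name and URI are attacker-controlled
    // text (typed into the login form / the address bar), so never echo them raw.
    private static String escape(String s) {
        if (s == null) {
            return "";
        }
        StringBuilder sb = new StringBuilder(s.length());
        for (char c : s.toCharArray()) {
            switch (c) {
                case '<':  sb.append("&lt;");   break;
                case '>':  sb.append("&gt;");   break;
                case '&':  sb.append("&amp;");  break;
                case '"':  sb.append("&quot;"); break;
                case '\'': sb.append("&#39;");  break;
                default:   sb.append(c);
            }
        }
        return sb.toString();
    }
}
```

Keeping the 403 status on the custom page matters for anything downstream that keys on status codes (monitoring, proxies, scanners): the page is friendlier, but the response still says the request was denied. The escaping is there because the denied user name is echoed back; a login form accepts arbitrary text, so a custom error page that prints it unescaped is a reflected XSS sink.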