Christopher Schultz wrote:
> Cun,
>
> shunhecun wrote:
>> If a user fails to log in, he should be directed to the page specified in
>> web.xml, i.e. <form-error-page>/loginError.jsp</form-error-page>. And the
>> page /loginError.jsp is an unprotected resource.
>
> Right. You didn't say that the user failed to login. You said that the
> user's rights didn't allow them to see that particular page.
> Authentication /was/ successful; authorization was not.
>
>> If Tomcat does not kill the session for me in my case described in my first
>> message, how can I do that?
>
> Tomcat will not kill the session for you; you will have to do it
> yourself. You don't want to worry about failed logins -- those will go
> back to the login page. What you want to worry about is unauthorized
> page requests /after/ login, which is what the 403 error is all about.
> Just direct your webapp to forward 403 errors to something like
> "/logout.jsp" that does "session.invalidate()".

(eek!)

> I wouldn't do it this way, though. I'd present the user with an
> (unprotected) page that says "you're not allowed to view this page.
> Click <here> if you want to logout and re-login" (or something along
> those lines).

Customise the 403 error with a directive in the appropriate place in your
web.xml, like so:

<error-page>
  <error-code>403</error-code>
  <location>/WEB-INF/error-pages/403.jsp</location>
</error-page>

This page can have any content you like, and include the actions as
suggested by Chris.

p

> -chris
>

---------------------------------------------------------------------
To start a new topic, e-mail: users@tomcat.apache.org
To unsubscribe, e-mail: [EMAIL PROTECTED]
For additional commands, e-mail: [EMAIL PROTECTED]
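As an added example (not code from the thread or from Tomcat), the following servlet implements what Chris and Pid describe: an unprotected 403 page that tells the authenticated-but-unauthorized user they may not view the resource and offers a logout link, plus the logout action that calls session.invalidate(). It assumes Servlet 3.0 or later (Tomcat 7+) so that @WebServlet can replace a <servlet-mapping> entry, and it assumes the hypothetical paths /error/403 and /logout; the web.xml <error-page> from the reply would then use <location>/error/403</location> instead of the JSP path.

```java
// Added example, not from the mailing-list thread: one servlet serving both
// the 403 error page and the logout action for a FORM-authenticated webapp.
// Assumes Servlet 3.0+ (Tomcat 7 or later). Paths /error/403 and /logout are
// hypothetical; web.xml would carry:
//   <error-page><error-code>403</error-code>
//     <location>/error/403</location></error-page>
// Both paths must stay outside every <security-constraint>, otherwise the
// container's forward to the error page can itself be rejected with 403.
import java.io.IOException;
import java.io.PrintWriter;
import javax.servlet.ServletException;
import javax.servlet.annotation.WebServlet;
import javax.servlet.http.HttpServlet;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;
import javax.servlet.http.HttpSession;

@WebServlet(urlPatterns = {"/error/403", "/logout"})
public class ForbiddenAndLogoutServlet extends HttpServlet {

    // The container forwards to the error page with the original request
    // method, so a POST to a protected resource arrives here as a POST too.
    @Override
    protected void service(HttpServletRequest req, HttpServletResponse resp)
            throws ServletException, IOException {
        if ("/logout".equals(req.getServletPath())) {
            logout(req, resp);
        } else {
            showForbidden(req, resp);
        }
    }

    // Unprotected page shown after a successful login whose roles do not
    // permit the requested resource (authentication ok, authorization not).
    private void showForbidden(HttpServletRequest req, HttpServletResponse resp)
            throws IOException {
        // Standard attribute set by the container on error-page forwards.
        // It is deliberately not echoed into the HTML: the request URI is
        // attacker-controlled and would need escaping to be safe to display.
        Object status = req.getAttribute("javax.servlet.error.status_code");
        resp.setStatus(status instanceof Integer ? (Integer) status
                                                 : HttpServletResponse.SC_FORBIDDEN);
        resp.setContentType("text/html;charset=UTF-8");
        PrintWriter out = resp.getWriter();
        out.println("<html><body>");
        out.println("<p>You're not allowed to view this page.</p>");
        out.println("<p><a href=\"" + req.getContextPath()
                + "/logout\">Click here</a> if you want to logout and re-login.</p>");
        out.println("</body></html>");
    }

    // The "logout" Chris refers to: Tomcat does not end the session on a 403,
    // so the webapp invalidates it itself. Servlet 3.0 also offers
    // req.logout() to clear the container's notion of the caller; invalidating
    // the session is what the thread discusses and is enough for FORM auth,
    // since the authenticated principal lives in the session.
    private void logout(HttpServletRequest req, HttpServletResponse resp)
            throws IOException {
        HttpSession session = req.getSession(false); // false: do not create one
        if (session != null) {
            session.invalidate();
        }
        // Land on the context root; the next protected request triggers the
        // form login page from <form-login-config> again.
        resp.sendRedirect(req.getContextPath() + "/");
    }
}
```

Use a redirect rather than a forward after invalidating, so the browser's next request starts with no session cookie that the container still honours; the 403 page itself is served with status 403 preserved from the error attributes, so monitoring that counts 403 responses still sees the unauthorized attempt.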