Cun,

shunhecun wrote:
> If a user is failed to login, he should be directed to the page specified in
> web.xml, i.e. <form-error-page>/loginError.jsp</form-error-page>. And the
> page /loginError.jsp is an unprotected resource.

Right. You didn't say that the user failed to login. You said that the user's rights didn't allow them to see that particular page. Authentication /was/ successful; authorization was not.

> If Tomcat does not kill the session for me in my case described in my first
> message, how can I do that?

Tomcat will not kill the session for you; you will have to do it yourself.

You don't want to worry about failed logins -- those will go back to the login page. What you want to worry about is unauthorized page requests /after/ login, which is what the 403 error is all about.

Just direct your webapp to forward 403 errors to something like "/logout.jsp" that does "session.invalidate()".

I wouldn't do it this way, though. I'd present the user with an (unprotected) page that says "you're not allowed to view this page. Click <here> if you want to logout and re-login" (or something along those lines).

-chris
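The 403 handling described in the reply above, as an added example that is not part of the original message: an unprotected page that explains the denial and offers a logout button, with the session invalidated only when the user asks for it. The servlet name, the `/forbidden` and `/logout` URLs, and the use of Servlet 3.0 annotations with the `javax.servlet` API are assumptions.

```java
// Added example, not code from the original message. Assumes Servlet 3.0+ and
// javax.servlet (jakarta.servlet on Tomcat 10+). All names are hypothetical.
// web.xml entry that routes authorization failures here:
//   <error-page>
//     <error-code>403</error-code>
//     <location>/forbidden</location>
//   </error-page>
// Neither URL may be covered by a <security-constraint>.
import java.io.IOException;
import javax.servlet.annotation.WebServlet;
import javax.servlet.http.HttpServlet;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;
import javax.servlet.http.HttpSession;

@WebServlet(urlPatterns = {"/forbidden", "/logout"})
public class ForbiddenServlet extends HttpServlet {
    // service() is overridden because an error dispatch keeps the original
    // request method, so the 403 page must answer GET, POST and the rest.
    @Override
    protected void service(HttpServletRequest req, HttpServletResponse resp)
            throws IOException {
        if ("/logout".equals(req.getServletPath())) {
            logout(req, resp);
            return;
        }
        // Static text only: the denied URL is not echoed back into the page.
        resp.setStatus(HttpServletResponse.SC_FORBIDDEN);
        resp.setContentType("text/html;charset=UTF-8");
        resp.getWriter().write(
            "<p>You are not allowed to view this page.</p>"
            + "<form method=\"post\" action=\"" + req.getContextPath() + "/logout\">"
            + "<button type=\"submit\">Log out and log in again</button></form>");
    }

    private void logout(HttpServletRequest req, HttpServletResponse resp)
            throws IOException {
        if (!"POST".equals(req.getMethod())) {
            // Logging out changes state, so plain links must not trigger it.
            resp.sendError(HttpServletResponse.SC_METHOD_NOT_ALLOWED);
            return;
        }
        HttpSession session = req.getSession(false); // never create one here
        if (session != null) {
            session.invalidate();
        }
        resp.sendRedirect(req.getContextPath() + "/");
    }
}
```

After the redirect, the next request for a protected URL sends the user through the login form again with a fresh session.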