Curtis Garman wrote:
>
> I'm interested in what others have to say about this too...for
> instance there is no provision for disabling an account either...if
> the account exists you can login with it.
>
> I'm not sure I understand the second part of your question about
> authorization...do you mean authorization or authentication?...if you
> really mean authentication, it sounds to me like you don't have
> something set up correctly...you should be getting a 403 access denied
> in both firefox and ie if login fails. Authorization has nothing to do
> with form based authentication and would be handled by the container
> based on the roles you create.
>
> Curtis
>

I meant authorization. Consider a scenario as follows. There are two users, admin and user. Consider two pages, adminPage.jsp and userPage.jsp. Admin has rights to both the pages but user can access only userPage.jsp. Let's assume that the user logs in as user (not admin) and accesses userPage.jsp. It is fine up to this point because user has access to userPage.jsp. But what happens if the user tries to access adminPage.jsp, for which he is not authorized? As you have indicated, it should fail with 403 access denied. But I am getting "HTTP 404 - File not found" in IE and a blank page in Mozilla.