1 Reply Latest reply on Jul 27, 2002 12:25 PM by gregwilkins

    Form-based login and authorization

    gfzhang

      It is a form-based login web app.
      After I authenticated, if I accessed a resource that I have no right to access, the browser displays a page that lists "forbidden, Error code 403".

      In WebLogic, the browser will display the form-error-page page which is configured in web.xml.

      Is this a bug in JBoss 3.0, or have I not configured JBoss 3.0 correctly?

      I use the Jetty web server embedded in JBoss.




        • 1. Re: Form-based login and authorization
          gregwilkins

          The spec is not clear what should happen in this circumstance. However, I do believe that the 403 forbidden is the more correct response.

          The form error page is intended to be displayed when an authentication error has occurred during logon (wrong username or password). In your case, there is no problem with authentication; you simply have insufficient privileges to view the requested page.

          Note that you can use the error page mechanism to provide
          a custom page for 403 responses.

          regards