1 Reply Latest reply on Mar 28, 2006 11:58 AM by starksm64

HTTP Status 403 - when missing role

dboeckli Mar 28, 2006 10:45 AM

Log in is working perfect. When I log in with wrong password i am redirected to the page defined in web.xml. But when i am using a user with missing role then i am not redirected to the defined error page, i get the standard Tomcat "HTTP Status 403 - Access to the requested resource has been denied" page.

here an extract of the web.xml

 <!-- Security -->
 <security-constraint>
 <web-resource-collection>
 <web-resource-name>restricted</web-resource-name>
 <url-pattern>/prot/*</url-pattern>
 <http-method>POST</http-method>
 <http-method>GET</http-method>
 </web-resource-collection>
 <auth-constraint>
 <role-name>administrator</role-name>
 <role-name>catloguser</role-name>
 </auth-constraint>
 </security-constraint>
 <login-config>
 <auth-method>FORM</auth-method>
 <form-login-config>
 <form-login-page>/login/login.jsf</form-login-page>
 <form-error-page>/login/loginFailed.jsf</form-error-page>
 </form-login-config>
 </login-config>
 <security-role>
 <role-name>administrator</role-name>
 </security-role>
 <security-role>
 <role-name>catloguser</role-name>
 </security-role>

What i did wrong? Many thanks for your help.

1. Re: HTTP Status 403 - when missing role

starksm64 Mar 28, 2006 11:58 AM (in response to dboeckli)

The error page is only for authentication failures. Authorization failures have nothing to do with the login error-page.
Actions