Login is working perfectly. When I log in with a wrong password I am redirected to the page defined in web.xml. But when I use a user with a missing role, I am not redirected to the defined error page; I get the standard Tomcat "HTTP Status 403 - Access to the requested resource has been denied" page.
Here is an extract of the web.xml:
<!-- Security -->
<security-constraint>
    <web-resource-collection>
        <web-resource-name>restricted</web-resource-name>
        <url-pattern>/prot/*</url-pattern>
        <http-method>POST</http-method>
        <http-method>GET</http-method>
    </web-resource-collection>
    <auth-constraint>
        <role-name>administrator</role-name>
        <role-name>catloguser</role-name>
    </auth-constraint>
</security-constraint>
<login-config>
    <auth-method>FORM</auth-method>
    <form-login-config>
        <form-login-page>/login/login.jsf</form-login-page>
        <form-error-page>/login/loginFailed.jsf</form-error-page>
    </form-login-config>
</login-config>
<security-role>
    <role-name>administrator</role-name>
</security-role>
<security-role>
    <role-name>catloguser</role-name>
</security-role>
The error page is only for authentication failures. Authorization failures have nothing to do with the login error-page.
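To illustrate the distinction drawn in the answer, here is an added example (not part of the original answer) of the standard Servlet `<error-page>` mapping for status 403, shown next to the question's `<login-config>`. The location `/error/accessDenied.jsf` is a hypothetical path chosen for illustration.

```xml
<!-- Authentication failures (wrong user name or password) are handled here -->
<login-config>
    <auth-method>FORM</auth-method>
    <form-login-config>
        <form-login-page>/login/login.jsf</form-login-page>
        <form-error-page>/login/loginFailed.jsf</form-error-page>
    </form-login-config>
</login-config>

<!-- Authorization failures (authenticated user without a required role)
     produce HTTP 403, which is mapped separately.
     The location below is an assumed path, not one from the question. -->
<error-page>
    <error-code>403</error-code>
    <location>/error/accessDenied.jsf</location>
</error-page>
```

With this mapping the container serves the given location instead of its default 403 page, while `form-error-page` keeps handling failed logins.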