JAAS/JBoss unexpected behavior with authenticated but unauth
blackard Feb 14, 2006 1:22 AM
I've set up a test case for a user that is successfully authenticated but that is not authorized by the security-constraint to access a servlet. I've tested other form-based login behavior and got the expected results. Accessing a page requiring authentication redirects to form-login-page, invalid credentials to form-error-page, valid credentials for an authorized user to the initial target.
However, when I provide valid credentials for a user that is not authorized, I get an HTTP Status 403 back. Other container managers I've used direct to form-login-page in this situation.
What can I do to intercept this condition and redirect to a page of my choosing?
I'm using JBoss 4.0.2 and the LdapLoginModule. Again, everything works except for this condition. Excerpts from web.xml and the LDIF follow. User usera gets in fine, userb gets a status 403.
<<<<---- cut - part of web.xml - begin ---->>>>
<!-- No auth-constraint: these pages are reachable without logging in,
     which the login and error pages must be to avoid a redirect loop -->
<security-constraint>
    <web-resource-collection>
        <web-resource-name>unprotected resources</web-resource-name>
        <url-pattern>/login_placeholder.jsp</url-pattern>
        <url-pattern>/error_placeholder.jsp</url-pattern>
    </web-resource-collection>
</security-constraint>
<!-- Only members of authRole may reach the welcome page -->
<security-constraint>
    <web-resource-collection>
        <web-resource-name>protected resources</web-resource-name>
        <url-pattern>/welcome_placeholder.jsp</url-pattern>
    </web-resource-collection>
    <auth-constraint>
        <role-name>authRole</role-name>
    </auth-constraint>
</security-constraint>
<!-- The Usual Welcome File List -->
<welcome-file-list>
    <welcome-file>/welcome_placeholder.jsp</welcome-file>
</welcome-file-list>
<login-config>
    <realm-name>realm</realm-name>
    <auth-method>FORM</auth-method>
    <form-login-config>
        <form-login-page>/login_placeholder.jsp</form-login-page>
        <form-error-page>/error_placeholder.jsp</form-error-page>
    </form-login-config>
</login-config>
<security-role>
    <role-name>authRole</role-name>
</security-role>
<<<<---- cut - part of web.xml - end ---->>>>
<<<<---- cut - part of LDIF - begin ---->>>>
dn: uid=usera,ou=people,dc=acorp,dc=com
changetype: add
objectclass: top
objectclass: person
objectclass: organizationalPerson
objectclass: inetOrgPerson
uid: usera
mail: usera@acorp.com
cn: Authorized User
sn: User
userpassword: {SSHA}/J+00NUgSWm/iM1KIiR2GuR+E+ugezfz

dn: uid=userb,ou=people,dc=acorp,dc=com
changetype: add
objectclass: top
objectclass: person
objectclass: organizationalPerson
objectclass: inetOrgPerson
uid: userb
mail: userb@acorp.com
cn: Nonauthorized User
sn: User
userpassword: {SSHA}XYOUSJ7BcSHQ+5viFT8Zzoo6Mb3dGoLn

dn: cn=authRole,ou=roles,dc=acorp,dc=com
changetype: add
objectclass: top
objectclass: groupofuniquenames
cn: authRole
description: Group of users with access to app
uniqueMember: uid=usera,ou=people,dc=acorp,dc=com
<<<<---- cut - part of LDIF - end---->>>>
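Added example, not part of the original post: the Servlet specification has the container answer an authenticated user who fails an auth-constraint with a 403 rather than resend the login form, so the hook for this condition in a stock JBoss 4.0.x deployment is an error-page mapping in the same web.xml. The page name /forbidden_placeholder.jsp is an assumption chosen to match the naming above; it must not itself fall under a constraint requiring authRole, or the container cannot render it for the user it has just refused.

```xml
<!-- Added example (not from the original post): map the 403 the container
     sends for an authenticated-but-unauthorized user to a page of your own.
     /forbidden_placeholder.jsp is an assumed name; put it beside the other
     placeholder pages and keep it out of any auth-constraint so userb can
     actually see it. Placing this after welcome-file-list keeps the file
     valid under the Servlet 2.3 DTD ordering as well as the 2.4 schema. -->
<error-page>
    <error-code>403</error-code>
    <location>/forbidden_placeholder.jsp</location>
</error-page>
```

The container forwards to the location server-side, so the browser still receives status 403 with your page as the body; leave it that way rather than resetting the status to 200, since the denial would otherwise disappear from client behavior and access-log analysis. The page can read the javax.servlet.error.request_uri request attribute and request.getRemoteUser() to tell the user which resource was refused; it should not enumerate which roles would have been needed.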