Here's the scenario:
Jboss-3.0.8 + Tomcat-4.1.24
I log in to my app as 'cust1' who is assigned role 'Customer' in my security DB.
'cust1' then requests a path which, in web.xml, is protected under role 'Admin'.
The container should recognize this user as an authenticated user and it should recognize this request as an unauthorized request. And it appears as though it does. (It doesn't permit access but instead routes the user to the index.jsp page).
So what I'd like to know is why the container routes the request to my index.jsp page. I don't see anything in the logs prior to the index.jsp being rendered/processed.
Just what is a J2EE web container's policy on where to go if the authenticated user doesn't have the required access rights to a requested resource?
Ah, found the answer.
The container generates an 'HTTP Status 403 - Access to the requested resource has been denied' response which is caught by the <error-page> tag in web.xml and directed to a custom error page which I set (a long time ago!) to my index page.
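As an added illustration (not the poster's own deployment descriptor), this is the shape of a Servlet 2.3 web.xml that produces exactly the behaviour described: a FORM-authenticated user holding only the Customer role hits an Admin-only path, the container answers 403, and the <error-page> mapping forwards that 403 to index.jsp. The /admin/* pattern and the login page names are assumptions; the commented alternative shows a dedicated 403 page so that denied requests stay distinguishable from normal navigation in the logs.

```xml
<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE web-app PUBLIC
  "-//Sun Microsystems, Inc.//DTD Web Application 2.3//EN"
  "http://java.sun.com/dtd/web-app_2_3.dtd">
<web-app>
  <display-name>example-app</display-name> <!-- assumed name -->

  <!-- Error pages must precede security elements in the 2.3 DTD order. -->
  <!-- This is the mapping the poster had forgotten about: every 403
       (container-generated or sent by a servlet) is forwarded here. -->
  <error-page>
    <error-code>403</error-code>
    <location>/index.jsp</location>
  </error-page>
  <!-- Preferable: a dedicated page, so a denial is visible as a denial.
  <error-page>
    <error-code>403</error-code>
    <location>/forbidden.jsp</location>
  </error-page>
  -->

  <!-- Assumed protected path: only Admin may reach anything under /admin/ -->
  <security-constraint>
    <web-resource-collection>
      <web-resource-name>Admin area</web-resource-name>
      <url-pattern>/admin/*</url-pattern>
    </web-resource-collection>
    <auth-constraint>
      <role-name>Admin</role-name>
    </auth-constraint>
  </security-constraint>

  <!-- FORM login; page names are assumptions -->
  <login-config>
    <auth-method>FORM</auth-method>
    <realm-name>example-realm</realm-name>
    <form-login-config>
      <form-login-page>/login.jsp</form-login-page>
      <form-error-page>/login-error.jsp</form-error-page>
    </form-login-config>
  </login-config>

  <!-- Both roles must be declared; cust1 holds only Customer -->
  <security-role><role-name>Admin</role-name></security-role>
  <security-role><role-name>Customer</role-name></security-role>
</web-app>
```

With the first <error-page> in place, a logged-in Customer requesting /admin/ is authenticated but fails the <auth-constraint>, so the 403 is generated and immediately forwarded to /index.jsp, which is why nothing shows up in the logs before index.jsp renders.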