2 Replies Latest reply on Feb 14, 2006 11:43 AM by Bob Blackard

    unexpected behavior with authenticated but unauthorized user

    Bob Blackard Newbie

      I've set up a test case for a user that is successfully authenticated but that is not authrorized by the security-constraint to access a servlet. I've tested other form basedlogin behavior and got the expected resuts. Accession page requireing authentication redirects to form-login-page, invalid credentials to form-error-page, valid credentials for authorized user to initial target.

      However, when I provide valid credentials for user that is not authorized, I get an HTTP Status 403 back. Other container managers I've used direct to form-login-page in this sittuation.

      What can I do to intercept this condition and redirect to a page of my choosing?

      I'm using JBoss 4.0.2 and the LdapLoginModule. Again, everything works except for this condition. Excerpts from web.xml and ldif follow. The usera gets in fine, userb gets a status 403.

      <<<<---- cut - part of web.xml - begin ---->>>>
      <security-constraint>
      <web-resource-collection>
      <web-resource-name>unprotected resources</web-resource-name>
      <url-pattern>/login_placeholder.jsp</url-pattern>
      <url-pattern>/error_placeholder.jsp</url-pattern>
      </web-resource-collection>
      </security-constraint>
      <security-constraint>
      <web-resource-collection>
      <web-resource-name>protected resources</web-resource-name>
      <url-pattern>/welcome_placeholder.jsp</url-pattern>
      </web-resource-collection>
      <auth-constraint>
      <role-name>authRole</role-name>
      </auth-constraint>
      </security-constraint>

      <!-- The Usual Welcome File List -->
      <welcome-file-list>
      <welcome-file>/welcome_placeholder.jsp</welcome-file>
      </welcome-file-list>

      <login-config>
      <realm-name>realm</realm-name>
      <auth-method>FORM</auth-method>
      <form-login-config>
      <form-login-page>/login_placeholder.jsp</form-login-page>
      <form-error-page>/error_placeholder.jsp</form-error-page>
      </form-login-config>
      </login-config>

      <security-role>
      <role-name>authRole</role-name>
      </security-role>
      <<<<---- cut - part of web.xml - end ---->>>>

      <<<<---- cut - part of LDIF - begin ---->>>>
      dn: uid=usera,ou=people,dc=acorp,dc=com
      changetype: add
      objectclass: top
      objectclass: person
      objectclass: organizationalPerson
      objectclass: inetOrgPerson
      uid: usera
      mail: usera@acorp.com
      cn: Authorized User
      sn: User
      userpassword: {SSHA}/J+00NUgSWm/iM1KIiR2GuR+E+ugezfz

      dn: uid=userb,ou=people,dc=acorp,dc=com
      changetype: add
      objectclass: top
      objectclass: person
      objectclass: organizationalPerson
      objectclass: inetOrgPerson
      uid: userb
      mail: userb@acorp.com
      cn: Nonauthorized User
      sn: User
      userpassword: {SSHA}XYOUSJ7BcSHQ+5viFT8Zzoo6Mb3dGoLn

      dn: cn=authRole,ou=roles,dc=acorp,dc=com
      changetype: add
      objectclass: top
      objectclass: groupofuniquenames
      cn: authRole
      description: Group of users with access to app
      uniqueMember: uid=usera,ou=people,dc=acorp,dc=com
      <<<<---- cut - part of LDIF - end---->>>>