Posted to users@tomcat.apache.org by "vals@internode" <va...@internode.on.net> on 2006/06/09 06:32:39 UTC

Tomcat 5.5.17 protected pages JSP examples with valid user and invalid role results in msg 403.

Hi,

I am having a problem with the Tomcat 5.5.17 JSP example of accessing protected 
pages
(example:  http://localhost:8080/jsp-examples/security/protected/)

Logging in with a valid user and role (user/password/role="tomcat/tomcat/tomcat") 
works fine.
Logging in with a valid user and an invalid role 
(user/password/role="role1/tomcat/role1") results in msg 403
(HTTP Status 403 - Access to the requested resource has been denied).
I am using supplied tomcat-users.xml.

Before experimenting I made this role (role1) invalid by editing 
webapps/jsp-examples/WEB-INF/web.xml file like:
...
<auth-constraint>
  <role-name>tomcat</role-name>
  <!-- role-name>role1</role-name -->
</auth-constraint>
...

After receiving msg 403 the application will not work even with the valid user 
role (msg 403 produced).

I found the same problem for Tomcat4 reported at:
http://mail-archives.apache.org/mod_mbox/tomcat-dev/200204.mbox/%3C20020428190814.1943.qmail@nagoya.betaversion.org%3E

I also have seen somewhere that it was reported to be fixed for Tomcat4.

Did the old problem penetrate to Tomcat 5.5.17 or
did I forget to configure something?

Regards,
Val. 


---------------------------------------------------------------------
To start a new topic, e-mail: users@tomcat.apache.org
To unsubscribe, e-mail: users-unsubscribe@tomcat.apache.org
For additional commands, e-mail: users-help@tomcat.apache.org


Re: Tomcat 5.5.17 protected pages JSP examples with valid user and invalid role results in msg 403.

Posted by "vals@internode" <va...@internode.on.net>.
Hi, Reinhard,

> - Error 403 seems completely suitable from your words
I think that a normal error page, configured in the web.xml <form-error-page> tag, 
would be more logical.

> - Browsers always store Login Info until the browser window is closed
>  (No session here, this applies only to basic-auth!)
>   With form auth: you can always provide a logout-button
And this logout-button will invalidate the session, right?
But this will not stop msg 403 from appearing after the 1st incorrect role attempt, as 
I mentioned before.
I was using the standard example with form auth!

> - If the standard error page is too unfriendly, provide a custom error page
Yes, it is possible; I forgot about the <error-page> tag, thank you.
But still, the problems mentioned above prevail.

Regards,
Val.

>
> If you think tomcat forgot to handle the 403, provide a page which handles
> this error and lets the user log out and continue to another page.
>
> It is not illogical, because your case is rare enough to not be handled by
> default. Let us know if this is good enough for you.
>
> regards,
>
>
> R.
>
> On Tuesday, 13 June 2006 09:59, vals@internode wrote:
>> Hi,
>> I received a response from Mark to the problem described below,
>> which was: "not an issue"/"as per specs".
>> Does not look like that to me, because:
>>
>> 1) After trying to log in as a valid user and receiving the 403 msg,
>> you cannot log in with a valid user role even after invalidating the
>> session.
>> So what is the user supposed to do (after entering a username with an
>> incorrect role)?
>> a. Ask maintenance team to restart application?
>> b. Clean the cookies? (most users do not even know what the cookie is)
>> These are the only things that will allow him to access the page again.
>> How can this behavior be "not an issue"?
>>
>> 2) msg 403 as a per-specs response to a user's attempt to access a
>> protected page with a valid user and invalid role does not look logical.
>>     Reason:
>>     a. after entering a completely wrong username the user is redirected to
>> a reasonably friendly custom error page.
>>     b. after entering a correct username with an incorrect role the user sees
>> the unfriendly msg 403.
>>     The reaction to the smaller mistake (case b) is less user friendly than for
>> case a.
>>     This seems illogical.
>>
>> Regards,
>> Val.
>>
>>
>> ----- Original Message -----
>> From: "Mark Thomas" <ma...@apache.org>
>> To: "Tomcat Users List" <us...@tomcat.apache.org>
>> Sent: Friday, June 09, 2006 21:04
>> Subject: Re: Tomcat 5.5.17 protected pages JSP examples with valid user 
>> and
>> invalid role results in msg 403.
>>
>> > vals@internode wrote:
>> >> Hi,
>> >>
>> >> I am having a problem with the Tomcat 5.5.17 JSP example of accessing
>> >> protected pages
>> >> (example:  http://localhost:8080/jsp-examples/security/protected/)
>> >>
>> >> Logging in with a valid user and role:
>> >> user/password/role="tomcat/tomcat/tomcat" works fine.
>> >> Logging in with a valid user and an invalid role
>> >> (user/password/role="role1/tomcat/role1") results in msg 403
>> >> (HTTP Status 403 - Access to the requested resource has been denied).
>> >> I am using supplied tomcat-users.xml.
>> >>
>> >> Before experimenting I made this role (role1) invalid by editing
>> >> webapps/jsp-examples/WEB-INF/web.xml file like:
>> >> ...
>> >> <auth-constraint>
>> >>  <role-name>tomcat</role-name>
>> >>  <!-- role-name>role1</role-name -->
>> >> </auth-constraint>
>> >> ...
>> >>
>> >> After receiving msg 403 the application will not work even with the valid
>> >> user role (msg 403 produced).
>> >>
>> >> I found the same problem for Tomcat4 reported at:
>> >> http://mail-archives.apache.org/mod_mbox/tomcat-dev/200204.mbox/%3C20020
>> >>428190814.1943.qmail@nagoya.betaversion.org%3E
>> >
>> > This was resolved as INVALID. See
>> > http://issues.apache.org/bugzilla/show_bug.cgi?id=8607
>> >
>> >> I also have seen somewhere that it was reported to be fixed for 
>> >> Tomcat4.
>> >
>> > Not fixed, it was never an issue. See above.
>> >
>> >> Did the old problem penetrate to Tomcat 5.5.17 or
>> >> did I forget to configure something?
>> >
>> > No, there isn't an issue.
>> >
>> > Mark
>> >




Re: Tomcat 5.5.17 protected pages JSP examples with valid user and invalid role results in msg 403.

Posted by Reinhard Moosauer <rm...@moosauer.de>.
Hi,

please consider the following:
- Error 403 seems completely suitable from your words
- Browsers always store Login Info until the browser window is closed 
  (No session here, this applies only to basic-auth!)
   With form auth: you can always provide a logout-button
- If the standard error page is too unfriendly, provide a custom error page

If you think tomcat forgot to handle the 403, provide a page which handles 
this error and lets the user log out and continue to another page.

It is not illogical, because your case is rare enough to not be handled by 
default. Let us know if this is good enough for you.

regards,


R.

On Tuesday, 13 June 2006 09:59, vals@internode wrote:
> Hi,
> I received a response from Mark to the problem described below,
> which was: "not an issue"/"as per specs".
> Does not look like that to me, because:
>
> 1) After trying to log in as a valid user and receiving the 403 msg,
> you cannot log in with a valid user role even after invalidating the
> session.
> So what is the user supposed to do (after entering a username with an
> incorrect role)?
> a. Ask maintenance team to restart application?
> b. Clean the cookies? (most users do not even know what the cookie is)
> These are the only things that will allow him to access the page again.
> How can this behavior be "not an issue"?
>
> 2) msg 403 as a per-specs response to a user's attempt to access a
> protected page with a valid user and invalid role does not look logical.
>     Reason:
>     a. after entering a completely wrong username the user is redirected to
> a reasonably friendly custom error page.
>     b. after entering a correct username with an incorrect role the user sees
> the unfriendly msg 403.
>     The reaction to the smaller mistake (case b) is less user friendly than for
> case a.
>     This seems illogical.
>
> Regards,
> Val.
>
>
> ----- Original Message -----
> From: "Mark Thomas" <ma...@apache.org>
> To: "Tomcat Users List" <us...@tomcat.apache.org>
> Sent: Friday, June 09, 2006 21:04
> Subject: Re: Tomcat 5.5.17 protected pages JSP examples with valid user and
> invalid role results in msg 403.
>
> > vals@internode wrote:
> >> Hi,
> >>
> >> I am having a problem with the Tomcat 5.5.17 JSP example of accessing
> >> protected pages
> >> (example:  http://localhost:8080/jsp-examples/security/protected/)
> >>
> >> Logging in with a valid user and role:
> >> user/password/role="tomcat/tomcat/tomcat" works fine.
> >> Logging in with a valid user and an invalid role
> >> (user/password/role="role1/tomcat/role1") results in msg 403
> >> (HTTP Status 403 - Access to the requested resource has been denied).
> >> I am using supplied tomcat-users.xml.
> >>
> >> Before experimenting I made this role (role1) invalid by editing
> >> webapps/jsp-examples/WEB-INF/web.xml file like:
> >> ...
> >> <auth-constraint>
> >>  <role-name>tomcat</role-name>
> >>  <!-- role-name>role1</role-name -->
> >> </auth-constraint>
> >> ...
> >>
> >> After receiving msg 403 the application will not work even with the valid
> >> user role (msg 403 produced).
> >>
> >> I found the same problem for Tomcat4 reported at:
> >> http://mail-archives.apache.org/mod_mbox/tomcat-dev/200204.mbox/%3C20020
> >>428190814.1943.qmail@nagoya.betaversion.org%3E
> >
> > This was resolved as INVALID. See
> > http://issues.apache.org/bugzilla/show_bug.cgi?id=8607
> >
> >> I also have seen somewhere that it was reported to be fixed for Tomcat4.
> >
> > Not fixed, it was never an issue. See above.
> >
> >> Did the old problem penetrate to Tomcat 5.5.17 or
> >> did I forget to configure something?
> >
> > No, there isn't an issue.
> >
> > Mark
> >

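Reinhard's two suggestions above (declare a custom error page for 403, and give FORM-authenticated users a way to log out) are both wired up in the web application's web.xml. The fragment below is an added illustration written for this editorial pass; it is not from the thread and not the web.xml shipped with Tomcat's jsp-examples. It keeps Val's edit of granting only the tomcat role, and the page paths (/security/protected/login.jsp, /security/protected/error.jsp, /forbidden.jsp) are assumed names.

```xml
<!-- Added illustration, not from this thread or from Tomcat's jsp-examples.
     Page paths below are assumed names for this example. -->
<web-app xmlns="http://java.sun.com/xml/ns/j2ee"
         xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
         xsi:schemaLocation="http://java.sun.com/xml/ns/j2ee
                             http://java.sun.com/xml/ns/j2ee/web-app_2_4.xsd"
         version="2.4">

  <!-- Authorization: only the "tomcat" role may reach the protected area.
       A user who authenticates successfully but holds only "role1" is
       denied, which is what the container reports as HTTP 403. -->
  <security-constraint>
    <web-resource-collection>
      <web-resource-name>Protected Area</web-resource-name>
      <url-pattern>/security/protected/*</url-pattern>
    </web-resource-collection>
    <auth-constraint>
      <role-name>tomcat</role-name>
    </auth-constraint>
  </security-constraint>

  <!-- Every role referenced in an auth-constraint must be declared. -->
  <security-role>
    <role-name>tomcat</role-name>
  </security-role>

  <!-- Authentication: FORM login. form-error-page is shown only when the
       credentials themselves are rejected; a valid login that lacks the
       required role is an authorization failure and goes to the 403
       handler below instead. -->
  <login-config>
    <auth-method>FORM</auth-method>
    <realm-name>Example Form-Based Authentication Area</realm-name>
    <form-login-config>
      <form-login-page>/security/protected/login.jsp</form-login-page>
      <form-error-page>/security/protected/error.jsp</form-error-page>
    </form-login-config>
  </login-config>

  <!-- Friendly page for 403. Its location must lie OUTSIDE the constrained
       url-pattern; a handler under /security/protected/ would be denied by
       the same constraint and the user would never see it. -->
  <error-page>
    <error-code>403</error-code>
    <location>/forbidden.jsp</location>
  </error-page>

</web-app>
```

The page at /forbidden.jsp is where the logout button Reinhard mentions belongs: with FORM authentication the container keeps the authenticated principal in the HTTP session, so that page can call `session.invalidate()` and link back to the application, after which the next request to the protected area is challenged by the login form again. Keep the 403 page free of any detail about which role was missing or which roles exist; the user only needs to know they are not permitted and how to log out.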


Re: Tomcat 5.5.17 protected pages JSP examples with valid user and invalid role results in msg 403.

Posted by "vals@internode" <va...@internode.on.net>.
Hi,
I received a response from Mark to the problem described below,
which was: "not an issue"/"as per specs".
Does not look like that to me, because:

1) After trying to log in as a valid user and receiving the 403 msg,
you cannot log in with a valid user role even after invalidating the 
session.
So what is the user supposed to do (after entering a username with an incorrect 
role)?
a. Ask maintenance team to restart application?
b. Clean the cookies? (most users do not even know what the cookie is)
These are the only things that will allow him to access the page again.
How can this behavior be "not an issue"?

2) msg 403 as a per-specs response to a user's attempt to access a
protected page with a valid user and invalid role does not look logical.
    Reason:
    a. after entering a completely wrong username the user is redirected to 
a reasonably friendly custom error page.
    b. after entering a correct username with an incorrect role the user sees 
the unfriendly msg 403.
    The reaction to the smaller mistake (case b) is less user friendly than for case 
a.
    This seems illogical.

Regards,
Val.


----- Original Message ----- 
From: "Mark Thomas" <ma...@apache.org>
To: "Tomcat Users List" <us...@tomcat.apache.org>
Sent: Friday, June 09, 2006 21:04
Subject: Re: Tomcat 5.5.17 protected pages JSP examples with valid user and 
invalid role results in msg 403.


> vals@internode wrote:
>> Hi,
>>
>> I am having a problem with the Tomcat 5.5.17 JSP example of accessing
>> protected pages
>> (example:  http://localhost:8080/jsp-examples/security/protected/)
>>
>> Logging in with a valid user and role:
>> user/password/role="tomcat/tomcat/tomcat" works fine.
>> Logging in with a valid user and an invalid role
>> (user/password/role="role1/tomcat/role1") results in msg 403
>> (HTTP Status 403 - Access to the requested resource has been denied).
>> I am using supplied tomcat-users.xml.
>>
>> Before experimenting I made this role (role1) invalid by editing
>> webapps/jsp-examples/WEB-INF/web.xml file like:
>> ...
>> <auth-constraint>
>>  <role-name>tomcat</role-name>
>>  <!-- role-name>role1</role-name -->
>> </auth-constraint>
>> ...
>>
>> After receiving msg 403 the application will not work even with the valid
>> user role (msg 403 produced).
>>
>> I found the same problem for Tomcat4 reported at:
>> http://mail-archives.apache.org/mod_mbox/tomcat-dev/200204.mbox/%3C20020428190814.1943.qmail@nagoya.betaversion.org%3E
>
> This was resolved as INVALID. See
> http://issues.apache.org/bugzilla/show_bug.cgi?id=8607
>
>> I also have seen somewhere that it was reported to be fixed for Tomcat4.
>
> Not fixed, it was never an issue. See above.
>
>>
>> Did the old problem penetrate to Tomcat 5.5.17 or
>> did I forget to configure something?
>
> No, there isn't an issue.
>
> Mark
>




Re: Tomcat 5.5.17 protected pages JSP examples with valid user and invalid role results in msg 403.

Posted by Mark Thomas <ma...@apache.org>.
vals@internode wrote:
> Hi,
> 
> I am having a problem with the Tomcat 5.5.17 JSP example of accessing
> protected pages
> (example:  http://localhost:8080/jsp-examples/security/protected/)
> 
> Logging in with a valid user and role:
> user/password/role="tomcat/tomcat/tomcat" works fine.
> Logging in with a valid user and an invalid role
> (user/password/role="role1/tomcat/role1") results in msg 403
> (HTTP Status 403 - Access to the requested resource has been denied).
> I am using supplied tomcat-users.xml.
> 
> Before experimenting I made this role (role1) invalid by editing
> webapps/jsp-examples/WEB-INF/web.xml file like:
> ...
> <auth-constraint>
>  <role-name>tomcat</role-name>
>  <!-- role-name>role1</role-name -->
> </auth-constraint>
> ...
> 
> After receiving msg 403 the application will not work even with the valid
> user role (msg 403 produced).
> 
> I found the same problem for Tomcat4 reported at:
> http://mail-archives.apache.org/mod_mbox/tomcat-dev/200204.mbox/%3C20020428190814.1943.qmail@nagoya.betaversion.org%3E

This was resolved as INVALID. See
http://issues.apache.org/bugzilla/show_bug.cgi?id=8607

> I also have seen somewhere that it was reported to be fixed for Tomcat4.

Not fixed, it was never an issue. See above.

> 
> Did the old problem penetrate to Tomcat 5.5.17 or
> did I forget to configure something?

No, there isn't an issue.

Mark
