Posted to dev@tomcat.apache.org by bu...@apache.org on 2001/09/28 17:48:04 UTC

DO NOT REPLY [Bug 3865] - 403 response code .

DO NOT REPLY TO THIS EMAIL, BUT PLEASE POST YOUR BUG 
RELATED COMMENTS THROUGH THE WEB INTERFACE AVAILABLE AT
<http://nagoya.apache.org/bugzilla/show_bug.cgi?id=3865>.
ANY REPLY MADE TO THIS MESSAGE WILL NOT BE COLLECTED AND 
INSERTED IN THE BUG DATABASE.

http://nagoya.apache.org/bugzilla/show_bug.cgi?id=3865

403 response code .

craig.mcclanahan@sun.com changed:

           What    |Removed                     |Added
----------------------------------------------------------------------------
             Status|NEW                         |RESOLVED
         Resolution|                            |INVALID
------- Additional Comments From craig.mcclanahan@sun.com  2001-09-28 08:48 -------
According to the servlet specification, the login page is only displayed if the
container does not know who the user is.  Since you are already logged in, it
*does* know who you are.  When it checks your roles against those required by
your security constraint, a 403 (Forbidden) error is the correct and required
response if you do not possess the appropriate role.  If Tomcat 3.x did
something different, then it was broken.

Note that you can customize the look and feel of the error by registering an
error page handler for the 403 status code:

    <error-page>
        <error-code>403</error-code>
        <location>/my-403-error-page.jsp</location>
    </error-page>

in the web.xml file.  The text on this page could offer a link that invalidates
the session (logging you off) and then redirects to the page you tried to access
(which will trigger the login dialog again since it is protected).

WARNING:  This technique won't work in the 4.0 final release, because of a bug
in the way error pages for HTTP errors issued by the container are handled --
but this will be fixed in the upcoming 4.0.1 release.
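The custom 403 page with a log-off-and-retry link described in the comment, written out as an added servlet example (not Tomcat's code and not the commenter's). The class name, the /forbidden mapping and the `retry`/`next` parameters are assumptions; the originally denied URI comes from the standard `javax.servlet.error.request_uri` attribute, and the redirect target is restricted to this web application so the link cannot be abused as an open redirect.

```java
import java.io.IOException;
import java.io.PrintWriter;
import java.net.URLEncoder;
import javax.servlet.ServletException;
import javax.servlet.http.HttpServlet;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;
import javax.servlet.http.HttpSession;

// Hypothetical 403 page servlet (not Tomcat's code). Assumed setup in web.xml:
//   <error-page><error-code>403</error-code><location>/forbidden</location></error-page>
// plus a servlet-mapping of this class to /forbidden.
public class ForbiddenPageServlet extends HttpServlet {
    // Request attribute the container sets when it forwards to an error page.
    private static final String ERROR_URI = "javax.servlet.error.request_uri";

    protected void doGet(HttpServletRequest req, HttpServletResponse resp)
            throws ServletException, IOException {
        String ctx = req.getContextPath();
        if ("1".equals(req.getParameter("retry"))) {
            // The user clicked "log off and try again": drop the authenticated identity.
            HttpSession session = req.getSession(false);
            if (session != null) {
                session.invalidate();
            }
            // Re-requesting the protected page anonymously triggers the login dialog.
            resp.sendRedirect(safeLocalTarget(req.getParameter("next"), ctx));
            return;
        }
        // Otherwise render the custom 403 page for the request that was denied.
        String next = safeLocalTarget((String) req.getAttribute(ERROR_URI), ctx);
        resp.setContentType("text/html");
        PrintWriter out = resp.getWriter();
        out.println("<html><body><h1>403 Forbidden</h1>");
        out.println("<p>Your account does not hold a role required for this page.</p>");
        out.println("<p><a href=\"" + ctx + "/forbidden?retry=1&amp;next="
                + URLEncoder.encode(next, "UTF-8") + "\">Log off and try again</a></p>");
        out.println("</body></html>");
    }

    // Accept only paths inside this web application; anything else falls back to
    // the context root, so the retry link cannot be turned into an open redirect.
    static String safeLocalTarget(String uri, String ctx) {
        if (uri == null || !uri.startsWith(ctx + "/") || uri.startsWith("//")
                || uri.indexOf('\\') >= 0 || uri.indexOf('\r') >= 0 || uri.indexOf('\n') >= 0) {
            return ctx + "/";
        }
        return uri;
    }
}
```

As the comment warns, a container-issued 403 is not routed to this page on Tomcat 4.0 final; the mapping only takes effect once that error-page bug is fixed.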