You are viewing a plain text version of this content. The canonical link for it is here.

Posted to dev@tomcat.apache.org by "Bragg, Casey" <Ca...@allegiancetelecom.com> on 2001/08/28 07:09:08 UTC

Follow Up: 403 error-page N/W

I found one more detail...

My 403 error page works if the 403 is caused by a filter, but it doesn't
work if caused by JDBCRealm.

consider the file /secured/junk.html
- which is protected by a security constraint which is Form based and tied
to JDBCRealm (I'm sure that's bad wording... I hope you get the idea...)
- if I login as a user with the correct role to access /secured/junk.html,
but I force my filter to cause a 403 for that file, my 403 error page is
displayed correctly.
- if I login as a user WITHOUT the correct role to access
/secures/junk.html, my custom 403 error page is NOT accessed.
- if I login as a user WITHOUT the correct role to access
/secures/junk.html, and I force my filter to cause a 403 for that file, my
custom 403 error page is still NOT accessed.

Hopefully I've given some good clues now...

Thanks.. 
...Casey



-----Original Message-----
From: Bragg, Casey [mailto:Casey.Bragg@allegiancetelecom.com]
Sent: Monday, August 27, 2001 8:56 PM
To: tomcat-dev@jakarta.apache.org
Subject: 403 error-page N/W : I guess its just me


Is it just me?  Does anybody have tomcat working with a custom 403 page?  If
not, this seems like a big problem.  

Any help greatly appreciated... This is really screwing up my login flow.

Thanks... 

...Casey

>From Sunday's post...

I'm trying to get tomcat to use my 403 forbidden error page.  I've had no
luck with it so far.  My 404 page works fine.  I have this problem even if I
turn off IE friendly error messages.

Using tomcat 4.0b7, JDBCRealm (against mySQL), running on Linux.

from web-xml :

   <error-page>
      <error-code>404</error-code>
      <location>/security/status/notfound.jsp</location>
   </error-page>   

   <error-page>
      <error-code>403</error-code>
      <location>/security/status/forbidden.jsp</location>
   </error-page>



from localhost_access_log : 

(Here's where I hit a forbidden page)...
192.168.1.100 - - [26/Aug/2001:13:14:13 -0600] "POST
/security/j_security_check
HTTP/1.1" 302 -
192.168.1.100 - guest [26/Aug/2001:13:14:13 -0600] "GET /secured/index.jsp
HTTP/
1.1" 403 -

(Here's where I hit a page that doesn't exist)...
192.168.1.100 - guest [26/Aug/2001:13:14:30 -0600] "GET /asdasdas HTTP/1.1"
200
1561


from catalina.out

XmlMapper: new null org.apache.catalina.deploy.ErrorPage error-page
ErrorPage[er
rorCode=0, location=null]
XmlMapper: org.apache.catalina.deploy.ErrorPage.setErrorCode( 403)
XmlMapper: org.apache.catalina.deploy.ErrorPage.setLocation(
/security/status/fo
rbidden.jsp)
XmlMapper: Calling org.apache.catalina.core.StandardContext.addErrorPage
ErrorPa
ge[errorCode=403, location=/security/status/forbidden.jsp]
XmlMapper: pop error-page org.apache.catalina.deploy.ErrorPage:
ErrorPage[errorC
ode=403, location=/security/status/forbidden.jsp]

Re: Follow Up: 403 error-page N/W

Posted by "Craig R. McClanahan" <cr...@apache.org>.

On Tue, 28 Aug 2001, Bragg, Casey wrote:

> Date: Tue, 28 Aug 2001 00:09:08 -0500
> From: "Bragg, Casey" <Ca...@allegiancetelecom.com>
> Reply-To: tomcat-dev@jakarta.apache.org
> To: tomcat-dev@jakarta.apache.org
> Subject: Follow Up: 403 error-page N/W
>
> I found one more detail...
>
> My 403 error page works if the 403 is caused by a filter, but it doesn't
> work if caused by JDBCRealm.
>

That makes sense, given the current implementation of error pages.

Right now, it's performed immediately after the filter chain returns --
but the processing is already done by the time the JDBCRealm valve can
throw a 403 error.  This will take some slight refactoring to fix.

Craig