Posted to dev@tomcat.apache.org by bu...@apache.org on 2001/10/05 20:06:00 UTC

DO NOT REPLY [Bug 3993] - j_security_check gives 403 error

DO NOT REPLY TO THIS EMAIL, BUT PLEASE POST YOUR BUG 
RELATED COMMENTS THROUGH THE WEB INTERFACE AVAILABLE AT
<http://nagoya.apache.org/bugzilla/show_bug.cgi?id=3993>.
ANY REPLY MADE TO THIS MESSAGE WILL NOT BE COLLECTED AND 
INSERTED IN THE BUG DATABASE.

http://nagoya.apache.org/bugzilla/show_bug.cgi?id=3993

j_security_check gives 403 error





------- Additional Comments From craig.mcclanahan@sun.com  2001-10-05 11:05 -------
Could you please provide a small webapp that illustrates this problem?

As background information, Tomcat's authenticator sends SC_FORBIDDEN (403) only
under the following circumstances:

* Request URI is protected by a security constraint that has an
  <auth-constraint> with no roles listed (i.e. no access at all is allowed
  to anyone)

* Request URI is protected by a security constraint that has an
  <auth-constraint> with one or more roles listed, and the
  authenticated user does not have one of those roles

* Request URI is protected by a security constraint that has a
  <user-data-constraint> requiring SSL, but redirection to the
  corresponding SSL port has been disabled.

Also, please ensure that your form login page is submitting *exactly* to
"j_security_check", as required by the Servlet Specification, version 2.3,
section 12.5.3.1.  Any other pattern will not be recognized by the logic that
makes this work even if the form login page is inside the area protected by a
security constraint.
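
The following is an added example, not part of the original message or of Tomcat's code: a small diagnostic that reads a web.xml and reports which security constraints can produce a 403 under the three conditions listed above, and checks that a login page's form posts exactly to "j_security_check". The sample web.xml, the function names and the role names are constructed for illustration; URL-pattern matching against a request URI is not modelled.

```python
import xml.etree.ElementTree as ET
from html.parser import HTMLParser

# Constructed sample web.xml (Servlet 2.3 style, no XML namespace).
WEB_XML = """<web-app>
  <security-constraint>
    <web-resource-collection><url-pattern>/private/*</url-pattern></web-resource-collection>
    <auth-constraint/>
  </security-constraint>
  <security-constraint>
    <web-resource-collection><url-pattern>/admin/*</url-pattern></web-resource-collection>
    <auth-constraint><role-name>admin</role-name></auth-constraint>
  </security-constraint>
  <security-constraint>
    <web-resource-collection><url-pattern>/pay/*</url-pattern></web-resource-collection>
    <user-data-constraint><transport-guarantee>CONFIDENTIAL</transport-guarantee></user-data-constraint>
  </security-constraint>
</web-app>"""

def forbidden_causes(web_xml, user_roles):
    """Return (url-patterns, reason) pairs for constraints that can produce a 403."""
    findings = []
    for sc in ET.fromstring(web_xml).iter("security-constraint"):
        patterns = ",".join(p.text.strip() for p in sc.iter("url-pattern"))
        auth = sc.find("auth-constraint")
        if auth is not None:  # the "*" role shorthand is not modelled here
            roles = {r.text.strip() for r in auth.findall("role-name")}
            if not roles:
                findings.append((patterns, "auth-constraint lists no roles"))
            elif not roles & set(user_roles):
                findings.append((patterns, "user lacks required role"))
        tg = sc.findtext("user-data-constraint/transport-guarantee", "").strip()
        if tg in ("CONFIDENTIAL", "INTEGRAL"):  # assumption: both imply SSL
            findings.append((patterns, "requires SSL; 403 if redirect is disabled"))
    return findings

class _Forms(HTMLParser):
    def __init__(self):
        super().__init__()
        self.actions = []
    def handle_starttag(self, tag, attrs):
        if tag == "form":
            self.actions.append(dict(attrs).get("action"))

def login_actions_ok(html):
    """True only if every form on the page posts exactly to j_security_check."""
    parser = _Forms()
    parser.feed(html)
    return bool(parser.actions) and all(a == "j_security_check" for a in parser.actions)
```

The login-page check applies the comment's wording literally, so an action with a leading path or any suffix is reported as not matching.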