Curtis Garman wrote:
I'm interested in what others have to say about this too...for
instance there is no provision for disabling an account either...if
the account exists you can log in with it.
I'm not sure I understand the second part of your question about
authorization...do you mean authorization or authentication?...if you
really mean authentication, it sounds to me like you don't have
something set up correctly...you should be getting a 403 access denied
in both Firefox and IE if login fails. Authorization has nothing to do
with form based authentication and would be handled by the container
based on the roles you create.
Curtis

I meant authorization. Consider a scenario as follows. There are two users,
admin and user. Consider two pages adminPage.jsp and userPage.jsp. Admin has
rights to both the pages but user can access only userPage.jsp. Let's assume
that the user logs in as user (not admin) and accesses userPage.jsp. It is
fine up to this point because user has access to userPage.jsp. But what
happens if the user tries to access adminPage.jsp for which he is not
authorized? As you have indicated it should fail through 403 access denied.
But, I am getting HTTP 404 - File not found in IE and a blank page in
Mozilla.
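Added example (not part of either message, and not taken from the poster's application): a web.xml that expresses the adminPage.jsp / userPage.jsp scenario above as container-managed authorization with FORM login. The role names admin and user and the pages /login.jsp, /loginError.jsp and /accessDenied.jsp are assumptions. With constraints like these, the Servlet specification has the container answer an authenticated caller who holds none of the listed roles with HTTP 403.

```xml
<?xml version="1.0" encoding="UTF-8"?>
<web-app xmlns="http://java.sun.com/xml/ns/javaee"
         xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
         xsi:schemaLocation="http://java.sun.com/xml/ns/javaee
                             http://java.sun.com/xml/ns/javaee/web-app_2_5.xsd"
         version="2.5">

  <!-- adminPage.jsp: only callers in the (assumed) admin role -->
  <security-constraint>
    <web-resource-collection>
      <web-resource-name>Admin page</web-resource-name>
      <url-pattern>/adminPage.jsp</url-pattern>
      <!-- no http-method element: the constraint covers every method -->
    </web-resource-collection>
    <auth-constraint>
      <role-name>admin</role-name>
    </auth-constraint>
  </security-constraint>

  <!-- userPage.jsp: callers in either role -->
  <security-constraint>
    <web-resource-collection>
      <web-resource-name>User page</web-resource-name>
      <url-pattern>/userPage.jsp</url-pattern>
    </web-resource-collection>
    <auth-constraint>
      <role-name>admin</role-name>
      <role-name>user</role-name>
    </auth-constraint>
  </security-constraint>

  <!-- Authentication only: FORM login decides who the caller is -->
  <login-config>
    <auth-method>FORM</auth-method>
    <form-login-config>
      <form-login-page>/login.jsp</form-login-page>       <!-- assumed path -->
      <form-error-page>/loginError.jsp</form-error-page>  <!-- assumed path -->
    </form-login-config>
  </login-config>

  <!-- Every role named in an auth-constraint is declared here -->
  <security-role><role-name>admin</role-name></security-role>
  <security-role><role-name>user</role-name></security-role>

  <!-- Optional custom page for 403; the location (assumed path) must
       resolve to a real resource inside the web application -->
  <error-page>
    <error-code>403</error-code>
    <location>/accessDenied.jsp</location>
  </error-page>
</web-app>
```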