Greetings, I'm new to Tomcat and this mailing list, and have a question regarding configuring Tomcat to simply disallow access to .jsp pages which I have been protected via the <security-constraint/> in my web app web.xml file.
>From what I understand, the following should do the trick and cause a 403 error to be sent to the browser by the container. I would like to trap that error code and display a user friendly page (I chose any page so I would know it's working). I've simply modified the Tomcat jsp-examples web app. Here's a snippet of the necessary artifacts in the web.xml file. <error-page> <error-code>403</error-code> <location>/dates/date.jsp</location> </error-page> <security-constraint> <display-name>Example Security Constraint</display-name> <web-resource-collection> <web-resource-name>Protected Area</web-resource-name> <url-pattern>/security/protected/*</url-pattern> </web-resource-collection> </security-constraint> I believe the constraint is working, but I don't think the <error-page/> is "catching" the 403 status code. This is probably because a 403 status code is not returned, but rather a 200 (I verified this by looking at the response headers). Anyhow, the content of the returned page is below within the <content/>: <content> You are logged in as remote user null in session D97EE937BEC953A7E82E42B3956AED86 No user principal could be identified. To check whether your username has been granted a particular role, enter it here: If you have configured this app for form-based authentication, you can log off by clicking here. This should cause you to be returned to the logon page after the redirect that is performed. </content> I'm sure this has happened to someone else, I just cannot find where. I googled and didn't come up with much. I searched the archives using "You are logged in as remote user null in session" and no matches were found. Any help would be greatly appreciated. /robert --------------------------------------------------------------------- To unsubscribe, e-mail: [EMAIL PROTECTED] For additional commands, e-mail: [EMAIL PROTECTED]