Greetings, 

I'm new to Tomcat and this mailing list, and have a question
regarding configuring Tomcat to simply disallow access to .jsp pages
which I have protected via the <security-constraint/> in my web app
web.xml file.

From what I understand, the following should do the trick and cause
a 403 error to be sent to the browser by the container. I would like
to trap that error code and display a user-friendly page (I chose any page
so I would know it's working).

I've simply modified the Tomcat jsp-examples web app. Here's a snippet
of the necessary artifacts in the web.xml file.



<error-page>
    <error-code>403</error-code>
    <location>/dates/date.jsp</location>
</error-page>

<security-constraint>
    <display-name>Example Security Constraint</display-name>
    <web-resource-collection>
        <web-resource-name>Protected Area</web-resource-name>
        <url-pattern>/security/protected/*</url-pattern>
    </web-resource-collection>
</security-constraint>


I believe the constraint is working, but I don't think the 
<error-page/> is "catching" the 403 status code. This is probably
because a 403 status code is not returned, but rather a 200 (I verified
this by looking at the response headers).

Anyhow, the content of the returned page is below within the <content/>:


<content>
You are logged in as remote user null in session D97EE937BEC953A7E82E42B3956AED86

No user principal could be identified.

To check whether your username has been granted a particular role, enter it here:

If you have configured this app for form-based authentication, you can log off by
clicking here. This should cause you to be returned to the logon page after the
redirect that is performed.
</content>

I'm sure this has happened to someone else, I just cannot find where.
I googled and didn't come up with much. I searched the archives using
"You are logged in as remote user null in session" and no matches were
found.

Any help would be greatly appreciated.

/robert
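
The following is an added example, not part of the original message and not Tomcat code. Under the Servlet specification a `<security-constraint>` with no `<auth-constraint>` requires no authentication, while an empty `<auth-constraint/>` denies all access, and a denied request is what makes the container send 403. The checker classifies each constrained URL pattern accordingly. The `/security/denied/*` pattern and the function names are hypothetical, and HTTP-method restrictions and the merging of overlapping constraints are not modelled.

```python
import xml.etree.ElementTree as ET

# Constructed sample: the constraint from the message plus a hypothetical deny-all one.
WEB_XML = """<web-app>
  <security-constraint>
    <web-resource-collection>
      <web-resource-name>Protected Area</web-resource-name>
      <url-pattern>/security/protected/*</url-pattern>
    </web-resource-collection>
  </security-constraint>
  <security-constraint>
    <web-resource-collection>
      <web-resource-name>Denied Area</web-resource-name>
      <url-pattern>/security/denied/*</url-pattern>
    </web-resource-collection>
    <auth-constraint/>
  </security-constraint>
</web-app>"""


def local(tag):
    """Strip an XML namespace prefix such as {http://java.sun.com/xml/ns/j2ee}."""
    return tag.rsplit("}", 1)[-1]


def classify(constraint):
    """Return the access rule the Servlet spec assigns to one constraint."""
    auth = [c for c in constraint if local(c.tag) == "auth-constraint"]
    if not auth:
        return "open"        # no auth-constraint: no authentication required
    roles = [r.text.strip() for a in auth for r in a
             if local(r.tag) == "role-name" and r.text]
    if not roles:
        return "deny-all"    # empty auth-constraint: nobody may access (403)
    return "roles:" + ",".join(sorted(roles))


def audit(web_xml):
    """Map every constrained url-pattern to its effective access rule."""
    result = {}
    for sc in ET.fromstring(web_xml).iter():
        if local(sc.tag) != "security-constraint":
            continue
        rule = classify(sc)
        for el in sc.iter():
            if local(el.tag) == "url-pattern":
                result[el.text.strip()] = rule
    return result
```
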


 
