Sorry if this is a repost; I'm having trouble with mail.
Hi,
I'm observing some unexpected behaviour in Tomcat (3.2.1) in conjunction with
roles. This is the situation (web.xml is at the bottom):
two roles:
Customer
Gold Customer
a user:
Joe Bloggs
Joe is a "Customer" but not a "Gold Customer"
This is what I observe:
1) new browser (not logged in) browse to /control/CustomerSecurePage
2) browser is redirected to /login.jsp
3) Joe logs in and is redirected to /control/CustomerSecurePage
4) browse to /control/GoldSecurePage
5) browser redirected to /control/loginerror
6) Joe is now logged out; any subsequent attempt to browse to a page secured by
the "customer" role results in a redirection to the login page.
Is this correct behaviour? I would have expected an attempt to access the
gold URL to have denied access, but not to have logged the user out!
Any thoughts? Thanks in advance,
Nathan
this is the relevant section of web.xml:
****************************************************************
  <!-- /control/GoldSecurePage: GET and POST restricted to the "gold" role -->
  <security-constraint>
    <web-resource-collection>
      <web-resource-name>MySecureBit0</web-resource-name>
      <description>no description</description>
      <url-pattern>/control/GoldSecurePage</url-pattern>
      <http-method>GET</http-method>
      <http-method>POST</http-method>
    </web-resource-collection>
    <auth-constraint>
      <description>no description</description>
      <role-name>gold</role-name>
    </auth-constraint>
  </security-constraint>

  <!-- /control/CustomerSecurePage: GET and POST restricted to the "customer" role -->
  <security-constraint>
    <web-resource-collection>
      <web-resource-name>MySecureBit1</web-resource-name>
      <description>no description</description>
      <url-pattern>/control/CustomerSecurePage</url-pattern>
      <http-method>GET</http-method>
      <http-method>POST</http-method>
    </web-resource-collection>
    <auth-constraint>
      <description>no description</description>
      <role-name>customer</role-name>
    </auth-constraint>
  </security-constraint>

  <!-- FORM authentication: login page and the page shown on a failed login -->
  <login-config>
    <auth-method>FORM</auth-method>
    <realm-name>TheGiftStore</realm-name>
    <form-login-config>
      <form-login-page>/login.jsp</form-login-page>
      <form-error-page>/control/loginerror</form-error-page>
    </form-login-config>
  </login-config>

  <security-role>
    <description>the customer role</description>
    <role-name>customer</role-name>
  </security-role>
  <security-role>
    <description>the gold customer role</description>
    <role-name>gold</role-name>
  </security-role>
****************************************************************
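As an added illustration (not Tomcat's code and not part of the original post), the following Python model replays the steps in the post against the two constraints quoted from web.xml. It applies the url-pattern, http-method and auth-constraint matching rules of the Servlet specification: a request for a constrained URL with no principal triggers the FORM login, and an authenticated user who lacks the required role is refused with a 403, with the existing login left intact. The user "joe", his role set and the paths and verbs tested are constructed for the example.

```python
"""Added example (not Tomcat's code and not from the original post): a
small model of how a Servlet container evaluates <security-constraint>
rules, applied to the two constraints quoted in the web.xml above.

It follows the matching rules of the Servlet specification: exact
url-patterns, prefix patterns such as "/control/*", extension patterns
such as "*.jsp", the default pattern "/", optional <http-method> lists
and <auth-constraint> roles.  The user "joe", his role set and the paths
tested are constructed for the example.
"""
from dataclasses import dataclass
from typing import List, Optional, Set


@dataclass
class Constraint:
    name: str
    url_patterns: List[str]
    http_methods: List[str]            # empty: constraint covers every method
    roles: Optional[List[str]]         # None: no <auth-constraint>; []: deny everyone


def pattern_matches(pattern: str, path: str) -> bool:
    """url-pattern matching as defined for <security-constraint>."""
    if pattern == path:
        return True
    if pattern.endswith("/*"):
        prefix = pattern[:-2]
        return path == prefix or path.startswith(prefix + "/")
    if pattern.startswith("*."):
        return path.endswith(pattern[1:])
    return pattern == "/"               # default pattern matches everything


def applicable(constraints: List[Constraint], path: str, method: str) -> List[Constraint]:
    """Constraints whose url-pattern and http-method cover this request."""
    return [
        c for c in constraints
        if any(pattern_matches(p, path) for p in c.url_patterns)
        and (not c.http_methods or method in c.http_methods)
    ]


def decide(constraints: List[Constraint], path: str, method: str,
           principal: Optional[str], user_roles: Set[str]) -> str:
    """Outcome of the container's check: 'allow', 'login' or 'forbidden'.

    'login'     - an auth-constraint applies and nobody is logged in, so a
                  FORM login is triggered (redirect to <form-login-page>).
    'forbidden' - the caller is authenticated but holds none of the
                  required roles; the spec answer is a 403, and the
                  existing session and login are left untouched.
    """
    hits = applicable(constraints, path, method)
    # A matching constraint with no <auth-constraint> opens the resource
    # to everyone, whatever other matching constraints say.
    if not hits or any(c.roles is None for c in hits):
        return "allow"
    if principal is None:
        return "login"
    # An empty <auth-constraint/> overrides any roles granted elsewhere.
    if any(c.roles == [] for c in hits):
        return "forbidden"
    required: Set[str] = set()
    for c in hits:
        if "*" in c.roles:               # "*": any authenticated user
            return "allow"
        required.update(c.roles)
    return "allow" if required & user_roles else "forbidden"


# The two constraints from the quoted web.xml.
WEB_XML = [
    Constraint("MySecureBit0", ["/control/GoldSecurePage"], ["GET", "POST"], ["gold"]),
    Constraint("MySecureBit1", ["/control/CustomerSecurePage"], ["GET", "POST"], ["customer"]),
]


def walk_through() -> dict:
    """Replays the steps from the post for a user who only holds 'customer'."""
    joe = {"customer"}                   # constructed test user
    return {
        "anon_customer_page": decide(WEB_XML, "/control/CustomerSecurePage", "GET", None, set()),
        "joe_customer_page": decide(WEB_XML, "/control/CustomerSecurePage", "GET", "joe", joe),
        "joe_gold_page": decide(WEB_XML, "/control/GoldSecurePage", "GET", "joe", joe),
        # Only GET and POST are listed, so any other verb is not constrained
        # at all: a well-known pitfall of enumerating <http-method>.
        "anon_gold_page_head": decide(WEB_XML, "/control/GoldSecurePage", "HEAD", None, set()),
    }


if __name__ == "__main__":
    for step, outcome in walk_through().items():
        print(f"{step}: {outcome}")
```

The last case is the check worth running against any web.xml of this shape: listing `<http-method>GET</http-method>` and `POST` constrains only those two verbs, so a HEAD (or any other method the servlet happens to answer) reaches the page without authentication. Omitting `<http-method>` entirely makes the constraint cover every method.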