I have found what I think is a bug in form-based login. A user who is in the
user database attempts a valid login, but the role of the user does not
match one of the roles of the protected area. This has been mentioned a
couple of times before in e-mails on this list, but has never been filed as
a bug as far as I can see.
To reproduce:
1. Install Tomcat 4.0.3 right from the box.
2. Add the user `<user name="fred" password="flint" roles="standard,manager"/>`
to the tomcat-users.xml file in conf.
3. Start tomcat, and access the examples/jsp/security/protected example.
4. Try to log in as tomcat/tomcat. Works fine.
5. Log out and log in as fred/flint and you DON'T get the error page;
instead you get message 403.
6. All subsequent attempts to log in, even with valid tomcat/tomcat ids,
get message 404 about j_security_check.
Now I am somewhat of an amateur on Tomcat, so I am willing to believe it is
a configuration problem, but the only thing I changed was the addition of
the user "fred".
Anyone else have this problem? I could find only one other bug along these
lines, but it didn't seem related.
Others with a similar problem:

From: "Christopher Pennock"
Subject: FORM login with wrong role gets 404, not error page - bug?
Date: Tue, 5 Feb 2002 12:21:49 -0500

From: Victoria Einarsson
Subject: wrong user role => Error 403 instead of redirecting to Form-Error-Page
Date: Thu, 10 Jan 2002 11:34:00 +0100
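The two files involved in the report, as an added illustration that is not part of the original message. The container applies two separate checks: the credentials are verified against the realm first, and only a failed credential check routes to form-error-page; a user whose credentials are correct but who holds none of the roles in the auth-constraint has been authenticated yet is not authorized, and that is the case the Servlet specification answers with 403. The constrained role name "tomcat" and the page paths below are assumptions chosen to make the mismatch visible, not the settings of the shipped example.

```xml
<!-- conf/tomcat-users.xml (constructed example, Tomcat 4 syntax).
     fred's password is valid, but neither of his roles is named in the
     auth-constraint below. -->
<tomcat-users>
  <user name="tomcat" password="tomcat" roles="tomcat"/>
  <user name="fred"   password="flint"  roles="standard,manager"/>
</tomcat-users>

<!-- WEB-INF/web.xml of the protected webapp (constructed example) -->
<web-app>
  <security-constraint>
    <web-resource-collection>
      <web-resource-name>Protected Area</web-resource-name>
      <url-pattern>/protected/*</url-pattern>
    </web-resource-collection>
    <auth-constraint>
      <!-- Authorization check: only this role may enter. fred authenticates
           but is not in it, so the container answers 403, not the error page. -->
      <role-name>tomcat</role-name>
    </auth-constraint>
  </security-constraint>

  <login-config>
    <auth-method>FORM</auth-method>
    <realm-name>Example Form-Based Authentication Area</realm-name>
    <form-login-config>
      <form-login-page>/protected/login.jsp</form-login-page>
      <!-- Reached only when the credentials themselves are rejected -->
      <form-error-page>/protected/error.jsp</form-error-page>
    </form-login-config>
  </login-config>

  <security-role>
    <role-name>tomcat</role-name>
  </security-role>
</web-app>
```

With this pair, a wrong password for either account lands on error.jsp, while fred/flint is accepted by the realm and then stopped by the auth-constraint with a 403. Either adding "tomcat" to fred's roles in tomcat-users.xml or listing one of fred's roles in the auth-constraint removes the 403; which of the two is right depends on whether fred should actually be allowed into the area. The 404 on j_security_check that the report describes on later attempts is not explained by this configuration.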