I am using form-based authentication under Tomcat 3.2.3.

I have 3 security-constraint sections in web.xml for 3 different user roles.
If an already authenticated user selects a page to which he is not
authorized, he is redirected to the form-error-page (I thought this should
be a 403-Forbidden error instead), and his authentication is invalidated.
(A getRemoteUser() call returning null at this point verifies this).

The implication of this is that he can no longer select any pages that he
IS authorized for, and must re-login. Is this a known bug with Tomcat 3.2.3,
expected behavior, or is there a configuration setting I am missing?

Thanks in advance,
Scott
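
An added example, not part of the original post and not Tomcat code: a small Python model of the setup described above (FORM login plus three role constraints) that returns the outcome the poster expected, where an authenticated user lacking the role gets a 403 and keeps the session. The role names, URL patterns and page paths are constructed, and overlapping constraints are simplified.

```python
import xml.etree.ElementTree as ET

# Constructed web.xml: role names, URL patterns and page paths are hypothetical.
CONSTRAINT = ("<security-constraint><web-resource-collection>"
              "<web-resource-name>{0}</web-resource-name>"
              "<url-pattern>/{0}/*</url-pattern></web-resource-collection>"
              "<auth-constraint><role-name>{0}</role-name></auth-constraint>"
              "</security-constraint>")
WEB_XML = ("<web-app>"
           + "".join(CONSTRAINT.format(r) for r in ("admin", "staff", "customer"))
           + "<login-config><auth-method>FORM</auth-method><form-login-config>"
             "<form-login-page>/login.jsp</form-login-page>"
             "<form-error-page>/login-error.jsp</form-error-page>"
             "</form-login-config></login-config></web-app>")


def load_constraints(xml_text):
    """Return [(url_pattern, set_of_roles)] for each security-constraint."""
    rules = []
    for sc in ET.fromstring(xml_text).iter("security-constraint"):
        roles = {r.text.strip() for r in sc.iter("role-name")}
        rules += [(p.text.strip(), roles) for p in sc.iter("url-pattern")]
    return rules


def matches(pattern, path):
    """Servlet url-pattern forms: '/prefix/*', '*.ext', or an exact path."""
    if pattern.endswith("/*"):
        return path == pattern[:-2] or path.startswith(pattern[:-1])
    if pattern.startswith("*."):
        return path.endswith(pattern[1:])
    return pattern == path


def expected_outcome(rules, path, user_roles):
    """user_roles is None for an anonymous request, else the roles held.
    Simplification: a path under several constraints is allowed if any matches."""
    required = [roles for pat, roles in rules if matches(pat, path)]
    if not required:
        return "allow"                  # unprotected resource
    if user_roles is None:
        return "login"                  # container shows form-login-page
    if any(user_roles & roles for roles in required):
        return "allow"
    return "403-keep-session"           # authenticated, wrong role: stay logged in
```

Comparing these expected outcomes with what the container actually returns for each role and path makes the behavior in the post easy to reproduce as a regression check.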

