On Fri, 16 Aug 2002, Scott Dayberry wrote:
> Date: Fri, 16 Aug 2002 09:31:38 -0600
> From: Scott Dayberry <[EMAIL PROTECTED]>
> Reply-To: Tomcat Users List <[EMAIL PROTECTED]>
> To: [EMAIL PROTECTED]
> Subject: getRemoteUser() reset to null after authenticated user hits an
> unauthorized page
>
> I am using form-based authentication under Tomcat 3.2.3.
>
> I have 3 security-constraint sections in web.xml for 3 different user roles.
> If an already authenticated user selects a page to which he is not
> authorized, he is redirected to the form-error-page (I thought this should
> be a 403-Forbidden error instead), and his authentication is invalidated.
> (A getRemoteUser() call returning null at this point verifies this).
>
> The implication of this is that he can no longer select any pages that he
> IS authorized for, and must re-login. Is this a known bug with Tomcat 3.2.3,
> expected behavior, or is there a configuration setting I am missing?
>
Sounds like a bug in 3.2.3 (which is pretty ancient, by the way). I think
3.2.3 also failed to return getRemoteUser() correctly when you
successfully log on, and then navigate to a URL not protected by a
security constraint. Tomcat 4.0 and 4.1 handle that situation correctly.
> Thanks in advance,
> Scott
>
Craig
>
> --
> To unsubscribe, e-mail: <mailto:[EMAIL PROTECTED]>
> For additional commands, e-mail: <mailto:[EMAIL PROTECTED]>