Authentication and authorization are two different things. If you try to access a protected resource and you are not authenticated, the server will ask for your username/password. After authenticating you, the server will check if your user is authorized to access the requested resource. If you are not authorized, it will throw a 403 exception, but you will still be authenticated.
If, after having a 403, you can't access what you are supposed to have access to, then we have an issue. :) Is that it?

So, what should I do if I want to get to a protected resource when I'm authenticated only as user and I want to get authorized as admin? Do I have to log out and log in again?

--
View this message in context: http://openejb.979440.n4.nabble.com/Bug-in-security-TomEE-tp4665009p4665013.html
Sent from the OpenEJB User mailing list archive at Nabble.com.
