I'm trying to set up form-based authentication in a JSF Application on
Tomcat 5.5.4. I've got a login page, a welcome page and an error page. On
entering the right username and password I get redirected to welcome.jsp.
On entering the wrong credentials IE displays my custom error.html with a
link back to login.html where I can try with the right password again. So
far so good.

Firefox 2.0, however, displays "HTTP Status 403 - Access to the requested
resource has been denied" if the wrong credentials are entered. I can't get
back to the login page anymore, even with the back button in the browser.
Logging in with the correct credentials works as expected.

I understand that Tomcat forwards control to the error page configured in
web.xml if authentication fails. I can't see any browser dependency here.
Or does it do a redirect, i.e. go back to the browser first?

When setting up the application I followed Sun's Java 5 EE Tutorial
(Chapter 30: Securing Web Applications) leaving out the mapping of roles to
user groups as I haven't got any server groups.

The settings in the Tomcat admin application, which works fine, seem to be
equivalent to mine although hard to compare as it is Struts and mine is JSF.

I've got an index.jsp file which takes me into the faces context. Could
that cause problems?

Help is appreciated very much.
Marcel


<?xml version="1.0" encoding="UTF-8"?>
<web-app id="WebApp_ID" version="2.4"
xmlns="http://java.sun.com/xml/ns/j2ee"
xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
xsi:schemaLocation="http://java.sun.com/xml/ns/j2ee
http://java.sun.com/xml/ns/j2ee/web-app_2_4.xsd">
<display-name>sec24</display-name>
<servlet>
<servlet-name>Faces Servlet</servlet-name>
<servlet-class>javax.faces.webapp.FacesServlet</servlet-class>
<load-on-startup>1</load-on-startup>
<security-role-ref>
<role-name>loginUser</role-name>
<role-link>loginUser</role-link>
</security-role-ref>
</servlet>
<servlet-mapping>
<servlet-name>Faces Servlet</servlet-name>
<url-pattern>*.faces</url-pattern>
</servlet-mapping>
<welcome-file-list>
<welcome-file>index.jsp</welcome-file>
</welcome-file-list>
<security-constraint>
<display-name>SecurityConstraint</display-name>
<web-resource-collection>
<web-resource-name>WRCollection</web-resource-name>
<url-pattern>/*</url-pattern>
</web-resource-collection>
<auth-constraint>
<role-name>loginUser</role-name>
</auth-constraint>
</security-constraint>

<login-config>
<auth-method>FORM</auth-method>
<realm-name>security</realm-name>
<form-login-config>
<form-login-page>/login.html</form-login-page>
<form-error-page>/error.html</form-error-page>
</form-login-config>
</login-config>
<security-role>
<role-name>loginUser</role-name>
</security-role>
</web-app>




--
dipl. geogr. Marcel Frehner
Wissenschaftlicher Mitarbeiter
Eidgenössische Forschungsanstalt für Wald, Schnee und Landschaft WSL
Abteilung Landschaftsinventuren
Zürcherstrasse 111
8903 Birmensdorf

Tel. +41-44-739 26 83
marcel.frehner@(protected)
http://www.wsl.ch

----------------------------


---------------------------------------------------------------------
To start a new topic, e-mail: users@(protected)
To unsubscribe, e-mail: users-unsubscribe@(protected)
For additional commands, e-mail: users-help@(protected)