Bug 8607 - Valid User, invalid role, results in msg 403, then incorrect operation
Status: RESOLVED INVALID
Alias: None
Product: Tomcat 4
Classification: Unclassified
Component: Catalina
Version: 4.0.3 Final
Hardware: PC All
Importance: P3 normal with 1 vote
Target Milestone: ---
Assignee: Tomcat Developers Mailing List
Reported: 2002-04-28 19:08 UTC by David Farb
Modified: 2005-03-20 17:06 UTC
Description David Farb 2002-04-28 19:08:12 UTC
If a valid user with an invalid role attempts to access a protected area, the 
error page is NOT produced; instead msg 403 is returned to the user. Subsequent 
attempts to login with a VALID user id return:

Apache Tomcat/4.0.3 - HTTP Status 404 - /jsp/security/protected/j_security_check
--------------------------------------------------------------------------------
type Status report
message /jsp/security/protected/j_security_check
description The requested resource (/jsp/security/protected/j_security_check) 
is not available.

Note that attempts to access with a user id which is NOT in the tomcat-users 
file work as expected: the error page is produced.

Reproduction scenario:

1. Install Tomcat 4.0.3 right out of the box.
2. Add a single user:  <user name="fred"   password="flint"  
roles="standard,manager" /> to tomcat-users.xml
3. Attempt to access the examples/jsp/security/protected with valid user tomcat.
  This will work.
4. Attempt to access the examples/jsp/security/protected with user fred/flint, 
get message 403:

Apache Tomcat/4.0.3 - HTTP Status 403 - Access to the requested resource has 
been denied
--------------------------------------------------------------------------------
type Status report
message Access to the requested resource has been denied
description Access to the specified resource (Access to the requested resource 
has been denied) has been forbidden.

5. Attempt access again using tomcat/tomcat, get message 404 as above. Further 
attempts at access fail as well. 


See also Tomcat user list emails:

From: "Christopher Pennock"
Subject:  FORM login with wrong role gets 404, not error page - bug?
Date:  Tue, 5 Feb 2002 12:21:49 -0500

From: Victoria Einarsson
Subject:  wrong user role => Error 403 instead of redirecting to
    Form-Error-Page
Date:  Thu, 10 Jan 2002 11:34:00 +0100
Comment 1 Mark Thomas 2003-12-20 22:35:14 UTC
This behaviour is as per the spec.

The 403 is the correct response to a valid user that is not authorised to 
access the requested resource. Once a valid user has logged in, they stay 
logged in until the session ends (timeout or the browser is closed).

Trying to access the login page directly is not an accepted way of trying to 
change the current user (or even to log in in the first place) and therefore 
results in the 404.
Comment 2 Teissere 2004-09-17 16:05:21 UTC
Why can't we use the directive <error-code>403 in order to redirect the error 
to our own error page?
Comment 3 Mark Thomas 2004-09-18 20:47:58 UTC
Please ask questions like this on the tomcat-user mailing list rather than 
hijacking bug reports.
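The report and Comment 2 mix two different failures: a rejected login (handled by form-error-page) and an authenticated user without the required role (a 403 from the authorization check). The web.xml fragment below is an added example, not code from the bug or from Tomcat's examples webapp; it assumes the protected area is guarded by role "tomcat", that login.jsp and error.jsp are the existing form pages, and that /jsp/security/protected/403.jsp is a page you add yourself. Element order follows the Servlet 2.3 web-app DTD.

```xml
<web-app>

  <!-- Authorization failure: the container answers sendError(403) for a
       user who authenticated but lacks the required role (fred, with
       roles="standard,manager" in tomcat-users.xml, per the report).
       Map that status to your own page instead of the default report.
       403.jsp is an assumed page name. -->
  <error-page>
    <error-code>403</error-code>
    <location>/jsp/security/protected/403.jsp</location>
  </error-page>

  <!-- Only role "tomcat" (assumed) may reach the protected area. -->
  <security-constraint>
    <web-resource-collection>
      <web-resource-name>Protected Area</web-resource-name>
      <url-pattern>/jsp/security/protected/*</url-pattern>
    </web-resource-collection>
    <auth-constraint>
      <role-name>tomcat</role-name>
    </auth-constraint>
  </security-constraint>

  <!-- Authentication: form-error-page is used only when the credentials
       are rejected (user not in tomcat-users.xml or wrong password).
       It is never used for the wrong-role case above. login.jsp and
       error.jsp are assumed page names. -->
  <login-config>
    <auth-method>FORM</auth-method>
    <realm-name>Protected Area</realm-name>
    <form-login-config>
      <form-login-page>/jsp/security/protected/login.jsp</form-login-page>
      <form-error-page>/jsp/security/protected/error.jsp</form-error-page>
    </form-login-config>
  </login-config>

  <security-role>
    <role-name>tomcat</role-name>
  </security-role>

</web-app>
```

As Comment 1 notes, fred stays logged in until the session ends, so the 403 page is what fred keeps seeing for that resource until the session is invalidated or times out; posting to j_security_check again does not switch users.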