My app is a Java EE 6 application, running on Glassfish 3.0.1.

I'm using Java EE Security with a JDBC Realm, so I added restrictions to some of my web pages. I added the following login-config and security-constraint to my web.xml:

<!-- Redirect access of restricted pages to index.jsp -->
<login-config>
  <auth-method>FORM</auth-method>
  <realm-name>jdbc</realm-name>
  <form-login-config>
    <form-login-page>/index.jsp?login=login</form-login-page>
    <form-error-page>/index.jsp?login=error</form-error-page>
  </form-login-config>
</login-config>

<!-- Restrict access for deanery related resources -->
<security-constraint>
  <display-name>Deanery Constraint</display-name>
  <web-resource-collection>
    <web-resource-name>Deanery Content</web-resource-name>
    <description />
    <url-pattern>/deanery/*</url-pattern>
  </web-resource-collection>
  <auth-constraint>
    <description />
    <role-name>DEANERY</role-name>
  </auth-constraint>
</security-constraint>

This works fine if a user is logged out. If he tries to access a page in /deanery/, he is redirected to the index.jsp (which redirects to JSF).

When a user logs in, getting the right role, he can successfully access the restricted resources. So everything is fine until here.

Now the problem: When a user with lesser rights (in my example a student) logs into the application and tries to access a restricted page, he is NOT redirected to the error page that's configured in my web.xml. Instead, he is shown an ugly Glassfish 403 page:

HTTP Status 403 - Access to the requested resource has been denied

Unfortunately, there seems to be no option to catch the exception in my CustomExceptionHandler. It isn't even shown in my server.log (although I switched to the finest level).

What can I do so that the user is redirected to my error page instead of being shown the 403 page? Why isn't the user redirected to index.jsp, as he is when he is logged out?

EDIT:

Just tried to add an error-page with the corresponding code to my web.xml.

<error-page>
  <error-code>403</error-code>
  <location>/index.jsp?login=login</location>
</error-page> 

No effect, still the Glassfish error-page instead of my own.

A: 

I am just a newbie in Java EE, but I think the problem is that the container only redirects the user after a 401 HTTP error, when he is not authenticated. A 403 error means that it knows the username/password but it is not suitable for that resource.

So I would try to write a filter for this 403 error and redirect manually. Or you should hide the link to this page from students, if this is possible.

Zoltan Balazs
I'm already hiding the links to restricted resources. But if someone types the address into the browser, I want him to be shown the correct message.
ifischer
A: 

Try redirecting 403 errors to a different page than index.jsp that will display the error message.

Gladwin Burboz
That's no solution for me. When I do a generic redirect for all 403 errors, I cannot log useful information (which restricted resource was accessed? which user? etc.) and show some of it to the user.
ifischer
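The filter approach from the first answer, combined with the per-user, per-resource logging asked for in the last comment, worked out as an added example. This is not code from the original question or from either answer. It assumes one change to the posted web.xml: the `<auth-constraint>` for /deanery/* is relaxed from DEANERY to a role that every logged-in user (students included) holds. The container enforces declarative security constraints before the filter chain is invoked, so with `<role-name>DEANERY</role-name>` left in place a student would still get the container's 403 page and the filter would never run. The package name and the `/accessDenied.jsp` view are hypothetical; point the constant at `index.jsp?login=error` if that page can render the request attributes.

```java
package example.web.security; // hypothetical package name

import java.io.IOException;
import java.security.Principal;
import java.util.logging.Logger;

import javax.servlet.Filter;
import javax.servlet.FilterChain;
import javax.servlet.FilterConfig;
import javax.servlet.ServletException;
import javax.servlet.ServletRequest;
import javax.servlet.ServletResponse;
import javax.servlet.annotation.WebFilter;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;

/**
 * Role check for /deanery/* done in application code so that a denial can be
 * logged with context and rendered by the application's own view instead of
 * the container's 403 page.
 *
 * Assumption (not from the original post): the web.xml <auth-constraint> for
 * /deanery/* is relaxed to a role that every authenticated user holds. The
 * container checks declarative constraints before the filter chain runs, so
 * with DEANERY still required there this filter would never see a student.
 */
@WebFilter(urlPatterns = "/deanery/*")
public class DeaneryAccessFilter implements Filter {

    private static final Logger LOG = Logger.getLogger(DeaneryAccessFilter.class.getName());

    /** Role required for /deanery/*, the same name used in the web.xml constraint. */
    private static final String REQUIRED_ROLE = "DEANERY";

    /** Hypothetical application view that renders the access-denied message. */
    private static final String DENIED_VIEW = "/accessDenied.jsp";

    @Override
    public void init(FilterConfig filterConfig) {
        // nothing to configure
    }

    @Override
    public void doFilter(ServletRequest req, ServletResponse res, FilterChain chain)
            throws IOException, ServletException {
        HttpServletRequest request = (HttpServletRequest) req;
        HttpServletResponse response = (HttpServletResponse) res;

        Principal user = request.getUserPrincipal();
        if (user == null) {
            // The relaxed constraint should already have forced a login; be
            // defensive anyway and trigger the configured FORM login
            // (HttpServletRequest.authenticate is Servlet 3.0 API, i.e. Java EE 6).
            if (!request.authenticate(response)) {
                return; // the container has sent the login page or a redirect
            }
            user = request.getUserPrincipal();
            if (user == null) {
                response.sendError(HttpServletResponse.SC_FORBIDDEN);
                return;
            }
        }

        if (request.isUserInRole(REQUIRED_ROLE)) {
            chain.doFilter(request, response);
            return;
        }

        // Authenticated but lacking the role: record who, what and from where.
        // java.util.logging output lands in Glassfish's server.log.
        String resource = request.getRequestURI();
        if (request.getQueryString() != null) {
            resource += "?" + request.getQueryString();
        }
        LOG.warning(String.format("access denied: user=%s requiredRole=%s resource=%s remoteAddr=%s",
                user.getName(), REQUIRED_ROLE, resource, request.getRemoteAddr()));

        // Hand the details to the view and keep a 403 status on the response.
        // A forward (not sendRedirect) is used so the request attributes survive.
        request.setAttribute("denied.user", user.getName());
        request.setAttribute("denied.resource", resource);
        request.setAttribute("denied.requiredRole", REQUIRED_ROLE);
        response.setStatus(HttpServletResponse.SC_FORBIDDEN);
        request.getRequestDispatcher(DENIED_VIEW).forward(request, response);
    }

    @Override
    public void destroy() {
        // nothing to release
    }
}
```

The denied view can read the details with `${requestScope['denied.user']}` and `${requestScope['denied.resource']}`. Forwarding rather than redirecting is deliberate: the 302 that index.jsp issues towards JSF would drop these request attributes, so if the message must be shown after a redirect, the same values have to be stored in the session instead.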