java ee - JavaEE Security,Access restricted pages: Logged out user is redirected correctly. Logged in user is not -
My app is a Java EE6 application that is running on Glassfish 3.0.1.
I used JavaEE security with the JDBC region, so I added restrictions on some of my web pages. I've added the following login-configuration and security barrier in my web.xml:
& lt ;! Index.jsp of restricted pages - & gt; & Lt; Login to- config & gt; & Lt; Auth-Method & gt; Form & lt; / Auth-method & gt; & Lt; Radius name & gt; JDBC & lt; / Circle-name & gt; & Lt; Form login-config & gt; & Lt; Form login page & gt ;? /index.jsp login = login & lt; / Farm Login Page & gt; & Lt; Form error page & gt; /index.jsp login = error & lt ;? / Form error page & gt; & Lt; / Form login-config & gt; & Lt; / Login-config & gt; & Lt ;! - Restrict access to dairy related resources - & gt; & Lt; Security-lock & gt; & Lt; Display-name & gt; Deanie Obligation & lt; / Display-name & gt; & Lt; Web resource collection & gt; & Lt; Web-Resource-Name & gt; Dairy content & lt; / Web-resource-name & gt; & Lt; Details / & gt; & Lt; URL pattern & gt; / Dean's post / * & lt; / URL pattern & gt; & Lt; / Web resource collection & gt; & Lt; Auth-obstructing & gt; & Lt; Details / & gt; & Lt; Role Name & gt; Dean's post & lt; / Role Name & gt; & Lt; / Auth-Barrier & gt; & Lt; / Safety-barrier & gt;
This works fine when the user is logged out. If he tries to enter a page / diner, he takes it to index.jsp (which redirects to JSF).
When a user logs in, after obtaining the correct role, he successfully restricts the resource now everything is fine.
Issue Now: When a user with low rights (a student in my example) logs in the application, and tries to reach the restricted page, then it does not redirect it to my web.xml The configured error page, instead, shows an ugly glassfish 403 page:
< P> Unfortunately, no options seem to be This is not shown in my server.log to catch my exception (though I'm switching to the best level).HTTP status 403 - Access to the requested resource has been denied
Can I redirect the user to my error page instead of displaying a 403 page? Why is the user not redirected to index.jsp, when he is logged out, then that happens ???
Edit:
Just tried to add an error page with the code in my web.xml
& lt; Error page & gt; & Lt; Error code & gt; 403 & lt; / Error code & gt; & Lt; Location & gt; /index.jsp login = login & lt; / Location & gt; & Lt; / Error page & gt;
No matter, still the Glassfish error page instead of my own.
I'm just a newbie in Java but I think the problem is that the container user will get 401 HTTP Redirects after an error, when it is not authorized. A 403 error means that it knows the username / pwd but it is not suitable for that resource.
So I try to write a filter for this 403 error and manually redirect. Or if this is possible, then you should hide the links to this page to the students.
Comments
Post a Comment