0
votes

My app is a Java EE 6 application, running on Glassfish 3.0.1.

I'm using Java EE Security, with a JDBC Realm. So i added restrictions to some of my web pages. I added the following login-config and security-constraint to my web.xml:

<!-- Redirect access of restricted pages to index.jsp -->
<login-config>
  <auth-method>FORM</auth-method>
  <realm-name>jdbc</realm-name>
  <form-login-config>
    <form-login-page>/index.jsp?login=login</form-login-page>
    <form-error-page>/index.jsp?login=error</form-error-page>
  </form-login-config>
</login-config>

<!-- Restrict access for deanery related resources -->
<security-constraint>
  <display-name>Deanery Constraint</display-name>
  <web-resource-collection>
    <web-resource-name>Deanery Content</web-resource-name>
    <description />
    <url-pattern>/deanery/*</url-pattern>
  </web-resource-collection>
  <auth-constraint>
    <description />
    <role-name>DEANERY</role-name>
  </auth-constraint>
</security-constraint>

This works fine if a user is logged out. If he tries to access a page in /deanery/, he is redirected to the index.jsp (which redirects to jsf).

When a user logs in, getting the right role, he can successfully access the restricted resources. So everything is fine until here.

Now the problem: When a user with lesser rights (in my example a student) logs into the application, and tries to access a restricted page, he is NOT redirected to the error-page thats configured in my web.xml. Instead, he is shown an ugly Glassfish 403 page:

HTTP Status 403 - Access to the requested resource has been denied

Unfortunately, there seems no option to catch the exception in my CustomExceptionHandler. It even isn't shown in my server.log (although i switched to the finest level).

What can i do so the user is redirected to my error page, instead of displaying the 403 page? Why isn't the user redirected to the index.jsp, as he is when he is logged out???

EDIT:

Just tried to add an error-page with the corresponding code to my web.xml.

<error-page>
  <error-code>403</error-code>
  <location>/index.jsp?login=login</location>
</error-page> 

No effect, still the Glassfish error-page instead of my own.

2

2 Answers

0
votes

I am just a newbie in javaEE but I think the problem is that the container redirects the users just after a 401 HTTP error, when he is not authorized. 403 Error means the it knows the username/pwd but it is not suitable for that resource.

So I would try to write a filter for this 403 error and redirect manually. Or you should hide the link to this page to students if this is possible.

0
votes

Try 403 error redirect to different page than index.jsp that will display error message.