URL Authorization Failures - Login Prompt Behavior
Given a web application W1 with two sets (directories) of URL resources. The first directory is protected with Role R1 mapped to Group Principal G1. The second directory is protected with Role R2 mapped to Principal G2. I hit a resource in the first directory and am prompted for login. I log in to a user account that has G1 but not G2, so I can get to the URL in the first directory. Then I try to hit a URL in the second directory. Authorization fails and I'm once again prompted for a logon.
A few questions related to this:
1. If I login with a different account, an entirely new subject is created but hooked to the existing HTTP session?
2. My original subject is gone, i.e. there is no stack of subjects and a way to revert to the previous subject?
3. Is there any way to change this behavior such that once I successfully log on to the web app, that's it? If my account does not give me the groups to hit certain URL resources in the app, I get a 403 Not Authorized instead of the re-prompt for login?
Thanks in advance for any information,
Re: URL Authorization Failures - Login Prompt Behavior
1. Yes, I believe that that's the case
2. There is a stack of subjects, but it's not being used in this case.
3. Don't use HTTP Basic or Digest authentication (modify your web.xml). Write a servlet Filter that sends unauthenticated users to the login page. Once logged in, that's it: no re-login in case of a security exception.
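The filter approach from the reply above, as an added example (not code from the original thread). It assumes the container-managed Basic/Digest constraints have been removed from web.xml and that the application's own login servlet stores a hypothetical AppUser object (with its group names) in the HTTP session under the attribute "user"; the URL prefixes, login page path and the R1→G1 / R2→G2 mapping are placeholders matching the question.

```java
import java.io.IOException;
import java.util.Collections;
import java.util.LinkedHashMap;
import java.util.Map;
import java.util.Set;
import javax.servlet.Filter;
import javax.servlet.FilterChain;
import javax.servlet.ServletException;
import javax.servlet.ServletRequest;
import javax.servlet.ServletResponse;
import javax.servlet.annotation.WebFilter;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;
import javax.servlet.http.HttpSession;

/** Hypothetical session object put there by the application's own login servlet. */
public class AppUser {
    private final String name;
    private final Set<String> groups;

    public AppUser(String name, Set<String> groups) {
        this.name = name;
        this.groups = Collections.unmodifiableSet(groups);
    }

    public String getName() { return name; }
    public boolean inGroup(String group) { return groups.contains(group); }
}

/**
 * Application-level authorization: one login for the whole app, then
 * either the resource or a 403. The container never re-prompts because
 * web.xml no longer declares Basic/Digest security constraints.
 */
@WebFilter("/*")
public class RoleGateFilter implements Filter {
    // Assumed paths; the login page must stay reachable or unauthenticated users loop forever.
    private static final String LOGIN_PAGE = "/login";
    private static final String SESSION_USER = "user";

    // URL prefix -> required role (placeholders from the question). Longest prefix wins.
    private static final Map<String, String> ROLE_FOR_PREFIX = new LinkedHashMap<>();
    // Role -> group principal that satisfies it (the R1/G1, R2/G2 mapping from the question).
    private static final Map<String, String> GROUP_FOR_ROLE = new LinkedHashMap<>();
    static {
        ROLE_FOR_PREFIX.put("/dir1/", "R1");
        ROLE_FOR_PREFIX.put("/dir2/", "R2");
        GROUP_FOR_ROLE.put("R1", "G1");
        GROUP_FOR_ROLE.put("R2", "G2");
    }

    /** Returns the role guarding this path, or null if the path is unprotected. */
    static String requiredRole(String path) {
        String best = null;
        int bestLen = -1;
        for (Map.Entry<String, String> e : ROLE_FOR_PREFIX.entrySet()) {
            if (path.startsWith(e.getKey()) && e.getKey().length() > bestLen) {
                best = e.getValue();
                bestLen = e.getKey().length();
            }
        }
        return best;
    }

    @Override
    public void doFilter(ServletRequest req, ServletResponse res, FilterChain chain)
            throws IOException, ServletException {
        HttpServletRequest request = (HttpServletRequest) req;
        HttpServletResponse response = (HttpServletResponse) res;
        String path = request.getRequestURI().substring(request.getContextPath().length());

        // Always let the login page through, otherwise the redirect below never terminates.
        if (path.equals(LOGIN_PAGE)) {
            chain.doFilter(req, res);
            return;
        }

        String role = requiredRole(path);
        if (role == null) {
            chain.doFilter(req, res); // unprotected resource
            return;
        }

        HttpSession session = request.getSession(false);
        AppUser user = session == null ? null : (AppUser) session.getAttribute(SESSION_USER);
        if (user == null) {
            // Not logged in: the one and only time the user is sent to the login page.
            response.sendRedirect(request.getContextPath() + LOGIN_PAGE);
            return;
        }

        // Logged in but the account lacks the group behind this role: refuse, do not re-prompt.
        if (!user.inGroup(GROUP_FOR_ROLE.get(role))) {
            response.sendError(HttpServletResponse.SC_FORBIDDEN);
            return;
        }

        chain.doFilter(req, res);
    }
}
```

The login servlet (not shown) authenticates against the user store and calls `request.getSession(true).setAttribute("user", new AppUser(...))`; the filter is then the single place that decides between pass-through, redirect-to-login and 403. Note that the path check uses the request URI as the client sent it, so the prefixes should be matched against a normalized path (no `..` segments or encoded slashes) if the container does not already normalize it.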