tomee-users mailing list archives

From Thiago Veronezi <>
Subject Re: Bug in security TomEE
Date Fri, 06 Sep 2013 18:38:38 GMT
Authentication and authorization are two different things.
If you try to access a protected resource and you are not authenticated,
the server will ask for your username/password. After you are
authenticated, the server will check if your user is authorized to access
the requested resource. If you are not authorized, it will throw a 403
exception, but you will still be authenticated.

If, after getting a 403, you can't access what you are supposed to have
access to, then we have an issue. :)
Is that it?


On Fri, Sep 6, 2013 at 2:21 PM, kuba44 <> wrote:

> Yes, I'm authenticated but not authorized.
> But the information about my 'not authorization' is remembered, so I can't try to
> log in again. I have to invalidate the session like when I log in with success,
> as if I were authorized.
> Do you understand?
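The "authenticated but not authorized" state discussed in this thread, handled in code. This is an added example, not part of either message and not TomEE's own code. It assumes container-managed FORM login on Servlet 3.0 or later; the servlet name and the `/switch-user` path are hypothetical.

```java
import java.io.IOException;
import javax.servlet.ServletException;
import javax.servlet.annotation.WebServlet;
import javax.servlet.http.HttpServlet;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;
import javax.servlet.http.HttpSession;

// Hypothetical endpoint, linked from the application's 403 error page.
// It must not sit behind a role constraint the rejected user lacks,
// otherwise the request for it would itself end in a 403.
@WebServlet("/switch-user")
public class SwitchUserServlet extends HttpServlet {

    @Override
    protected void doPost(HttpServletRequest req, HttpServletResponse resp)
            throws ServletException, IOException {
        // A 403 leaves the caller authenticated. Drop the container-managed
        // identity so getUserPrincipal() returns null from here on.
        req.logout();

        // Invalidate the session as well, so nothing tied to the old login
        // (cached principal, application attributes) survives the switch.
        HttpSession session = req.getSession(false);
        if (session != null) {
            session.invalidate();
        }

        // Send the browser back into the application (target is an assumption).
        // The next request for a protected resource is unauthenticated, so the
        // container shows the login form again instead of answering 403.
        resp.sendRedirect(req.getContextPath() + "/");
    }
}
```

With BASIC authentication the browser re-sends its cached credentials on the next request, so this only gives a clean re-login with FORM-based login.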
