I have following security constraint in my web.xml
<security-constraint>
<display-name>Admin Pages</display-name>
<web-resource-collection>
<web-resource-name>Protected Admin Area</web-resource-name>
<description/>
<url-pattern>/administrator/*</url-pattern>
<url-pattern>/faces/backend/*</url-pattern>
<http-method>GET</http-method>
<http-method>POST</http-method>
<http-method>HEAD</http-method>
<http-method>PUT</http-method>
<http-method>OPTIONS</http-method>
<http-method>TRACE</http-method>
<http-method>DELETE</http-method>
</web-resource-collection>
<auth-constraint>
<description/>
<role-name>administrator</role-name>
</auth-constraint>
<user-data-constraint>
<transport-guarantee>NONE</transport-guarantee>
</user-data-constraint>
</security-constraint>
It`s works fine. But i would like to redirect users (already logged user with some assign role but not role administrator). In this case. When user trying to access to url http://mywebap//administrator/* he get a response from server
403 Forbiden.
I would here not display this but redirect user to some more friendly view. It is possible?
Simply configure the desired page as a custom HTTP 403 error page in web.xml.
<error-page>
<error-code>403</error-code>
<location>/WEB-INF/errorpages/403.xhtml</location>
</error-page>
This assumes that you've covered *.xhtml as URL pattern of FacesServlet. And, it's being placed in /WEB-INF to prevent direct access.