Tags: apache, authentication, tomcat, basic-authentication

Apache Tomcat 6 presents access denied error instead of authentication challenge


I have two different security constraints in my web app deployed on Apache Tomcat 6, and Tomcat is handling different authentication scenarios for my website.

My problem: e.g. page1 is accessible only to user1 and page2 is accessible only to user2. This is working fine.

The problem is that if user1 is logged in and accesses page2 (which is not accessible to user1), an access denied error is presented to him instead of allowing him to log in as a different user. An authentication challenge should be presented if the logged-in user is


Solution

  • This behavior is mandated by the servlet specification. As suggested by @Rob, you should present your users with some options for dealing with the "unauthorized" condition: for example, logging out and trying to access the resource again (which will ask for new credentials).
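One way to implement the "log out and try again" option the answer suggests, as an added example that is not code from the question or the answer: a hypothetical logout servlet for Tomcat 6 (Servlet 2.5, which has no HttpServletRequest.logout()). The realm name "MyRealm" and the /logout mapping are assumptions; the realm must match the <realm-name> in the app's web.xml, and /logout itself must not be covered by a security constraint.

```java
import java.io.IOException;
import javax.servlet.ServletException;
import javax.servlet.http.HttpServlet;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;
import javax.servlet.http.HttpSession;

/**
 * Hypothetical /logout servlet for a Servlet 2.5 (Tomcat 6) app protected
 * with BASIC auth. "Logging out" here means two things: drop the container
 * session that holds the authenticated principal, and make the browser forget
 * the Basic credentials it caches per realm by answering with a fresh 401
 * challenge. Without the second step the browser keeps replaying user1's
 * credentials, and a request for page2 keeps ending in the container's 403.
 */
public class BasicAuthLogoutServlet extends HttpServlet {

    // Assumption: must match <realm-name> in <login-config> of web.xml.
    private static final String REALM = "MyRealm";

    @Override
    protected void doGet(HttpServletRequest req, HttpServletResponse resp)
            throws ServletException, IOException {
        // 1. Invalidate the server-side session so the cached principal is gone.
        HttpSession session = req.getSession(false);
        if (session != null) {
            session.invalidate();
        }

        // 2. Re-issue the challenge for the same realm. Browsers drop their
        //    stored Basic credentials for a realm when they receive a 401, so
        //    the next request to a protected page prompts for credentials
        //    again instead of silently replaying the previous user's.
        resp.setHeader("WWW-Authenticate", "Basic realm=\"" + REALM + "\"");
        resp.setHeader("Cache-Control", "no-store");
        resp.setStatus(HttpServletResponse.SC_UNAUTHORIZED);
        resp.setContentType("text/html");
        resp.getWriter().println(
            "<p>You have been logged out. <a href=\"page2\">Continue as another user</a></p>");
    }
}
```

Link the 403 error page (configured via <error-page> for code 403 in web.xml) to /logout so a user who hits the access denied condition has the option the answer describes.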