Form based Authentication Help needed.

I am using form based authentication to validate a user logging into the website.
In the web.xml I am using code similar to the following:
<!-- LOGIN AUTHENTICATION -->
<login-config>
<auth-method>FORM</auth-method>
<realm-name>default</realm-name>
<form-login-config>
<form-login-page>login.jsp</form-login-page>
<form-error-page>error.jsp</form-error-page>
</form-login-config>
</login-config>
When session times out, and user clicks on any link on the webpage, the user is sent to the main login page, with a new session. I need to display a message on this page stating that the session timed out due to inactivity. How can I go about doing this? Is it possible to send user to a different page with this message? Thanks in advance.

More details of this can be found in this link:
http://java.sun.com/webservices/docs/1.2/tutorial/doc/Security5.html

Similar Messages

  • Configuring tomcat for form based authentication-help badly needed

    hi , i want to have form based or some other way of authentication for the users comming to my site , i have access only to web.xml , but in tomcat documentations its giveni need to change server.xml and tomcat-user.xml , can i make these changes on web.xml to implement it or please tell me way out of this please , i tried even jguard but it needs changes in jvm which also not into my access

    Hi,
    I'm a little confused. You wanted to know how to configure Tomcat for form based authentication, and I sent you an article on how to do that. Is there something more you need from me? You had offered 10 duke dollars for this post, and if there is more I can do I will help for the remaining amount, but I can't help you getting access to the Tomcat *.xml file.

  • Form Based Authentication without login page

    Hi,
    i need to use form based authentication in a web page, but without a dedicated login page. So basicly every page will contain a login form in the upper right corner, so the user can login anytime in his browsing session directly from the page he's reading.
    I am aware of that the form based authentication config needs a login and a error page.
    I need some hints on how this could be implemented so that i dont need them directly. Im quite sure this is possible, if any of you has ideas please share them with me.
    dukes are waiting ...

    sorry - double posted : http://forum.java.sun.com/thread.jspa?threadID=584579&tstart=0

  • Help is needed on form-based authentication

    Hi,
    form-based authentication is set up to protect OID/SSO resource. Oracle Portal is registered with OID. A reverse proxy server is in DMZ as front-end to Portal. At the new login page, after typing username/password, hit Login button, get original OID/SSO login page, typing username/password can get to Portal landing page.
    The problem is that OID/SSO login page shows up after OID/SSO resource is protected by form-based authentication, it appears form-based authentication doesn't work properly with OID/SSO. At the new login page, if typing a wrong password, the page is flashed, and doesn't go to OID/SSO login page, so it seems user authentication with OAM can work.
    The form-based authentication works fine to pretect a non-OSSO page and if using Basic Over LDAP scheme to protect the OID/SSO resource, the login also works fine.
    Please help, thanks

    It looks like the header variable (XXX_REMOTE_USER or whatever you're using) is not getting passed, so that the SSO login page appears. Given that the Basic over LDAP scheme works (I'm assuming that you simply switch schemes in the OAM Policy Domain to verify this?) the only thing I can think of is that you are setting the header variable in the authentication actions only. If this is the case, please try adding the header variable also to the Authorisation Success actions in the Policy Domain that protects /sso/auth/ and see if that makes a difference.
    Regards,
    Colin

  • Help: Form Based Authentication Failed

              Can someone from bea help me with this? We're using servlet's j_security_check to authenticate the user and from time to time, this message
              "Form based authentication failed. One of the following reasons could cause it:
              HTTP sessions are disabled.
              An old session ID was stored in the browser"
              pops out. How can we prevent this from happening?
              thanks in advanced...
              Jerson
              

    Please see the recent thread in the Security section dealing with the same
              message. (Search on "Form based authentication failed".) There appears to
              be at least one bug in WL that causes this, although I wouldn't rule out a
              config issue.
              At any rate, the error message printed out to the console (and log) is
              stupid. Chances are your problem has nothing to do with either an old
              session ID or sessions being disabled, both of which WebLogic should be able
              to tell you for sure if they were indeed the problem.
              Peace,
              Cameron Purdy
              Tangosol, Inc.
              http://www.tangosol.com
              +1.617.623.5782
              WebLogic Consulting Available
              "Jerson Chua" <[email protected]> wrote in message
              news:3a30499c$[email protected]..
              >
              > Can someone from bea help me with this? We're using servlet's
              j_security_check to authenticate the user and from time to time, this
              message
              > "Form based authentication failed. One of the following reasons could
              cause it:
              > HTTP sessions are disabled.
              > An old session ID was stored in the browser"
              > pops out. How can we prevent this from happening?
              >
              > thanks in advanced...
              > Jerson
              >
              

  • Help : Form based authentication - Forbidden 403

    Hi,
    I have create a web app that requires form based authentication when
    accessing certain pages.
    Thus, I've created the entry in the web.xml accordiingly and tested on
    Tomcat to be working fine.
    When I redeployed the web app to weblogic, the normal access of pages
    works fine.
    But when I try to access the restricted pages, the browser show the
    error.
    "Error 403--Forbidden
    From RFC 2068 Hypertext Transfer Protocol -- HTTP/1.1:
    10.4.4 403 Forbidden
    The server understood the request, but is refusing to fulfill it.
    Authorization will not help and the request SHOULD NOT be repeated.
    I'm puzzled by the fact that it didn't even prompt me to the login
    page.
    How can I fix the problem?
    Or, which are the documents I should read?
    I have gone through the weblogic documentation briefly, but either it
    mention security management as a whole or just the security-constraint
    in the web app dd.
    I'm new to weblogic, so, it's likely that I missed something very
    basic and appreciate anyone to point that out to me.
    Thanks for any advice.
    Cheers.
    Han Ming

    It seems like a bug. However when I explicitly reset the error using set status it worked for me. I added following code in my error jsp .
    <%     
         response.setHeader("conent-type","text/html");
         response.setStatus(200);
    %>

  • Ask for help with form based authentication & authorization

    Hi:
    I encountered the following problem when I tried the form based authentication & authorization (see the attached part of the config files, web.xml, weblogic.xml & weblogic.properties)
    1. authorization seems not invoked against the rules specfied, it doesn't go the login error page as long as the user/pwd match, even though the user does not have the necessary role
    in the example below, user3 should be denied to access the signin page, but seems no login error page returned, actually I never see any page / error message which complain about the authorization / access control error
    2. after authenticate correctly, always get redirected to the / (context root) url, instead of the url prior the login page, for e.g., signin page
    Any idea ?
    Thanks in advance.
    HaiMing
    attach config files
    web.xml
    <security-constraint>
    <web-resource-collection>
    <web-resource-name>MySecureBit1</web-resource-name>
    <description>no description</description>
    <url-pattern>/control/signin</url-pattern>
    <http-method>POST</http-method>
    <http-method>GET</http-method>
    </web-resource-collection>
    </security-constraint>
    <login-config>
    <auth-method>FORM</auth-method>
    <realm-name>default</realm-name>
    <form-login-config>
    <form-login-page>/control/formbasedlogin</form-login-page>
    <form-error-page>/control/formbasedloginerror</form-error-page>
    </form-login-config>
    </login-config>
    <security-role>
    <description>the customer role</description>
    <role-name>customer</role-name>
    </security-role>
    weblogic.xml
    <security-role-assignment>
    <role-name>
    customer
    </role-name>
    <principal-name>
    customer_group
    </security-role-assignment>
    weblogic.properties
    weblogic.password.user1=user1pass
    weblogic.password.user2=user2pass
    weblogic.password.user3=user3pass
    weblogic.security.group.customer_group=user1,user2

    Hi, Paul:
    Thanks a lot for your reply.
    Firstly let me just correct a little in the attachment I put previously, I think I missed following lines :
    <auth-constraint>
    <description>no description</description>
    <role-name>customer</role-name>
    </auth-constraint>
    So, user1 & user2 are in the customer group, but user3 not, and /control/singin is protected by this security constraint, as a result, when anyone click the link to /control/singin, he was led to the login page, if he tries to login as user1 & user2, he should pass & led to original page (in this case /control/singin, and my code's logic, once /control/signin is used, means that he already login successfully & redirected to the login success page), but if he tries to login as user3, he should only pass the authentication check, but fail the authorization check, and led to login error page.
    What not happen are :
    1. user1 & user2 pass, but redirect to /
    2. user3 also pass, because I see that debug message shows also get redirected to /, instead of login error page
    (login error page will be displayed, only if I try to login as a user with either wrong userid, or wrong password)
    3. one more thing I notice after I first time post the message, the container does not remember the principal, after 1. is done, not even for a while
    And the similar configuration works under Tomcat 3.2.1, for all 3. mentioned above.
    Any idea ?
    HaiMing
    "Paul Patrick" <[email protected]> wrote:
    If I understand what your trying to do, everyone should get access to the
    login page since roles are not
    associated with principals until after they authenticate. If I follow what
    you specified in the XML files,
    authenticated users user1 and user2 are members of a group called
    customer_group.
    The principal customer_group (and therefore its members) is mapped in the
    weblogic.xml file to the role
    customer.
    I can't speak to the reason your being redirected to the document root.
    Paul Patrick
    "HaiMing" <[email protected]> wrote in message
    news:[email protected]...
    Hi:
    I encountered the following problem when I tried the form basedauthentication & authorization (see the attached part of the config files,
    web.xml, weblogic.xml & weblogic.properties)
    1. authorization seems not invoked against the rules specfied, itdoesn't go the login error page as long as the user/pwd match, even though
    the user does not have the necessary role
    in the example below, user3 should be denied to access the signinpage, but seems no login error page returned, actually I never see any page
    / error message which complain about the authorization / access control
    error
    2. after authenticate correctly, always get redirected to the / (contextroot) url, instead of the url prior the login page, for e.g., signin page
    Any idea ?
    Thanks in advance.
    HaiMing
    attach config files
    web.xml
    <security-constraint>
    <web-resource-collection>
    <web-resource-name>MySecureBit1</web-resource-name>
    <description>no description</description>
    <url-pattern>/control/signin</url-pattern>
    <http-method>POST</http-method>
    <http-method>GET</http-method>
    </web-resource-collection>
    </security-constraint>
    <login-config>
    <auth-method>FORM</auth-method>
    <realm-name>default</realm-name>
    <form-login-config>
    <form-login-page>/control/formbasedlogin</form-login-page>
    <form-error-page>/control/formbasedloginerror</form-error-page>
    </form-login-config>
    </login-config>
    <security-role>
    <description>the customer role</description>
    <role-name>customer</role-name>
    </security-role>
    weblogic.xml
    <security-role-assignment>
    <role-name>
    customer
    </role-name>
    <principal-name>
    customer_group
    </security-role-assignment>
    weblogic.properties
    weblogic.password.user1=user1pass
    weblogic.password.user2=user2pass
    weblogic.password.user3=user3pass
    weblogic.security.group.customer_group=user1,user2

  • Need Sample Code for Form-based Authentication

    Hello.
    I'm trying to setup Form-based Authentication. I keep reading the same (limited) documentation about putting this in your server's .xml files:
    <form method="POST" action="j_security_check">
            <input type="text" name="j_username">
            <input type="password" name="j_password">
    </form>I don't even have a web.xml or sun-web.xml file. I cannot find examples of Sun One WS either.
    Any sample coding - including yoru web.xml, sun-web.xml - would be greatly appeciated.
    Thanks!
    Sam

    Refer http://docs.sun.com/source/817-1833-10/pwadeply.html#wp40541

  • Form based authentication problem....help!!!!

    hey guys, <br>
    i'm trying to use form based authentication method to secure my web pages.
    This is the sample structure of the login page :
    <form action="j_security_check" method="post">
    <FONT SIZE="3" FACE="VERDANA">Company ��� </FONT>
    <INPUT TYPE=TEXT NAME="Company" SIZE="20">
    <BR><BR><BR>
    <FONT SIZE="3" FACE="VERDANA">UserName ��</FONT>
    <INPUT TYPE=TEXT NAME="j_username" SIZE="20">
    <BR><BR><BR>
    <FONT SIZE="3" FACE="VERDANA">Password �� </FONT>
    <INPUT TYPE=PASSWORD NAME="j_password" SIZE="20">
    <BR>
    <FONT SIZE="3" FACE="VERDANA">
    <INPUT TYPE=SUBMIT VALUE="Log In"> </FONT>
    </form>
    This is what the "loginerror.jsp" page looks like :
    <%@ taglib uri="http://java.sun.com/jsp/jstl/core" prefix="c" %>
    <html>
    <head>
    <title>
    Login Error
    </title>
    </head>
    <body>
    <c:url var="url" value="http://localhost:8080/sbs/sbs"/>
    <h2>Invalid user name or password.<h2>
    <p>Please enter a username or password that is authorized to access this application. Click here to try again</h2>
    </body>
    </html>
    This is what the sample response.jsp page looks like. This page should be displayed once the user logs in with correct username & password :
    <html>
    <head>
    <title>ResponsePage</title>
    </head>
    <body>
    <center>
    <h2>
    Testing response Page
    </h2>
    </center>
    </body>
    </html>
    Please note: I'm using j2ee1.4 sdk and DEPLOY TOOL to set all the security requirements. I think i did almost everything right but i don't understand the error that is being displayed. I t looks something like this :
    HTTP Status 400 - Invalid direct reference to form login page
    type Status report
    message Invalid direct reference to form login page
    description The request sent by the client was syntactically incorrect (Invalid direct reference to form login page).
    Sun-Java-System/Application-Server

    hey guys, <br>
    i'm trying to use form based authentication method to secure my web pages.
    This is the sample structure of the login page :
    <form action="j_security_check" method="post">
    <FONT SIZE="3" FACE="VERDANA">Company ��� </FONT>
    <INPUT TYPE=TEXT NAME="Company" SIZE="20">
    <BR><BR><BR>
    <FONT SIZE="3" FACE="VERDANA">UserName ��</FONT>
    <INPUT TYPE=TEXT NAME="j_username" SIZE="20">
    <BR><BR><BR>
    <FONT SIZE="3" FACE="VERDANA">Password �� </FONT>
    <INPUT TYPE=PASSWORD NAME="j_password" SIZE="20">
    <BR>
    <FONT SIZE="3" FACE="VERDANA">
    <INPUT TYPE=SUBMIT VALUE="Log In"> </FONT>
    </form>
    This is what the "loginerror.jsp" page looks like :
    <%@ taglib uri="http://java.sun.com/jsp/jstl/core" prefix="c" %>
    <html>
    <head>
    <title>
    Login Error
    </title>
    </head>
    <body>
    <c:url var="url" value="http://localhost:8080/sbs/sbs"/>
    <h2>Invalid user name or password.<h2>
    <p>Please enter a username or password that is authorized to access this application. Click here to try again</h2>
    </body>
    </html>
    This is what the sample response.jsp page looks like. This page should be displayed once the user logs in with correct username & password :
    <html>
    <head>
    <title>ResponsePage</title>
    </head>
    <body>
    <center>
    <h2>
    Testing response Page
    </h2>
    </center>
    </body>
    </html>
    Please note: I'm using j2ee1.4 sdk and DEPLOY TOOL to set all the security requirements. I think i did almost everything right but i don't understand the error that is being displayed. I t looks something like this :
    HTTP Status 400 - Invalid direct reference to form login page
    type Status report
    message Invalid direct reference to form login page
    description The request sent by the client was syntactically incorrect (Invalid direct reference to form login page).
    Sun-Java-System/Application-Server

  • Big problem :anything is accepted by form-based authentication on Jboss

    Hi there
    I'm new to form-based authentication. I've been stuck on this problem for one and a half day. I set up the form-based authentication(with JDBC realm) on JBoss 3.2/Tomcat 5.0. When I visit the protected area, it did ask me for password. But it accepts whatever I input and forwards the desired page, even when I input nothing and just click on submit, it allows me to go through. No error message at all. I am in desperate need for help.
    Here is my configuration. The web.xml is like this
    <?xml version="1.0" encoding="UTF-8"?>
    <!DOCTYPE web-app PUBLIC "-//Sun Microsystems, Inc.//DTD Web Application 2.3//EN" "http://java.sun.com/dtd/web-app_2_3.dtd">
    <web-app>
    <display-name>LoginTest</display-name>
    <security-constraint>
    <display-name>Example Security Constraint</display-name>
    <web-resource-collection>
    <web-resource-name>Protected Area</web-resource-name>
    <url-pattern>/*</url-pattern>
    <http-method>DELETE</http-method>
    <http-method>GET</http-method>
    <http-method>POST</http-method>
    <http-method>PUT</http-method>
    </web-resource-collection>
    <auth-constraint>
    <role-name>manager</role-name>
    </auth-constraint>
    <user-data-constraint><transport-guarantee>NONE</transport-guarantee></user-data-constraint>
    </security-constraint>
    <!-- Default login configuration uses form-based authentication -->
    <login-config>
    <auth-method>FORM</auth-method>
    <form-login-config>
    <form-login-page>/login.jsp</form-login-page>
    <form-error-page>/error.jsp</form-error-page>
    </form-login-config>
    </login-config>
    <security-role>
    <description>Manager security role</description>
    <role-name>manager</role-name>
    </security-role>
    </web-app>
    I also add the following JDBC realm definition into the server.xml which is under jboss/server/default/deploy/jbossweb-tomcat50.sar
    <Realm
    className="org.apache.catalina.realm.JDBCRealm" debug="1"
    driverName="org.gjt.mm.mysql.Driver"
    connectionURL="jdbc:mysql://myipdadress:3306/field_bak"
    connectionName="plankton"
    connectionPassword="plankton"
    userTable="users"
    userNameCol="user_name"
    userCredCol="user_pass"
    userRoleTable="user_roles"
    roleNameCol="role_name"
    />
    The JDBC realm is enclosed by the <engine> element. I checked the server log file, when the jboss server is started, it does load the mysql driver correctly and connect to mysql database fine. If I changed the IP of the mysql server to a non-existing one, then when I start jboss server, the server boot process will complain about connection to mysql faiure.
    I guess maybe the server doesn't do the authentication by connecting to mysql and verify it when I submit the log in form. It seems the JDBC realm authentication is bypassed. I notice that even I get rid of the JDBC realm definition from the server.xml file, and test the web application. It behaves exactly the same way. It asks me for password but anything will go through even nothing.
    Can anybody help me about this? I'm really stuck on this.
    Thanks a lot!

    By the way, I did create database"field_bak" and the tables for the JDBC realm verification.
    I also created the users and the roles.
    But it seems like Tomcat container doesn't do the JDBC realm authentication.

  • Any one having idea on Form based authentication ?

    Hi ,
    I need help on configuring web.xml for form based authentication .
    ie if any one clicks or attempts to access any page in application it should redirect to login page.
    Thanks.

    there is no need to write a servlet filter for this any more. It is part of the servlet spec. Web containers should provide it as a matter of course. It will automatically handle the popping up of the login page, and continue to the destination on successful login, all automagically.
    A quick search on Google provides several articles and examples on this very subject. Try http://www.onjava.com/pub/a/onjava/2002/06/12/form.html
    Heres a quick example of web.xml config taken from that article:
    <login-config>
    <auth-method>FORM</auth-method>
    <form-login-config>
    <form-login-page>/login.jsp</form-login-page>
    <form-error-page>/fail_login.html</form-error-page>
    </form-login-config>
    </login-config>
    <security-constraint>
    <web-resource-collection>
    <web-resource-name>AdminPages</web-resource-name>
    <description> accessible by authorised users </description>
    <url-pattern>/admin/*</url-pattern>
    <http-method>GET</http-method>
    </web-resource-collection>
    <auth-constraint>
    <description>These are the roles who have access</description>
    <role-name>manager</role-name>
    </auth-constraint>
    </security-constraint>Cheers,
    evnafets

  • Performing form based authentication with entities

    Hey everyone,
    Im in a major dilemma.Im trying to perform form-based authentication using entities.I have created the entity class from the database,and I used a SLSB to access the bean method via JNDI(when I tried using dependency injection,there was an exception).I also cannot use hibernate as a persistent provider.I used toplink since it is the default in netbeans 5.5.1 and it did not raise any issues.But then,I noticed that toplink is most compatible with the oracle application server,and I use sun java system application server 9.1.I have not been able to successfully perform the authentication.
    here's the code:note,there are still bugs as ive been going back and forth trying to find a solution and also because Ive been working with preexisting code.
    model:
    SLSB
    * userValidationBean.java
    * Created on 26 March 2008, 18:25
    * To change this template, choose Tools | Template Manager
    * and open the template in the editor.
    package Entities;
    import javax.ejb.Stateless;
    import javax.ejb.Remote;
    import java.util.List;
    import javax.persistence.PersistenceContext;
    import javax.persistence.EntityManager;
    import javax.persistence.Query;
    import Entities.UserTable;
    import javax.transaction.UserTransaction;
    import javax.annotation.Resource;
    //the reason for the many comments is that im still debugging and there are still some bugs.Ive also been trying to go back and forth just
    //to get a solution.
    //the other accompanying classes had preexisting code i wrote earlier.
    * @author Ayo
    @Stateless
    @Remote(userValidationRemote.class)
    public class userValidationBean implements Entities.userValidationRemote {
    @PersistenceContext private EntityManager manager;
    @Resource private javax.transaction.UserTransaction tran;
    /** Creates a new instance of userValidationBean */
    public userValidationBean() {
    //"SELECT u.username,u.password FROM UserTable u WHERE u.username =?1 and u.password=?2"
    public boolean checkUser()
    try
    tran.begin();
    UserTable user=new UserTable();
    Query query=manager.createQuery("select u.username,u.password from u.user_table where u.username=:username and u.password=:password");
    /*query.set("username",user.getUsername());
    query.setParameter("password",user.getPassword());*/
    query.setParameter("username",user.getUsername());
    query.setParameter("password",user.getPassword());
    userValidationBean ubean=(userValidationBean)query.getSingleResult();
    boolean result=ubean==null?true:false;
    tran.commit();
    catch(Exception e)
    System.out.println("Error:"+e);
    // boolean result=ubean==null?true:false;
    return result;
    remote interface
    package Entities;
    import javax.ejb.Remote;
    import Entities.UserTable;
    * This is the business interface for userValidation enterprise bean.
    @Remote
    public interface userValidationRemote {
    public boolean checkUser();
    controller:servlet
    * userCheck.java
    * Created on 15 March 2008, 22:41
    package servlets;
    import Entities.UserTable;
    import Entities.userValidationBean;
    import javax.annotation.*;
    import Entities.userValidationRemote;
    import java.io.*;
    import java.net.*;
    import java.sql.*;
    import javax.servlet.*;
    import javax.servlet.http.*;
    import javax.ejb.*;
    import javax.naming.*;
    import javax.persistence.*;
    * @author Ayo
    * @version
    public class userCheck extends HttpServlet {
    //@EJB userValidationRemote userRemote;
    boolean checkUser;
    String username,password;
    /** Processes requests for both HTTP <code>GET</code> and <code>POST</code> methods.
    * @param request servlet request
    * @param response servlet response
    protected void processRequest(HttpServletRequest request, HttpServletResponse response)
    throws ServletException, IOException {
    /*con=null;
    ps=null;
    rs=null;
    s=null;
    */response.setContentType("text/html;charset=UTF-8");
    PrintWriter out = response.getWriter();
    username=request.getParameter("username");
    password=request.getParameter("password");
    if(username==""||password=="")
    //RequestDispatcher de=request.getRequestDispatcher("admin_error.jsp");
    //de.forward(request,response);
    //showError("<b><font color=\"red\">Invalid Login details!</font></b>",request,response);
    showError("<b><font color=\"red\">Please fill in the required blanks.</font></b>",request,response);
    else
    try
    Context ctx=new InitialContext();
    userValidationRemote userRemote=(userValidationRemote)ctx.lookup("Entities.userValidationRemote");
    checkUser= userRemote.checkUser();
    //checkUser= userRemote.checkUser();
    //return;
    //checkUser(UserTable user);
    catch(Exception e)
    out.println("Error:"+e);
    //userValidation.checkUser(UserTable user);
    if(checkUser==true)
    RequestDispatcher d=request.getRequestDispatcher("blah.jsp");
    d.forward(request,response);
    else if(checkUser==false)
    // RequestDispatcher d=request.getRequestDispatcher("admin_error.jsp");
    //d.forward(request,response);
    showError("<b><font color=\"red\">Invalid Login details!</font></b>",request,response);
    //call bean(stateless or stateful)which access method on entity that validates.
    // checkUser(request,response);
    /* TODO output your page here
    out.println("<html>");
    out.println("<head>");
    out.println("<title>Servlet userCheck</title>");
    out.println("</head>");
    out.println("<body>");
    out.println("<h1>Servlet userCheck at " + request.getContextPath () + "</h1>");
    out.println("</body>");
    out.println("</html>");
    //out.close();
    /* public synchronized void checkUser(HttpServletRequest request,HttpServletResponse response)throws ServletException,IOException
    if(username==""&&password=="")
    showError("<b><font color=\"red\">Please fill in the required blanks.</font></b>",request,response);
    else
    try
    Class.forName("com.mysql.jdbc.Driver");
    con=DriverManager.getConnection("jdbc:mysql://localhost:3306/Health_Management_System","root","");
    ps=con.prepareStatement("select username,password from user_table where username=?and password=?");
    ps.setString(1,username);
    ps.setString(2,password);
    rs=ps.executeQuery();
    if(rs.next())
    user=rs.getString(1);
    pass=rs.getString(2);
    //check user type,wether super admin,user or the other subadmins or a regular user.
    checkType(request,response);
    else
    //redirect to admin error page,then close the connection.
    showError("<b><font color=\"red\">Invalid Login details.</font></b>",request,response);
    con.close();
    catch(Exception e)
    private synchronized void checkType(HttpServletRequest request,HttpServletResponse response)throws ServletException,IOException
    try
    Class.forName("com.mysql.jdbc.Driver");
    con=DriverManager.getConnection("jdbc:mysql://localhost:3306/Health_Management_System","root","");
    ps=con.prepareStatement("select user_type,user_id,access_level from user_table where username=? and password=?");
    ps.setString(1,user);
    ps.setString(2,pass);
    rs=ps.executeQuery();
    if(rs.next())
    user_type=rs.getString(1);
    user_id=""+rs.getInt(2);
    access_level=rs.getString(3);
    if(user_type.equals("super")&&(access_level.equals("all")))
    //create admin user session,add to the username and the user_id.
    //redirect to super admin page,with access rights to create
    //health admin,insurance admin and HMO admin.
    //pretty cool stuff!
    HttpSession session=request.getSession(true);
    session.setAttribute("user",user);
    session.setAttribute("user_id",user_id);
    RequestDispatcher dispatcher=request.getRequestDispatcher("admin_user_page.jsp");
    dispatcher.forward(request,response);
    //session.setAttribute(user_id);
    //remember to create a hidden field if you need to pass this information
    //to another page and retrieve the super admin id to track his activities.
    else if(user_type.equals("health administrator")&&(access_level.equals("Health")))
    HttpSession session=request.getSession(true);
    session.setAttribute("user",user);
    session.setAttribute("user_id",user_id);
    RequestDispatcher des=request.getRequestDispatcher("health_admin_user_page.jsp");
    des.forward(request,response);
    //check for other user types,health admin,hmo admin and insurance admin.
    else if(user_type.equals("hmo administrator")&&(access_level.equals("HMO")))
    HttpSession session=request.getSession(true);
    session.setAttribute("user",user);
    session.setAttribute("user_id",user_id);
    RequestDispatcher d=request.getRequestDispatcher("hmo_admin_user_page.jsp");
    d.forward(request,response);
    showError("<b><font color=\"red\">Invalid Login details.</font></b>",request,response);
    else if(user_type.equals("insurance administrator")&&(access_level.equals("insurance")))
    HttpSession session=request.getSession(true);
    session.setAttribute("user",user);
    session.setAttribute("user_id",user_id);
    RequestDispatcher de=request.getRequestDispatcher("insurance_admin_user_page.jsp");
    de.forward(request,response);
    else if(user_type.equals("user")&&(access_level.equals("health")))
    try
    Class.forName("com.mysql.jdbc.Driver");
    con=DriverManager.getConnection("jdbc:mysql:http://localhost:3306/Health_Management_System","root","");
    ps=con.prepareStatement("select staff_id from user_table where username=?and password=?");
    ps.setString(1,username);
    ps.setString(2,password);
    rs=ps.executeQuery();
    if(rs.next())
    String staff_id=""+rs.getInt(1);
    Class.forName("com.mysql.jdbc.Driver");
    con=DriverManager.getConnection("jdbc:mysql://localhost:3306/Health_Management_System","root","");
    ps=con.prepareStatement("select * from health_staff_table where staff_id=?");
    ps.setString(1,staff_id);
    rs=ps.executeQuery();
    if(rs.next())
    //retrieve the values from health staff and store them in variables.
    //store important variables in user sessions e.g.staff_id,username,place of work for display in the web page.
    //redirect to required page.
    String first_name=rs.getString("first_name");
    String last_name=rs.getString("last_name");
    String work_place=rs.getString("place_of_work");
    HttpSession session=request.getSession(true);
    session.setAttribute("first_name",first_name);
    session.setAttribute("last_name",last_name);
    session.setAttribute("work_place",work_place);
    session.setAttribute("staff_id",staff_id);
    //redirect to user page.
    else
    showError("<b><font color=\"red\">Invalid Login details.</font></b>",request,response);
    else
    showError("<b><font color=\"red\">Invalid Login details.</font></b>",request,response);
    catch(Exception e)
    //catch exception and redirect to page.
    else if(user_type.equals("user")&&(access_level.equals("HMO")))
    try
    Class.forName("com.mysql.jdbc.Driver");
    con=DriverManager.getConnection("jdbc:mysql:http://localhost:3306/Health_Management_System","root","");
    ps=con.prepareStatement("select staff_id from user_table where username=?and password=?");
    ps.setString(1,username);
    ps.setString(2,password);
    rs=ps.executeQuery();
    if(rs.next())
    String staff_id=""+rs.getInt(1);
    Class.forName("com.mysql.jdbc.Driver");
    con=DriverManager.getConnection("jdbc:mysql://localhost:3306/Health_Management_System","root","");
    ps=con.prepareStatement("select * from hmo_staff_table where staff_id=?");
    ps.setString(1,staff_id);
    rs=ps.executeQuery();
    if(rs.next())
    //retrieve the values from HMO staff and store them in variables.
    //store important variables in user sessions e.g.staff_id,username,place of work for display in the web page.
    //redirect to required page.
    String first_name=rs.getString("first_name");
    String last_name=rs.getString("last_name");
    String work_place=rs.getString("place_of_work");
    HttpSession session=request.getSession(true);
    session.setAttribute("first_name",first_name);
    session.setAttribute("last_name",last_name);
    session.setAttribute("work_place",work_place);
    session.setAttribute("staff_id",staff_id);
    else
    showError("<b><font color=\"red\">Invalid Login details.</font></b>",request,response);
    else
    showError("<b><font color=\"red\">Invalid Login details.</font></b>",request,response);
    catch(Exception e)
    //catch exception and redirect to page.
    else if(user_type.equals("user")&&(access_level.equals("insurance")))
    try
    Class.forName("com.mysql.jdbc.Driver");
    con=DriverManager.getConnection("jdbc:mysql:http://localhost:3306/Health_Management_System","root","");
    ps=con.prepareStatement("select staff_id from user_table where username=?and password=?");
    ps.setString(1,username);
    ps.setString(2,password);
    rs=ps.executeQuery();
    if(rs.next())
    String staff_id=""+rs.getInt(1);
    Class.forName("com.mysql.jdbc.Driver");
    con=DriverManager.getConnection("jdbc:mysql://localhost:3306/Health_Management_System","root","");
    ps=con.prepareStatement("select * from insurance_staff_table where staff_id=?");
    ps.setString(1,staff_id);
    rs=ps.executeQuery();
    if(rs.next())
    //retrieve the values from insurance staff and store them in variables.
    //store important variables in user sessions e.g.staff_id,username,place of work for display in the web page.
    //redirect to required page.
    String first_name=rs.getString("first_name");
    String last_name=rs.getString("last_name");
    String work_place=rs.getString("place_of_work");
    HttpSession session=request.getSession(true);
    session.setAttribute("first_name",first_name);
    session.setAttribute("last_name",last_name);
    session.setAttribute("work_place",work_place);
    session.setAttribute("staff_id",staff_id);
    else
    showError("<b><font color=\"red\">Invalid Login details.</font></b>",request,response);
    else
    showError("<b><font color=\"red\">Invalid Login details.</font></b>",request,response);
    catch(Exception e)
    //catch exception and redirect to page.
    else
    //invalid login details.After all else fails.
    showError("<b><font color=\"red\">Invalid Login details.</font></b>",request,response);
    catch(Exception e)
    private void showError(String errorMsg,HttpServletRequest request,HttpServletResponse response)throws ServletException,IOException
    request.setAttribute("error_msg",errorMsg);
    RequestDispatcher dispatcher=request.getRequestDispatcher("admin_error.jsp");
    dispatcher.forward(request,response);
    // <editor-fold defaultstate="collapsed" desc="HttpServlet methods. Click on the + sign on the left to edit the code.">
    /** Handles the HTTP <code>GET</code> method.
    * @param request servlet request
    * @param response servlet response
    protected void doGet(HttpServletRequest request, HttpServletResponse response)
    throws ServletException, IOException {
    processRequest(request, response);
    /** Handles the HTTP <code>POST</code> method.
    * @param request servlet request
    * @param response servlet response
    protected void doPost(HttpServletRequest request, HttpServletResponse response)
    throws ServletException, IOException {
    processRequest(request, response);
    /** Returns a short description of the servlet.
    public String getServletInfo() {
    return "Short description";
    // </editor-fold>
    view
    <%@ page contentType="text/html; charset=utf-8" language="java" import="java.sql.*" errorPage="" %>
    <!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
    <html xmlns="http://www.w3.org/1999/xhtml">
    <head>
    <meta http-equiv="Content-Type" content="text/html; charset=utf-8" />
    <title>Login</title>
    <style type="text/css">
    <!--
    .style3 {     color: #000000;
         font-family: Arial, Helvetica, sans-serif;
         font-size: 12px;
    .style1 {color: #0000FF}
    .style4 {
         color: #0000FF;
         font-size: 12px;
    .style5 {
         font-size: 12px
    .style6 {
         color: #FF0000;
         font-size: 12px;
    .style7 {
         font-size: 36px
    .style8 {color: #000000}
    -->
    </style>
    </head>
    <body>
    <table width="564" border="0" align="center">
    <tr>
    <td width="558" bgcolor="#CCCCCC" class="style1"><div align="center">
    <p> </p>
    <h1 class="style7">Welcome to HealthPort</h1>
    <p>HealthPort Login</p>
    <p><span class="style8">Today's date is:<%= new java.util.Date() %></span></p>
    <form id="form1" name="form1" method="post" action="userCheck">
    <p align="right" class="style3">Username
    <label></label>
    <input type="text" name="username" id="username" />
    </p>
    <p align="right" class="style3">Password
    <input type="password" name="password" id="password" />
    </p>
    <p align="right" class="style3">
    <span class="style6">
    <label></label>
    <label></label>
    </span>
    <span class="style5">
    <label></label>
    </span>
    <label>
    <input type="submit" name="button" id="button" value="Login" />
    </label>
    </p>
    <div align="right">
    </div></form>
    <div align="right"><div align="left"><p align="right"> </p>
    </div></div></div></td>
    </tr>
    <tr>
    <td bgcolor="#CCCCCC" class="style1"> </td>
    </tr>
    </table>
    </body>
    </html>
    so,that's about it.I'd appreciate it.I know this is a lot.I'm grateful
    Ayo.

    Hi.Im still having issues trying to perform form based authenticatin with entities.I tried this method but im getting errors on the marked lines.
    controller servlet
    * userCheck.java
    * Created on 15 March 2008, 22:41
    package servlets;
    import Entities.UserTable;
    import Entities.userValidationBean;
    import javax.annotation.*;
    import Entities.userValidationRemote;
    import java.io.*;
    import java.net.*;
    import java.sql.*;
    import javax.servlet.*;
    import javax.servlet.http.*;
    import javax.ejb.*;
    import javax.naming.*;
    import javax.persistence.*;
    * @author Ayo
    * @version
    public class userCheck extends HttpServlet {
    //@EJB userValidationRemote userRemote;
    boolean checkUser;
    String username,password;
    /** Processes requests for both HTTP <code>GET</code> and <code>POST</code> methods.
    * @param request servlet request
    * @param response servlet response
    protected void processRequest(HttpServletRequest request, HttpServletResponse response)
    throws ServletException, IOException {
    /*con=null;
    ps=null;
    rs=null;
    s=null;
    */response.setContentType("text/html;charset=UTF-8");
    PrintWriter out = response.getWriter();
    username=request.getParameter("username");
    password=request.getParameter("password");
    if(username==""||password=="")
    showError("<b><font color=\"red\">Please fill in the required blanks.</font></b>",request,response);
    else
    try
    Context ctx=new InitialContext();
    userValidationRemote userRemote=(userValidationRemote)ctx.lookup("Entities.userValidationRemote");
    (error on this line-saying ')' expected and no matter if i add ) there is still erro)userRemote.authenticate(String p_user,String p_password);
    catch(Exception e)
    out.println("Error:"+e);
    if(checkUser==true)
    RequestDispatcher d=request.getRequestDispatcher("blah.jsp");
    d.forward(request,response);
    else if(checkUser==false)
    showError("<b><font color=\"red\">Invalid Login details!</font></b>",request,response);
    private void showError(String errorMsg,HttpServletRequest request,HttpServletResponse response)throws ServletException,IOException
    request.setAttribute("error_msg",errorMsg);
    RequestDispatcher dispatcher=request.getRequestDispatcher("admin_error.jsp");
    dispatcher.forward(request,response);
    // <editor-fold defaultstate="collapsed" desc="HttpServlet methods. Click on the + sign on the left to edit the code.">
    /** Handles the HTTP <code>GET</code> method.
    * @param request servlet request
    * @param response servlet response
    protected void doGet(HttpServletRequest request, HttpServletResponse response)
    throws ServletException, IOException {
    processRequest(request, response);
    /** Handles the HTTP <code>POST</code> method.
    * @param request servlet request
    * @param response servlet response
    protected void doPost(HttpServletRequest request, HttpServletResponse response)
    throws ServletException, IOException {
    processRequest(request, response);
    /** Returns a short description of the servlet.
    public String getServletInfo() {
    return "Short description";
    // </editor-fold>
    view
    <%@ page contentType="text/html; charset=utf-8" language="java" import="java.sql.*" errorPage="" %>
    <!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
    <html xmlns="http://www.w3.org/1999/xhtml">
    <head>
    <meta http-equiv="Content-Type" content="text/html; charset=utf-8" />
    <title>Login</title>
    <style type="text/css">
    <!--
    .style3 {     color: #000000;
         font-family: Arial, Helvetica, sans-serif;
         font-size: 12px;
    .style1 {color: #0000FF}
    .style4 {
         color: #0000FF;
         font-size: 12px;
    .style5 {
         font-size: 12px
    .style6 {
         color: #FF0000;
         font-size: 12px;
    .style7 {
         font-size: 36px
    .style8 {color: #000000}
    -->
    </style>
    </head>
    <body>
    <table width="564" border="0" align="center">
    <tr>
    <td width="558" bgcolor="#9DACBF" class="style1"><div align="center">
    <p> </p>
    <h1 class="style7">Welcome to HealthPort</h1>
    <p>HealthPort Login</p>
    <p><span class="style8">Today's date is:<%= new java.util.Date() %></span></p>
    <form id="form1" name="form1" method="post" action="userCheck">
    <p align="right" class="style3">Username
    <label></label>
    <input type="text" name="username" id="username" />
    </p>
    <p align="right" class="style3">Password
    <input type="password" name="password" id="password" />
    </p>
    <p align="right" class="style3">
    <span class="style6">
    <label></label>
    <label></label>
    </span>
    <span class="style5">
    <label></label>
    </span>
    <label>
    <input type="submit" name="button" id="button" value="Login" />
    </label>
    </p>
    <div align="right">
    </div></form>
    <div align="right"><div align="left"><p align="right"> </p>
    </div></div></div></td>
    </tr>
    <tr>
    <td bgcolor="#CCCCCC" class="style1"> </td>
    </tr>
    </table>
    </body>
    </html>
    SLSB (implements userValidationRemote)
    * userValidationBean.java
    * Created on 26 March 2008, 18:25
    * To change this template, choose Tools | Template Manager
    * and open the template in the editor.
    package Entities;
    import javax.ejb.Stateless;
    import javax.ejb.Remote;
    import javax.persistence.PersistenceContext;
    import javax.persistence.EntityManager;
    import javax.persistence.Query;
    import Entities.UserTable;
    import javax.annotation.*;
    //import javax.transaction.UserTransaction;
    * @author Ayo
    @Stateless(mappedName="ejb/facade/userValidationBean")
    @Remote(userValidationRemote.class)
    (error on this line saying can't find class TransactionManagement)@TransactionManagement(value=TransactionManagementType.CONTAINER)
    public class userValidationBean implements Entities.userValidationRemote {
    @PersistenceContext(unitName="HealthInsuranceApp-ejbPU") private EntityManager manager;
    /** Creates a new instance of userValidationBean */
    public userValidationBean() {
    //"SELECT u.username,u.password FROM UserTable u WHERE u.username =?1 and u.password=?2"
    public boolean authenticate(String p_user,String p_password)
    UserTable m_user=manager.find(UserTable.class,p_user);
    if(m_user!=null)
    return m_user.getPassword().equals(p_password);
    return false;
    Entity
    * UserTable.java
    * Created on 29 March 2008, 13:24
    * To change this template, choose Tools | Template Manager
    * and open the template in the editor.
    package Entities;
    import java.io.Serializable;
    import javax.persistence.Column;
    import javax.persistence.Entity;
    import javax.persistence.Id;
    import javax.persistence.Table;
    * Entity class UserTable
    * @author Ayo
    @Entity(name="qs_UserPwd")
    @Table(name = "user_table")
    public class UserTable implements Serializable {
    @Id
    @Column(name = "user_id", nullable = false)
    private Integer userId;
    @Column(name = "username")
    private String username;
    @Column(name = "password")
    private String password;
    @Column(name = "user_type")
    private String userType;
    @Column(name = "access_level")
    private String accessLevel;
    @Column(name = "staff_id")
    private Integer staffId;
    @Column(name = "staff_type", nullable = false)
    private String staffType;
    @Column(name = "time_created")
    private String timeCreated;
    @Column(name = "time_modified")
    private String timeModified;
    @Column(name = "time_logged_in")
    private String timeLoggedIn;
    @Column(name = "time_logged_out")
    private String timeLoggedOut;
    @Column(name = "created_by")
    private String createdBy;
    /** Creates a new instance of UserTable */
    public UserTable() {
    * Creates a new instance of UserTable with the specified values.
    * @param userId the userId of the UserTable
    public UserTable(Integer userId) {
    this.userId = userId;
    * Creates a new instance of UserTable with the specified values.
    * @param userId the userId of the UserTable
    * @param staffType the staffType of the UserTable
    public UserTable(Integer userId, String staffType) {
    this.userId = userId;
    this.staffType = staffType;
    public UserTable(String p_user,String p_password)
    setUsername(p_user);
    setPassword(p_password);
    * Gets the userId of this UserTable.
    * @return the userId
    public Integer getUserId() {
    return this.userId;
    * Sets the userId of this UserTable to the specified value.
    * @param userId the new userId
    public void setUserId(Integer userId) {
    this.userId = userId;
    * Gets the username of this UserTable.
    * @return the username
    public String getUsername() {
    return this.username;
    * Sets the username of this UserTable to the specified value.
    * @param username the new username
    public void setUsername(String p_user) {
    p_user = username;
    * Gets the password of this UserTable.
    * @return the password
    public String getPassword() {
    return this.password;
    * Sets the password of this UserTable to the specified value.
    * @param password the new password
    public void setPassword(String p_password) {
    p_password=password;
    * Gets the userType of this UserTable.
    * @return the userType
    public String getUserType() {
    return this.userType;
    * Sets the userType of this UserTable to the specified value.
    * @param userType the new userType
    public void setUserType(String userType) {
    this.userType = userType;
    * Gets the accessLevel of this UserTable.
    * @return the accessLevel
    public String getAccessLevel() {
    return this.accessLevel;
    * Sets the accessLevel of this UserTable to the specified value.
    * @param accessLevel the new accessLevel
    public void setAccessLevel(String accessLevel) {
    this.accessLevel = accessLevel;
    * Gets the staffId of this UserTable.
    * @return the staffId
    public Integer getStaffId() {
    return this.staffId;
    * Sets the staffId of this UserTable to the specified value.
    * @param staffId the new staffId
    public void setStaffId(Integer staffId) {
    this.staffId = staffId;
    * Gets the staffType of this UserTable.
    * @return the staffType
    public String getStaffType() {
    return this.staffType;
    * Sets the staffType of this UserTable to the specified value.
    * @param staffType the new staffType
    public void setStaffType(String staffType) {
    this.staffType = staffType;
    * Gets the timeCreated of this UserTable.
    * @return the timeCreated
    public String getTimeCreated() {
    return this.timeCreated;
    * Sets the timeCreated of this UserTable to the specified value.
    * @param timeCreated the new timeCreated
    public void setTimeCreated(String timeCreated) {
    this.timeCreated = timeCreated;
    * Gets the timeModified of this UserTable.
    * @return the timeModified
    public String getTimeModified() {
    return this.timeModified;
    * Sets the timeModified of this UserTable to the specified value.
    * @param timeModified the new timeModified
    public void setTimeModified(String timeModified) {
    this.timeModified = timeModified;
    * Gets the timeLoggedIn of this UserTable.
    * @return the timeLoggedIn
    public String getTimeLoggedIn() {
    return this.timeLoggedIn;
    * Sets the timeLoggedIn of this UserTable to the specified value.
    * @param timeLoggedIn the new timeLoggedIn
    public void setTimeLoggedIn(String timeLoggedIn) {
    this.timeLoggedIn = timeLoggedIn;
    * Gets the timeLoggedOut of this UserTable.
    * @return the timeLoggedOut
    public String getTimeLoggedOut() {
    return this.timeLoggedOut;
    * Sets the timeLoggedOut of this UserTable to the specified value.
    * @param timeLoggedOut the new timeLoggedOut
    public void setTimeLoggedOut(String timeLoggedOut) {
    this.timeLoggedOut = timeLoggedOut;
    * Gets the createdBy of this UserTable.
    * @return the createdBy
    public String getCreatedBy() {
    return this.createdBy;
    * Sets the createdBy of this UserTable to the specified value.
    * @param createdBy the new createdBy
    public void setCreatedBy(String createdBy) {
    this.createdBy = createdBy;
    * Returns a hash code value for the object. This implementation computes
    * a hash code value based on the id fields in this object.
    * @return a hash code value for this object.
    @Override
    public int hashCode() {
    int hash = 0;
    hash += (this.userId != null ? this.userId.hashCode() : 0);
    return hash;
    * Determines whether another object is equal to this UserTable. The result is
    * <code>true</code> if and only if the argument is not null and is a UserTable object that
    * has the same id field values as this object.
    * @param object the reference object with which to compare
    * @return <code>true</code> if this object is the same as the argument;
    * <code>false</code> otherwise.
    @Override
    public boolean equals(Object object) {
    // TODO: Warning - this method won't work in the case the id fields are not set
    if (!(object instanceof UserTable)) {
    return false;
    UserTable other = (UserTable)object;
    if (this.userId != other.userId && (this.userId == null || !this.userId.equals(other.userId))) return false;
    return true;
    * Returns a string representation of the object. This implementation constructs
    * that representation based on the id fields.
    * @return a string representation of the object.
    @Override
    public String toString() {
    return "Entities.UserTable[userId=" + userId + "]";
    please what do I do? or is there a better way? seems like my appserver(sun java system app server 9.1)doesnt support dependency injection as
    there's always an exception in the server log when i try it.i use the default transaction provider toplink because use of any of the others raises an exception and my application index page never shows. please i need help? I want to be able to succesfully perform this authentication as its the only way i can move to the next level
    Ayo.

  • Manager password in tomcat for form based authentication

    Hi all,
    I have a jsp using form based authentication.I have set up the web.xml,server.xml and created my database with the various users and roles but when i try to deploy the application,it as for the manger username/password and when i enter what i have in the database it refuses to connect.
    Anyone has any idea what i might be doiing wrong?
    Thans in advance

    Hi,
    I'm a little confused. You wanted to know how to configure Tomcat for form based authentication, and I sent you an article on how to do that. Is there something more you need from me? You had offered 10 duke dollars for this post, and if there is more I can do I will help for the remaining amount, but I can't help you getting access to the Tomcat *.xml file.

  • Form-based authentication problem with weblogic

    Hi Everyone,
    The following problem related to form-based authentication
    was posted one week ago and no reponse. Can someone give it
    a shot? One more thing is added here. When I try it on J2EE
    server and do the same thing, I didn't encounter this error
    message, and I am redirected to the homeage.
    Thanks.
    -John
    I am using weblogic5.1 and RDBMSRealm as the security realm. I am having the following problem with the form-based authentication login mechanism. Does anyone have an idea what the problem is and how to solve it?
    When I login my application and logout as normal procedure, it is OK. But if I login and use the browser's BACK button to back the login page and try to login as a new user, I got the following error message,
    "Form based authentication failed. Could not find session."
    When I check the LOG file, it gives me the following message,
    "Form based authentication failed. One of the following reasons could cause it: HTTP sessions are disabled. An old session ID was stored in the browser."
    Normally, if you login and want to relogin without logout first, it supposes to direct you to the existing user session. But I don't understand why it gave me this error. I also checked my property file, it appears that the HTTP sessions are enabled as follows,
    weblogic.httpd.session.enable=true

    Hi...
    Hehe... I actually did implement the way you implement it. My login.jsp actually checks if the user is authenticated. If yes, then it will forward it to the home page. On the other hand, I used ServletAuthentication to solve the problem mentioned by Cameron where Form Authentication Failed usually occurs for the first login attempt. I'm also getting this error occasionally. Using ServletAuthentication totally eliminates the occurence of this problem.
    I'm not using j_security_check anymore. ServletAuthentication does all the works. It also uses RDBMSRealm to authenticate the user. I think the biggest disadvantage I can see when using ServletAuthentication is that the requested resource will not be returned after authentication cause the page returned after authenticating the user is actually hard coded (for my case, it's the home.jsp)
    cheers...
    Jerson
    "John Wang" <[email protected]> wrote:
    >
    Hi Jerson,
    I tried your code this weekend, it didn't work in my case. But
    I solved my specific problem other way. The idea behind my problem is that the user tries to relogin when he already logs in. Therefore, I just redirect the user into another page when he is getting the login page by htting the BACK button, rather than reauthenticate the user as the way you did.
    But, I think your idea is very helpful if it could work. Problems such multiple concurrence logins can be solved by pre-processing.
    In your new code, you solved the problem with a new approach. I am just wondering, do you still implement it with your login.jsp file? In other word, your action in login.jsp is still "Authenticate"? Where do you put the URL "j_security_check"?
    Thanks.
    -John
    "Jerson Chua" <[email protected]> wrote:
    I've solved the problem by using ServletAuthentication. So far I'm not getting the error message. One of the side effects is that it doesn't return the requested URI after authentication, it will always return the home page.
    Jerson
    package com.cyberj.catalyst.web;
    import weblogic.servlet.security.*;
    import javax.servlet.*;
    import javax.servlet.http.*;
    import java.io.*;
    public class Authenticate extends HttpServlet {
    private ServletAuthentication sa = new ServletAuthentication("j_username", "j_password");
    public void doPost(HttpServletRequest request, HttpServletResponse response)
    throws ServletException, java.io.IOException {
    int authenticated = sa.weak(request, response);
    if (authenticated == ServletAuthentication.NEEDS_CREDENTIALS ||
    authenticated == ServletAuthentication.FAILED_AUTHENTICATION) {
    response.sendRedirect("fail_login.jsp");
    } else {
    response.sendRedirect("Home.jsp");
    public void doGet(HttpServletRequest request, HttpServletResponse response)
    throws ServletException, java.io.IOException {
    doPost(request, response);
    "Jerson Chua" <[email protected]> wrote:
    The problem is still there even if I use page redirection. Grrr... My boss wants me to solve this problem so what are the alternatives I can do? Are there any other ways of authenticating the user? In my web tier... I'm using isUserInRole, getRemoteUser and the web tier actually connects to EJBs. If I implement my custom authentication, I wouldn't be able to use this functionalities.
    Has anyone solved this problem? I've tried the example itself and the same problem occurs.
    Jerson
    "Cameron Purdy" <[email protected]> wrote:
    Jerson,
    First try it redirected (raw) to see if that indeed is the problem ... then
    if it works you can "fix" it the way you want.
    Peace,
    Cameron Purdy
    Tangosol, Inc.
    http://www.tangosol.com
    +1.617.623.5782
    WebLogic Consulting Available
    "Jerson Chua" <[email protected]> wrote in message
    news:[email protected]...
    Hi...
    Thanks for your suggestion... I've actually thought of that solution. Butusing page redirection will expose the user's password. I'm thinking of
    another indirection where I will redirect it to another servlet but the
    password is encrypted.
    What do you think?
    thanks....
    Jerson
    "Cameron Purdy" <[email protected]> wrote:
    Maybe redirect to the current URL after killing the session to let the
    request clean itself up. I don't think that a lot of the request (such
    as
    remote user) will be affected by killing the session until the nextrequest
    comes in.
    Peace,
    Cameron Purdy
    Tangosol, Inc.
    http://www.tangosol.com
    +1.617.623.5782
    WebLogic Consulting Available
    "Jerson Chua" <[email protected]> wrote in message
    news:[email protected]...
    Hello guys...
    I've a solution but it doesn't work yet so I need your help. Because
    one
    of the reason for getting form base authentication failed is if an
    authenticated user tries to login again. For example, the one mentionedby
    John using the back button to go to the login page and when the user logsin
    again, this error occurs.
    So here's my solution
    Instead of submitting the page to j_security_check, submit it to a
    servlet
    which will check if the user is logged in or not. If yes, invalidates its
    session and forward it to j_security_check. But there's a problem in this
    solution, eventhough the session.invalidate() (which actually logs theuser
    out) is executed before forwarded to j_security_check, the user doesn't
    immediately logged out. How did I know this, because after calling
    session.invalidate, i tried calling request.RemoteUser() and it doesn't
    return null. So I'm still getting the error. What I want to ask you guyis
    how do I force logout before the j_security_check is called.
    here's the code I did which the login.jsp actually submits to
    import javax.servlet.*;
    import javax.servlet.http.*;
    import java.io.*;
    public class Authenticate extends HttpServlet {
    public void doPost(HttpServletRequest request, HttpServletResponseresponse)
    throws ServletException, java.io.IOException {
    if (request.getRemoteUser() != null) {
    HttpSession session = request.getSession(false);
    System.out.println(session.isNew());
    session.invalidate();
    Cookie[] cookies = request.getCookies();
    for (int i = 0; i < cookies.length; i++) {
    cookies.setMaxAge(0);
    getServletContext().getRequestDispatcher("/j_security_check").forward(reques
    t, response);
    public void doGet(HttpServletRequest request, HttpServletResponseresponse)
    throws ServletException, java.io.IOException {
    doPost(request, response);
    let's help each other to solve this problem. thanks.
    Jerson
    "Jerson Chua" <[email protected]> wrote:
    I thought that this problem will be solved on sp6 but to my
    disappointment, the problem is still there. I'm also using RDBMSRealm,same
    as John.
    Jerson
    "Cameron Purdy" <[email protected]> wrote:
    John,
    1. You are using a single WL instance (i.e. not clustered) on that
    NT
    box
    and doing so without a proxy (e.g. specifying http://localhost:7001),
    correct?
    2. BEA will pay more attention to the problem if you upgrade to SP6.If
    you don't have a reason NOT to (e.g. a particular regression), then
    you
    should upgrade. That will save you one go-around with support: "Hi,I
    am
    on SP5 and I have a problem.", "Upgrade to SP6 to see if that fixes
    it.
    Call back if that doesn't work."
    3. Make sure that you are not doing anything special before or after
    J_SECURITY_CHECK ... make sure that you have everything configuredand
    done
    by the book.
    4. Email BEA a bug report at [email protected] ... see what they say.
    Peace,
    Cameron Purdy
    Tangosol, Inc.
    http://www.tangosol.com
    +1.617.623.5782
    WebLogic Consulting Available
    "John Wang" <[email protected]> wrote in message
    news:[email protected]...
    Cameron,
    It seems to me that the problem I encountered is different a little
    from
    what you have, evrn though the error message is the same eventually.
    Everytime I go through, I always get that error.
    I am using weblogic5.1 and sp5 on NT4.0. Do you have any solutions
    to
    work
    around this problem? If it was a BUG as you
    pointed out, is there a way we can report it to the Weblogic
    technical support and let them take a look?
    Thnaks.
    -John
    "Cameron Purdy" <[email protected]> wrote:
    John,
    I will verify that I have seen this error now (after having read
    about it
    here for a few months) and it had the following characteristics:
    1) It was intermittent, and appeared to be self-curing
    2) It was not predictable, only seemed to occur at the first
    login
    attempt,
    and may have been timing related
    3) This was on Sun Solaris on a cluster of 2 Sparc 2xx's; the
    proxy
    was
    Apache (Stronghold)
    4) After researching the newsgroups, it appears that this "bug"
    may
    have gone away temporarily (?) in SP5 (although Jerson Chua
    <[email protected]> mentioned that he still got it in SP5)
    I was able to reproduce it most often by deleting the tmpwar and
    tmp_deployments directories while the cluster was not running,
    then
    restarting the cluster. The first login attempt would fail(roughly
    90%
    of
    the time?) and that server instance would then be ignored by the
    proxy
    for a
    while (60 seconds?) -- meaning that the proxy would send all
    traffic,
    regardless of the number of "clients", to the other server in thecluster.
    As far as I can tell, it is a bug in WebLogic, and probably has
    been
    there
    for quite a while.
    Peace,
    Cameron Purdy
    Tangosol, Inc.
    http://www.tangosol.com
    +1.617.623.5782
    WebLogic Consulting Available
    "John Wang" <[email protected]> wrote in message
    news:[email protected]...
    Hi Everyone,
    The following problem related to form-based authentication
    was posted one week ago and no reponse. Can someone give it
    a shot? One more thing is added here. When I try it on J2EE
    server and do the same thing, I didn't encounter this error
    message, and I am redirected to the homeage.
    Thanks.
    -John
    I am using weblogic5.1 and RDBMSRealm as the security realm. I
    am
    having
    the following problem with the form-based authentication login
    mechanism.
    Does anyone have an idea what the problem is and how to solve it?
    When I login my application and logout as normal procedure, it
    is
    OK.
    But
    if I login and use the browser's BACK button to back the login
    page
    and
    try
    to login as a new user, I got the following error message,
    "Form based authentication failed. Could not find session."
    When I check the LOG file, it gives me the following message,
    "Form based authentication failed. One of the following reasons
    could
    cause it: HTTP sessions are disabled. An old session ID was stored
    in
    the
    browser."
    Normally, if you login and want to relogin without logout first,
    it
    supposes to direct you to the existing user session. But I don'tunderstand
    why it gave me this error. I also checked my property file, it
    appears
    that
    the HTTP sessions are enabled as follows,
    weblogic.httpd.session.enable=true

  • Forcing specific clients or groups to use forms based authentication (FBA) instead of windows based authentication (WIA) with ADFS

    Hi,
    We are have a quite specific issue. The problem is most likely by design in ADFS 3.0 (running on Windows Server 2012 R2) and we are trying to find a "work-around".
    Most users in the organization is using their own personal computer and everything is fine and working as expected, single sign-on (WIA) internally to Office 365 and forms based (FBA) externally (using Citrix NetScaler as reverse proxy and load
    balancing with the correct rewrites to add client-ip, proxy header and URL-transformation).
    The problem occurs for a few (50-100) users where they are sharing the same computer, automatically logged on to the computer using a generic AD-user (same for all of them). This AD-user they are logged on with does not have any access to Office365
    and if they try to access SharePoint Online they receive an error that they can't login (from SharePoint Online, not ADFS).
    We can't change this, they need to have this generic account logged on to these computers. The issue occurs when a user that has access to SharePoint Online tries to access it when logged on with a generic account.
    They are not able to "switch" from the generic account in ADFS / SharePoint Online to their personal account.
    The only way I've found that may work is removing IE as a WIA-capable agent and deploy a User-Agent version string specific to most users but not the generic account.
    My question to you: Is there another way? Maybe when ADFS sees the generic user, it forces forms based authentication or something like that?
    Best regards,
    Simon

    I'd go with your original workaround using the user-agent and publishing a GPO for your normal users that elects to use a user-agent string associated with Integrated Windows Auth.. for the generic accounts, I'd look at using a loopback policy that overwrites
    that user agent setting, so that forms logon is preferred for that subset of users. I don't think the Netscaler here is useful in this capacity as it's a front-end proxy and you need to evaluate the AuthZ rules on the AD FS server after the request has been
    proxied. The error pages in Windows Server 2012 R2 are canned as the previous poster mentioned and difficult to customize (Javascript only)...
    http://blog.auth360.net

Maybe you are looking for

  • Time to upgrade my beloved TiBook..

    Well I never thought I would see the day, but it now looks like I'm heading to upgrade my TiBook 550 after 6yrs.of being a devoted workhorse in my personal & business endevours. A few weeks ago it took a spill from my hands onto a carpeted floor. It

  • Activating "Check user privileges​" causes TestStand to not start properly.

    Recently we checked the box "Check User Privileges" under Station Options->User Manager. Now when we try to start the Teststand Sequence editor it opens but with all functionality grayed out so that no action whatsoever can be taken. If we make an at

  • Horizontal Scroll Bar Issue

    I wanted to apply a horizontal scroll policy as on. I have done that. It looks like this (it has no scroll bar):- I do not know what is the exact problem..Can anyone help me out?

  • Wiki for Widgets

    How many are aware of the Wiki space for the widgets here? <a href="https://wiki.sdn.sap.com/wiki/display/EmTech/Widgets">Widgets</a> Or the page about "<a href="https://wiki.sdn.sap.com/wiki/display/EmTech/Widgetsinthe+Wild">Widgets in the Wild</a>"

  • Horizontal Axis not showing when initial loading

    Hi, We are on Dashboard 4.1 SP3. I have drilling down configured on the Dashboard report. The issue is when initial loading the dashboard. the horizontal text are not showing completly, untill I click the other column of the parent column, it shows t