ADF Security to J2EE Container Managed Security Problems

Similar Messages

• J2EE Container Managed Security doc and inquiry about what to do if I tweak

  hello:
  If the application_roles is taken out of the database schema, would the example still work with minimal changes? There is a possibility our organization may a separate department handling username and password while our app and our separate database will handle roles. Is there something I need to be aware of or is it just a matter of looking up the role in a separate table after authentication? Based on roles, users will have different authorities. is there something built in Oracle JDev?
  Thanks

  Hi,
  you can do anything you want with custom LoginModules. If the provided database login module in OC4J is not sufficient then you can also build yur own login module (or use one of the three I built and published 2 years ago). So the answer is that it is not relevant of where the role definition comes from as long as it is associated with the user upon authentication
  Frank

• EJB 3.0 Security with ACEGI and not with Container Managed Security

  Hi,
       Currently we are using EJB 2.0 in our project, We want to use EJB 3.0
       But for security we want to use Spring ACEGI Security and we don�t want to use container managed security (No Portability, Difficult, �)
       ACEGI supports Servlet/JSP security very well (I am able to call isUserInRole(), getUserPrincipal() because ACEGI implements by ServletRequestWrapper in a filter)
       But for EJB, it lacks this feature. (There is no standard EJB interceptor API as there is with servlets (using filters), so there's no generic way of modify in the EJB context for the invocation)
       Without using container managed security, Is there any way to propogate my security context from Servlet Layer to EJB Layer, So that I can use EJB Declartive security and getCallerPrincipal(), isCallerInRole() API.
       For more info please see this thread http://forum.springframework.org/showthread.php?t=26514
       Why don�t you provide standard EJB interceptor API as there is with servlets (using filters), so there I am able add security identity to EJB context.
       I am eagerly waiting for the reply

  Reason: javax.naming.NameNotFoundException: jdbc not bound
  Although i am quite new to this as well i would say that there is a problem with your connection with the database.
  It seems it cannot connect to Mysql.
  have you download the mysql package library and imported it ?
  Also in your deploy folder in you Jboss
  have you altered the jdbc to connect to you database in your dataset ? ( i am not sure about mysql, but postgre reguired this)
  Most probably it would be the same in mysql.
  <connection-url>jdbc:postgresql://127.0.0.1:5432/Dissertation</connection-url>
  Not sure if this is what you reguire, i am new at this my self

• Session creation with container managed security

  I implemented container managed security, first question does the container creates session automatically when login is successful ?
  second is there a way to do some processing when a user is authenticated like some event gets fired and listeners are called ?

  You have to enclose input component into an <h:form></h:form>.
  Note that the various Form components available in JSF will not let you specify the target action, everything is a post-back.
  I suggest you this article: [J2EE Security - A JSF based Login Form|http://groundside.com/blog/DuncanMills.php?title=j2ee_security_a_jsf_based_login_form&more=1&c=1&tb=1&pb=1]
  [Is This User Logged In?|http://mowyourlawn.com/blog/?p=6]

• SHA-1 Encryption is not working in Container managed security

  Hi,
  I have to turn to your help after no luck with other possible resource.
  I implemented container managed security on my apps and it works well without the encrypted password(clear text) in the table column. Now I referred OC4J Security guide to implement the password encryption as follows:
  1. Using the DBTableOraDataSourceLoginModule, set the option pw_encoding_class = oracle.security.jazn.login.module.db.util.DBLoginModuleSHA1Encoder
  2. run the following procedure:
  DECLARE
      l_password VARCHAR2(50) := 'welcome';
      l_password_raw RAW(128) := utl_raw.CAST_TO_RAW(l_password);
      l_encrypted_raw RAW(2048);
      l_encrypted_string VARCHAR2(2048);
      l_encrypted_string2 VARCHAR2(2048);
  BEGIN
      dbms_output.put_line('Password in String: ' || l_password);
      dbms_output.put_line('Password in raw: ' || l_password_raw);
      l_encrypted_raw := dbms_crypto.hash(l_password_raw, dbms_crypto.HASH_SH1);
      dbms_output.put_line('SH1: ' || l_encrypted_raw);
      l_encrypted_string := UTL_ENCODE.BASE64_ENCODE(l_encrypted_raw);
      dbms_output.put_line('Base64Encoding: ' || l_encrypted_string);
  END;
  3. update the clear text password with the SHA-1 encrypted password and encoded in Base64Encoding (in my case, it's the parameter "l_encrypted_string")Now I run the application and login says "password not matching!" If anyone know what's going on, please advise me what's wrong...pls
  thanks very much,

  Hi,
  hard to say without knowing the code the OC4J team uses in their login module. I know they based it on a JAAS LoginModule I wrote some years ago, but they did change some parts of it. In the original version. the password was read from the database and then compared with the provided password string. Using encryption it uses a class to encode and decode the password queried from teh database. My guess is that the returned string - after decoding - doesn't meet the password string you provide when authenticating. Since this piece of code is owned by the OC4J team, I suggest to try the Application Server forum or the Security forum
  Frank

• Container Managed Security on Tomcat - configuring different auth-methods

  I am trying to configure the container managed security on tomcat4. Or rather I am trying to add a further dimension to the configuration that already exists.
  At the moment the entire application uses LDAP authentication and I would like to separate an area that requires further authentication. That is to say I would like everyone using the web application to authenticate using the existing Form-Based LDAP authentication but I would like only certain users to be able to use the data upload facility (whose code is stored in it's own directory).
  This is the authentication bit of my web.xml:
    <security-constraint>
      <web-resource-collection>
        <web-resource-name>qmrae</web-resource-name>
        <url-pattern>*.do</url-pattern>
        <url-pattern>*.jsp</url-pattern>
      </web-resource-collection>
      <auth-constraint>
        <role-name>*</role-name>
      </auth-constraint>
    </security-constraint>
    <login-config>
      <auth-method>FORM</auth-method>
      <realm-name>Form-Based Authentication Area</realm-name>
      <form-login-config>
        <form-login-page>/login.jsp</form-login-page>
        <form-error-page>/loginError.jsp</form-error-page>
      </form-login-config>
    </login-config>My first hurdle is in understanding exactly how the application knows where to go for its authentication.
  I had guessed that the realm-name would map "areas" of my application to realm configuration defined in my application's context area in Tomcat's web.xml but this doesnt seem to be the case. In fact I have read conflicting explanations as to what the realm-name is for. One source has said that this is only used for BASIC authentication as a way of naming the resulting pop up window - many others say it maps the login-config to the web-resource-name. However the latter doesnt make sense because the authentication works in my application at the moment even though those values are completely different (and indeed are different in most of the examples i've read on the web). Furthermore I can find any other mention of the defined realm-name in any other file (which of course be because i'm looking in the wrong place).
  I was prepared to accept that the realm-name might not actually do anything and so I've been looking for examples of defining a different auth-method for different url-patterns but i've had no luck.
  I know a user can have one or more roles but I dont have access to the LDAP server to set these up and haven't found anything about defining different auth-methods other than one thread in this forum suggesting that is wasnt possible on AIS.
  This thread suggests that you can have more than one security-constraint but again i'm not sure about the auth methods and how you map an auth method to a security-constraint
  http://forum.java.sun.com/thread.jspa?forumID=33&threadID=320918
  To summarise my questions:
  1) What are the functions of the realm-name and web-resource-name? Are they related?
  2) Is it possible to configure different areas of an application to use different authentication methods? and if so, could you point me in the direction of relevant documentation
  3) If (2) is not possible and I have to assign a new role to the privileged LDAP users, is it enough to define a new security-constraint? Could you describe the behaviour I could expect for users that have authenticated once and try to access this super-security area, will they be shown another login form or will it just let them in because the container is already aware of their permissions.
  Many thanks for your attention,
  Rachel

  If you create your own Realm classes - look at JAAS - you can sort out your last login time, just wrap them around the DataSourceRealm.
  As far as 'remind' him is concerned - I'm guessing you mean provider a reminder for the password based on the user name. If you use form based authentication you can put what ever you like on the page.

• Glassfish 3.1 Container managed security - custom authentication

  I have used custom authentication with tomcat and it works great. I am moving to glassfish 3.1 and want to set it up there now. I haven't found any specifics for glassfish 3.1. Anybody got it working in GF 3.1?
  Thanks,
  John

  To follow up ...
  I am using container managed security and form based authentication. My custom SJSAS login realm, however, never fails to authenticate users. Instead of failing authentication when a username and password match cannot be found, I add the user to an 'unknown-user' group who has no rights to the application.
  I do this because I can then catch 403 errors for users who have failed authentication (because they are not authorized to access any pages), or for users who are not in the right role to access part of the application.
  It's not the way that I would prefer to handle login 'failures', but it works.

• Container Managed Security

  Hi,
  Could you explain me what is the implication of "Container Managed Security"?
  Thanks.
  Pengyou

  Container managed security in what context?
  EJB access?
  This means that the user must be in a role which is authenticated to execute the method(s) of the bean.
  Resource access?
  The container is responsible for authentication at the resource, for example at setting up the connection to a database.
  Hope this helps

• J2EE Container Security - Duplication inevitable? (Attn: Frank)

  Frank:
  Just to be clear, so you are saying I will have duplication of roles in "application_roles" table and the web.xml. And, this is the only way I could "authenticate" using "application_users" table data and "authorize" using "application_roles" existing in a totally different database schema!
  Hmmm. Almost seems like existence of "application_roles" table is not required in the setup I described. After authentication, I have to hit the web.xml to get the roles for the authenticated users anyway? Why bother with extra work with database? Am I right?
  By the way, I am repeating my setup and your answers to refresh your memory because you get many inquiries.
  UPDATE as of 14:30 pm. I think I may be showing my ignorance here. I guess user's role is decided by table "application_roles." You then use the isUserInRole() merely to set read/write/view permissions. But, I am not quite sure yet. Hence I will leave this post for your answer. I am not quite done with my analysis before deciding to change this post.
  Thanks
  To refresh:
  My set up. I have ADFBC. I have using SRDemo with a twist. I am using your new doc "Database authentication and Auth in J2EE container managed security."- not ADF security from SRDemo's last chapter. I ignored the ADF Security part in the SRDemo. I have "application_roles" and srdemo tables in one database schema and "application_users" in a totally different schema.
  You wrote:
  web.xml is used to define authorization based on security constraints expressed in URL patterns. However, for each of the user roles - e.g. PRESIDENT - you need to create a role in web.xml with the same name. When you then call isUserInRole() from the JSF application then it checks web.xml for the security role and then attempts to verify that the user has this role granted. It is not obvious why web.xml needs to have the role defined. There exists a reason that however would add more to your confusion than to your success ;-)
  Youcan use the same approach SRDemo uses in that you provide a managed bean with boolean methods like isPresident(), isManager() etc. The methods perform "isUserInRole()"
  Then you use EL to access these methods to hide/show components

  Hi
  Just to be clear, so you are saying I will have duplication of roles in "application_roles" table and the web.xml. And, this is the only way I could "authenticate" using "application_users" table data and "authorize" using "application_roles" existing in a totally different database schema!
  The table is the security provider wheras web.xml defines the security roles that you can work with in your program code. The J2EE servlet spec defines a separation of application roles and groups or roles in the security provider. There is an additional step between roles in web.xml and the security provider, which is that you could map the role name in web.xml to a security role name. I never tested this with custom LoginModules and for this reason the two role names match.
  The goal of container managed security is that the developer can build the secure web application without having to know about the security roles defined on the security provider.
  Note that anything that you call in application code within container managed security - and this is not specific to Oracle - is checked against the web.xml file which is mapped to the security provider. If e.g. you use JBoss then you could configure a database module to handle the authentication and authorization. But still the security role needs to be provided in web.xml
  Frank

• IFS in J2EE container

  Is iFS certified for runniong inside 9i appserver (J2EE container) ?
  thx in advance
  null

  Hi,
  J2EE container managed security uses role names to perform authorization. The security role is defined in the web.xml file and can be used in web applications through the isUserInRole("RoleName") method exposed on the Http Request object.
  In JSF this method is exposed through
  FacesContext.currentInstance().getExternalContext().isUserInRole("RoleName")
  As shown in SRDemo, to declaratively use J2EE security roles in JSF, create a managed bean e.g. authzbean and create boolean methods for each of teh roles
  public boolean isUserManager(){
    return FacesContext.currentInstance().getExternalContext().isUserInRole("Manager")
  }This method can then be accessed from EL to e.g. set the displayed property. Note that container managed authorization is different from ADF Security authorization but can be used in combination if the JAZN Realm login module is used
  Frank

• Executing SQL statements in container managed transactions

  I have a problem when using TopLink 9.0.3 with WebSphere 4, Oracle 9i and J2EE container managed transactions.
  The data changing SQL statements are executed at the end of the (container managed) transaction, not at the time of the calls to UnitOfWork.registerNewObjekt(),
  UnitOfWork.validate...() or UnitOfWork.commit...().
  UnitOfWork(2035008996)--validate object space.
  UnitOfWork(2035008996)--validate cache.
  UnitOfWork(2035008996)--JTS#beforeCompletion()
  UnitOfWork(2035008996)--Connection(398132708)--INSERT INTO SVM_PERSONEN (FAX, NAME, ID, [...]) VALUES ([...])
  UnitOfWork(2035008996)--JTS#afterCompletion(org.omg.CosTransactions.Status._StatusRolledBack=4)
  UnitOfWork(2035008996)--release unit of work
  But the end of the transaction is out of the application server code. The transaction ends after the invoke of the applixcation server method, as the stack trace of an occurring exception shows:
  remote exception
  javax.transaction.TransactionRolledbackException: CORBA TRANSACTION_ROLLEDBACK 0 No; nested exception is:
       org.omg.CORBA.TRANSACTION_ROLLEDBACK:
  org.omg.CORBA.TRANSACTION_ROLLEDBACK: com.ibm.websphere.csi.CSITransactionRolledbackException:
       at com.ibm.ejs.csi.TranStrategy.commit(TranStrategy.java:194)
       at com.ibm.ejs.csi.TranStrategy.postInvoke(TranStrategy.java:67)
       at com.ibm.ejs.csi.TransactionControlImpl.postInvoke(TransactionControlImpl.java:414)
       at com.ibm.ejs.container.EJSContainer.postInvoke(EJSContainer.java:1818)
       at de.gedas.svm.server.app.ejb.EJSRemoteStatelessNavigationEJB.findPersonenZulieferer(EJSRemoteStatelessNavigationEJB.java:964)
       at de.gedas.svm.server.app.ejb._EJSRemoteStatelessNavigationEJB_Tie._invoke(_EJSRemoteStatelessNavigationEJB_Tie.java:589)
       at com.ibm.CORBA.iiop.ExtendedServerDelegate.dispatch(ExtendedServerDelegate.java:506)
       at com.ibm.CORBA.iiop.ORB.process(ORB.java:2376)
       at com.ibm.CORBA.iiop.OrbWorker.run(OrbWorker.java:186)
       at com.ibm.ejs.oa.pool.ThreadPool$PooledWorker.run(ThreadPool.java:104)
       at com.ibm.ws.util.CachedThread.run(ThreadPool.java:137)
  So the application server code has no possiblity for special reaction to this error condition.
  How can I use TopLink to execute my SQL statement immidately, not at the the end of the transaction (which is out of the area of my code)? Only the transaction should end at the usual time, managed by the container.

  I don't think there is anyway to currently do this in a JTS managed environment, to handle the exceptions you could,
  - Make use of TopLink session ExceptionHandlers to handle the database errors during the JTS commit.
  i.e.
  uow.setExceptionHandler(yourExceptionHandler);
  or,
  - Let TopLink control the transactions instead of JTS.

• Using container managed form-based security in JSF

  h1. Using container managed, form-based security in a JSF web app.
  A Practical Solution
  h2. {color:#993300}*But first, some background on the problem*{color}
  The Form components available in JSF will not let you specify the target action, everything is a post-back. When using container security, however, you have to specifically submit to the magic action j_security_check to trigger authentication. This means that the only way to do this in a JSF page is to use an HTML form tag enclosed in verbatim tags. This has the side effect that the post is not handled by JSF at all meaning you can't take advantage of normal JSF functionality such as validators, plus you have a horrible chimera of a page containing both markup and components. This screws up things like skinning. ([credit to Duncan Mills in this 2 years old article|http://groundside.com/blog/DuncanMills.php?title=j2ee_security_a_jsf_based_login_form&more=1&c=1&tb=1&pb=1]).
  In this solution, I will use a pure JSF page as the login page that the end user interacts with. This page will simply gather the input for the username and password and pass that on to a plain old jsp proxy to do the actual submit. This will avoid the whole problem of having to use verbatim tags or a mixture of JSF and JSP in the user view.
  h2. {color:#993300}*Step 1: Configure the Security Realm in the Web App Container*{color}
  What is a container? A container is basically a security framework that is implemented directly by whatever app server you are running, in my case Glassfish v2ur2 that comes with Netbeans 6.1. Your container can have multiple security realms. Each realm manages a definition of the security "*principles*" that are defined to interact with your application. A security principle is basically just a user of the system that is defined by three fields:
  - Username
  - Group
  - Password
  The security realm can be set up to authenticate using a simple file, or through JDBC, or LDAP, and more. In my case, I am using a "file" based realm. The users are statically defined directly through the app server interface. Here's how to do it (on Glassfish):
  1. Start up your app server and log into the admin interface (http://localhost:4848)
  2. Drill down into Configuration > Security > Realms.
  3. Here you will see the default realms defined on the server. Drill down into the file realm.
  4. There is no need to change any of the default settings. Click the Manage Users button.
  5. Create a new user by entering username/password.
  Note: If you enter a group name then you will be able to define permissions based on group in your app, which is much more usefull in a real app.
  I entered a group named "Users" since my app will only have one set of permissions and all users should be authenticated and treated the same.
  That way I will be able to set permissions to resources for the "Users" group that will apply to all users that have this group assigned.
  TIP: After you get everything working, you can hook it all up to JDBC instead of "file" so that you can manage your users in a database.
  h2. {color:#993300}*Step 2: Create the project*{color}
  Since I'm a newbie to JSF, I am using Netbeans 6.1 so that I can play around with all of the fancy Visual Web JavaServer Faces components and the visual designer.
  1. Start by creating a new Visual Web JSF project.
  2. Next, create a new subfolder under your web root called "secure". This is the folder that we will define a Security Constraint for in a later step, so that any user trying to access any page in this folder will be redirected to a login page to sign in, if they haven't already.
  h2. {color:#993300}*Step 3: Create the JSF and JSP files*{color}
  In my very simple project I have 3 pages set up. Create the following files using the default templates in Netbeans 6.1:
  1. login.jsp (A Visual Web JSF file)
  2. loginproxy.jspx (A plain JSPX file)
  3. secure/securepage.jsp (A Visual Web JSF file... Note that it is in the sub-folder named secure)
  Code follows for each of the files:
  h3. {color:#ff6600}*First we need to add a navigation rule to faces-config.xml:*{color}
      <navigation-rule>
  <from-view-id>/login.jsp</from-view-id>
          <navigation-case>
  <from-outcome>loginproxy</from-outcome>
  <to-view-id>/loginproxy.jspx</to-view-id>
          </navigation-case>
      </navigation-rule>
  NOTE: This navigation rule simply forwards the request to loginproxy.jspx whenever the user clicks the submit button. The button1_action() method below returns the "loginproxy" case to make this happen.
  h3. {color:#ff6600}*login.jsp -- A very simple Visual Web JSF file with two input fields and a button:*{color}
  <?xml version="1.0" encoding="UTF-8"?>
  <jsp:root version="2.1"
  xmlns:f="http://java.sun.com/jsf/core"
  xmlns:h="http://java.sun.com/jsf/html"
  xmlns:jsp="http://java.sun.com/JSP/Page"
  xmlns:webuijsf="http://www.sun.com/webui/webuijsf">
      <jsp:directive.page
  contentType="text/html;charset=UTF-8"
  pageEncoding="UTF-8"/>
      <f:view>
          <webuijsf:page
  id="page1">
  <webuijsf:html id="html1">
  <webuijsf:head id="head1">
  <webuijsf:link id="link1"
  url="/resources/stylesheet.css"/>
  </webuijsf:head>
  <webuijsf:body id="body1" style="-rave-layout: grid">
  <webuijsf:form id="form1">
  <webuijsf:textField binding="#{login.username}"
  id="username" style="position: absolute; left: 216px; top:
  96px"/>
  <webuijsf:passwordField binding="#{login.password}" id="password"
  style="left: 216px; top: 144px; position: absolute"/>
  <webuijsf:button actionExpression="#{login.button1_action}"
  id="button1" style="position: absolute; left: 216px; top:
  216px" text="GO"/>
  </webuijsf:form>
  </webuijsf:body>
  </webuijsf:html>
          </webuijsf:page>
      </f:view>
  </jsp:root>h3. *login.java -- implent the
  button1_action() method in the login.java backing bean*
      public String button1_action() {
          setValue("#{requestScope.username}",
  (String)username.getValue());
  setValue("#{requestScope.password}", (String)password.getValue());
          return "loginproxy";
      }h3. {color:#ff6600}*loginproxy.jspx -- a login proxy that the user never sees. The onload="document.forms[0].submit()" automatically submits the form as soon as it is rendered in the browser.*{color}
  {code}
  <?xml version="1.0" encoding="UTF-8"?>
  <jsp:root xmlns:jsp="http://java.sun.com/JSP/Page"
  version="2.0">
  <jsp:output omit-xml-declaration="true" doctype-root-element="HTML"
  doctype-system="http://www.w3.org/TR/html4/loose.dtd"
  doctype-public="-W3CDTD HTML 4.01 Transitional//EN"/>
  <jsp:directive.page contentType="text/html"
  pageEncoding="UTF-8"/>
  <html>
  <head> <meta
  http-equiv="Content-Type" content="text/html;
  charset=UTF-8"/>
  <title>Logging in...</title>
  </head>
  <body
  onload="document.forms[0].submit()">
  <form
  action="j_security_check" method="POST">
  <input type="hidden" name="j_username"
  value="${requestScope.username}" />
  <input type="hidden" name="j_password"
  value="${requestScope.password}" />
  </form>
  </body>
  </html>
  </jsp:root>
  {code}
  h3. {color:#ff6600}*secure/securepage.jsp -- A simple JSF{color}
  target page, placed in the secure folder to test access*
  {code}
  <?xml version="1.0" encoding="UTF-8"?>
  <jsp:root version="2.1"
  xmlns:f="http://java.sun.com/jsf/core"
  xmlns:h="http://java.sun.com/jsf/html"
  xmlns:jsp="http://java.sun.com/JSP/Page" xmlns:webuijsf="http://www.sun.com/webui/webuijsf">
  <jsp:directive.page
  contentType="text/html;charset=UTF-8"
  pageEncoding="UTF-8"/>
  <f:view>
  <webuijsf:page
  id="page1">
  <webuijsf:html id="html1">
  <webuijsf:head id="head1">
  <webuijsf:link id="link1"
  url="/resources/stylesheet.css"/>
  </webuijsf:head>
  <webuijsf:body id="body1" style="-rave-layout: grid">
  <webuijsf:form id="form1">
  <webuijsf:staticText id="staticText1" style="position:
  absolute; left: 168px; top: 144px" text="A Secure Page"/>
  </webuijsf:form>
  </webuijsf:body>
  </webuijsf:html>
  </webuijsf:page>
  </f:view>
  </jsp:root>
  {code}
  h2. {color:#993300}*_Step 4: Configure Declarative Security_*{color}
  This type of security is called +declarative+ because it is not configured programatically. It is configured by declaring all of the relevant parameters in the configuration files: *web.xml* and *sun-web.xml*. Once you have it configured, the container (application server and java framework) already have the implementation to make everything work for you.
  *web.xml will be used to define:*
  - Type of security - We will be using "form based". The loginpage.jsp we created will be set as both the login and error page.
  - Security Roles - The security role defined here will be mapped (in sun-web.xml) to users or groups.
  - Security Constraints - A security constraint defines the resource(s) that is being secured, and which Roles are able to authenticate to them.
  *sun-web.xml will be used to define:*
  - This is where you map a Role to the Users or Groups that are allowed to use it.
  +I know this is confusing the first time, but basically it works like this:+
  *Security Constraint for a URL* -> mapped to -> *Role* -> mapped to -> *Users & Groups*
  h3. {color:#ff6600}*web.xml -- here's the relevant section:*{color}
  {code}
  <security-constraint>
  <display-name>SecurityConstraint</display-name>
  <web-resource-collection>
  <web-resource-name>SecurePages</web-resource-name>
  <description/>
  <url-pattern>/faces/secure/*</url-pattern>
  <http-method>GET</http-method>
  <http-method>POST</http-method>
  <http-method>HEAD</http-method>
  <http-method>PUT</http-method>
  <http-method>OPTIONS</http-method>
  <http-method>TRACE</http-method>
  <http-method>DELETE</http-method>
  </web-resource-collection>
  <auth-constraint>
  <description/>
  <role-name>User</role-name>
  </auth-constraint>
  </security-constraint>
  <login-config>
  <auth-method>FORM</auth-method>
  <realm-name/>
  <form-login-config>
  <form-login-page>/faces/login.jsp</form-login-page>
  <form-error-page>/faces/login.jsp</form-error-page>
  </form-login-config>
  </login-config>
  <security-role>
  <description/>
  <role-name>User</role-name>
  </security-role>
  {code}
  h3. {color:#ff6600}*sun-web.xml -- here's the relevant section:*{color}
  {code}
  <security-role-mapping>
  <role-name>User</role-name>
  <group-name>Users</group-name>
  </security-role-mapping>
  {code}
  h3. {color:#ff6600}*Almost done!!!*{color}
  h2. {color:#993300}*_Step 5: A couple of minor "Gotcha's"_ *{color}
  h3. {color:#ff6600}*_Gotcha #1_*{color}
  You need to configure the "welcome page" in web.xml to point to faces/secure/securepage.jsp ... Note that there is *_no_* leading / ... If you put a / in there it will barf all over itself .
  h3. {color:#ff6600}*_Gotcha #2_*{color}
  Note that we set the <form-login-page> in web.xml to /faces/login.jsp ... Note the leading / ... This time, you NEED the leading slash, or the server will gag.
  *DONE!!!*
  h2. {color:#993300}*_Here's how it works:_*{color}
  1. The user requests the a page from your context (http://localhost/MyLogin/)
  2. The servlet forwards the request to the welcome page: faces/secure/securepage.jsp
  3. faces/secure/securepage.jsp has a security constraint defined, so the servlet checks to see if the user is authenticated for the session.
  4. Of course the user is not authenticated since this is the first request, so the servlet forwards the request to the login page we configured in web.xml (/faces/login.jsp).
  5. The user enters username and password and clicks a button to submit.
  6. The button's action method stores away the username and password in the request scope.
  7. The button returns "loginproxy" navigation case which tells the navigation handler to forward the request to loginproxy.jspx
  8. loginproxy.jspx renders a blank page to the user which has hidden username and password fields.
  9. The hidden username and password fields grab the username and password variables from the request scope.
  10. The loginproxy page is automatically submitted with the magic action "j_security_check"
  11. j_security_check notifies the container that authentication needs to be intercepted and handled.
  12. The container authenticates the user credentials.
  13. If the credentials fail, the container forwards the request to the login.jsp page.
  14. If the credentials pass, the container forwards the request to *+the last protected resource that was attempted.+*
  +Note the last point! I don't know how, but no matter how many times you fail authentication, the container remembers the last page that triggered authentication and once you finally succeed the container forwards your request there!!!!+
  +The user is now at the secure welcome page.+
  If you have read this far, I thank you for your time, and I seriously question your ability to ration your time pragmatically.
  Kerry Randolph

  If you want login security on your web app, this is one way to do it. (the easiest way i have seen).
  This method allows you to create a custom login form and error page using JSF.
  The container handles the actual authentication and protection of the resources based on what you declare in web.xml and sun-web.xml.
  This example uses a statically defined user/password, stored in a file, but you can also configure JDBC realm in Glassfish, so that that users can register for access and your program can store the username/passwrod in a database.
  I'm new to programming, so none of this may be a good practice, or may not be secure at all.
  I really don't know what I'm doing, but I'm learning, and this has been the easiest way that I have found to add authentication to a web app, without having to write the login modules yourself.
  Another benefit, and I think this is key ***You don't have to include any extra code in the pages that you want to protect*** The container manages this for you, based on the constraints you declare in web.xml.
  So basically you set it up to protect certain folders, then when any user tries to access pages in that folder, they are required to authenticate.
  --Kerry                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                   

• Netinfo Manager - Security Menue problem

  Hi,
  when I try to open the security menu in Netinfo Manager I only get the 'spinning wheel' and nothing else happens.
  The rest of the application works just fine.
  Who knows what to do with that?
  Thanks
  Albert

  Update:
  I just found out that the program is not stuck - it just takes about a minute(!) for the application to expand the security menu. I would consider this as NOT normal - maybe someone has an idea how to resolve this.
  All the other menues work just fine.
  Thanks again!

• Adding an External Application that uses J2EE Form Based Security

  I'm trying to add an External application that uses the J2EE Form based security. i.e. uses j_username, j_password and posts to j_security_check.
  I don't really see how Oracle SSO will support this. The container needs to take control of a clients request and determines when the "Login" page is presented to establish credentials. Posting directly to j_security_check isn't working for me.
  I'm using Sybase EAServer 4.12 as the external application.
  Is this supported in Oracle SSO?
  Do I need to provide a different mechanism for logging user's in?
  Also, can someone explain what the benefit would be if I configured the EAServer app as a "Partner" app? I would still have to provide an interface for login. The input would be different but the end result would be the same I guess. What advantages does a Partner app have?
  Lastly, is there an NNTP server for these forums?
  Thanks.
  Darrell

  The cure for the symtops described below was to simply add a welcome-file-list
  element with appropriate welcome pages to the web.xml descriptor. It makes sense
  now that I have worked it out.
  Todd
  "Todd Gould" <[email protected]> wrote:
  >
  I have an application comprised of several JSPs that are protected via
  Form based
  security and enforce an SSL connection via the appropriate declarations
  in the
  web.xml. This aspect of the application seems to be working with the
  exception
  of one small quirk.
  If a user presses that back button until such time as the receive the
  container
  provided login page once again, and subsequently provide a valid user
  id and password,
  they are NOT successfully logged in. Rather, they receive the ugly 403
  Forbidden
  error that states that the server understood the request, but is refusing
  to fufill
  it. This only seems to happen given the above course of events involving
  the
  use of a back button in the browser (or selection of an item from the
  history
  list). I suspect that this has something to do with the session id being
  cached
  or something, but I'm not sure? Can anyone offer any assistance on this
  one?
  Also, does anyone know of a way of preventing the user from bookmarking
  this container
  provided login page as this also seems to be causing problems for users.
  If they
  bookmark the first protected page of the application all is fine, but
  if they
  bookmark the login page they receive the 403 error.
  Thanks in advance!

• The OMS is not set up for Enterprise Manager Security

  Hi, I'm trying to add an agent to grid control and its not connecting with the management server because i cant secure it...
  bash-2.05$ ../../bin/emctl secure agent <password>
  Oracle Enterprise Manager 10g Release 3 Grid Control 10.2.0.3.0.
  Copyright (c) 1996, 2007 Oracle Corporation. All rights reserved.
  Agent is already stopped... Done.
  Securing agent... Started.
  Requesting an HTTPS Upload URL from the OMS... Failed.
  The OMS is not set up for Enterprise Manager Security.
  i have tried this on two seperate servers, both do the exact same thing. However, on my repository server where the OMS is housed, i can secure the agent no problem. Does anyone know what the problem could be? My OMS is on a Linux (SuSE 10.2) 32-bit machine.
  heres the emdctl.trc on the agent machine:
  2007-07-11 11:00:20 Thread-1 ERROR main: nmectla_agentctl: Error connecting to http://cbldb3:3872/emd/main/. Returning status code 1
  2007-07-11 11:00:21 Thread-1 WARN http: snmehl_connect: connect failed to (cbldb3:3872): Connection refused (error = 239)
  2007-07-11 11:00:21 Thread-1 ERROR main: nmectla_agentctl: Error connecting to http://cbldb3:3872/emd/main/. Returning status code 1
  2007-07-11 11:00:21 Thread-1 WARN http: snmehl_connect: connect failed to (cbldb3:3872): Connection refused (error = 239)
  2007-07-11 11:00:21 Thread-1 ERROR main: nmectla_agentctl: Error connecting to http://cbldb3:3872/emd/main/. Returning status code 1
  2007-07-11 11:00:22 Thread-1 WARN http: snmehl_connect: connect failed to (cbldb3:3872): Connection refused (error = 239)
  2007-07-11 11:00:22 Thread-1 ERROR main: nmectla_agentctl: Error connecting to http://cbldb3:3872/emd/main/. Returning status code 1
  2007-07-11 11:05:10 Thread-1 WARN http: snmehl_connect: connect failed to (cbldb3:3872): Connection refused (error = 239)
  2007-07-11 11:05:10 Thread-1 ERROR main: nmectla_agentctl: Error connecting to http://cbldb3:3872/emd/main/. Returning status code 1
  2007-07-11 11:10:08 Thread-1 WARN http: snmehl_connect: connect failed to (cbldb3:3872): Connection refused (error = 239)
  2007-07-11 11:10:08 Thread-1 ERROR main: nmectla_agentctl: Error connecting to http://cbldb3:3872/emd/main/. Returning status code 1
  bash-2.05$ lsof | grep 3872
  bash-2.05$
  seems to be failing the connect but nothing is running on the port so i'm not sure why
  Thanks in advance
  Message was edited by:
  user581869

  some further information and hopefully someone can help me...
  I went to the OMS binary folder (fmc45712:$OMS_HOME/bin) and executed the following commands...
  $OMS_HOME/opmn/bin/opmnctl stopall
  $OMS_HOME/bin/emctl stop oms
  $OMS_HOME/bin/emctl secure oms
  $OMS_HOME/bin/emctl start oms
  $OMS_HOME/opmn/bin/opmnctl startall
  then i go to $AGENT_HOME on the OMS machine (fmc45712:$AGENT_HOME/bin) and execute..
  $AGENT_HOME/bin/emctl status agent -secure
  Oracle Enterprise Manager 10g Release 3 Grid Control 10.2.0.3.0.
  Copyright (c) 1996, 2007 Oracle Corporation. All rights reserved.
  Checking the security status of the Agent at location set in /opt/oracle/OracleHomes/agent10g/sysman/config/emd.properties... Done.
  Agent is secure at HTTPS Port 3872.
  Checking the security status of the OMS at http://fmc45712:4889/em/upload/... Done.
  OMS is secure on HTTPS Port 1159
  I then to go the server i deployed the agent on that i want to get communicating wtih my OMS...
  $AGENT_HOME/bin/emctl status agent -secure
  Oracle Enterprise Manager 10g Release 3 Grid Control 10.2.0.3.0.
  Copyright (c) 1996, 2007 Oracle Corporation. All rights reserved.
  Checking the security status of the Agent at location set in /u101/em/agent10g/sysman/config/emd.properties... Done.
  Agent is unsecure at HTTP Port 3872.
  Checking the security status of the OMS at http://fmc45712:4889/em/upload/... Done.
  OMS is running but has not been secured. No HTTPS Port available.
  same command, different computer, but on the same network, and it just doesn't work. The OMS is on Linux x86 and the agent on the alternate computer is on HP-UX. If anyone has any help it'd be much appreciated.