Auto-login using cookies
I have been prototyping and researching Weblogic authentication for several weeks
now. With a form-based login servlet, how would one implement auto-login? Basically,
the web site is supposed to set a persistent cookie which contains the users login
information (encrypted). When the user comes back, they should be logged in automatically.
This seems like a pretty common concept, but totally unsupported by J2EE. I have
looked into using filters, but ran into several problems. First, filters don't
get executed on a protected resource unless the user is authenticated. I don't
want to use Weblogic's AuthFilter since it's deprecated. Secondly, I tried modifying
my login servlet to forward to j_security_check. That doesn't work because Weblogic
won't let you. There is a workaround for that, but j_security_check ignores whatever
wrapper you put around HttpServletRequest. This makes it impossible to "login"
for the user. Third, I tried using ServletAuthentication.weak() to manually authenticate
the user, but how do I redirect the user back to the intended URL? I figured
out where Weblogic stores the URL in the HttpSession, but that's not officially
documented.
I noticed some references in Weblogic's Portal product that it supports auto-login.
However, I haven't figured out how to do it myself in a Weblogic server.
I am using Weblogic 7 sp2. Thanks in advance.
Chun,
what you need to do is to implement is a Perimeter Authentication. I did that
successfully with SP2. You have to use SP2, because in SP1 there qas no way to
supress that all cookies are BASE64 decrypted.
What helped me a lot is to study SampleSecurityProvidersUnmanaged.zip that you
can download from
dev2dev/code
Enjoy!
Cheers.
Frank
"Chun Hsu" <[email protected]> wrote:
>
I have been prototyping and researching Weblogic authentication for several
weeks
now. With a form-based login servlet, how would one implement auto-login?
Basically,
the web site is supposed to set a persistent cookie which contains the
users login
information (encrypted). When the user comes back, they should be logged
in automatically.
This seems like a pretty common concept, but totally unsupported by J2EE.
I have
looked into using filters, but ran into several problems. First, filters
don't
get executed on a protected resource unless the user is authenticated.
I don't
want to use Weblogic's AuthFilter since it's deprecated. Secondly, I
tried modifying
my login servlet to forward to j_security_check. That doesn't work because
Weblogic
won't let you. There is a workaround for that, but j_security_check
ignores whatever
wrapper you put around HttpServletRequest. This makes it impossible
to "login"
for the user. Third, I tried using ServletAuthentication.weak() to manually
authenticate
the user, but how do I redirect the user back to the intended URL? I
figured
out where Weblogic stores the URL in the HttpSession, but that's not
officially
documented.
I noticed some references in Weblogic's Portal product that it supports
auto-login.
However, I haven't figured out how to do it myself in a Weblogic server.
I am using Weblogic 7 sp2. Thanks in advance.
Similar Messages
-
Remember Login using cookies and javascript
Hello all,
This is an urgent request. Pls reply asap.
I have two jsps one in English and other in french. I need to implement a functionality to remember the username in both these jsps. I have a function written in javascript to check if the "remember me" checkbox is enabled and then remember the user name. But it is not working as expected. It remembers in one jsp and if i go to french jsp all the info is lost.
Can you pls help me? Sample code would help.
I guess the cookie works only for the jsps under certain folder path say en/jsp/.. and fr/jsp/..<html>
<head>
<meta http-equiv="Content-Type" content="text/html; charset=iso-8859-1">
<title>Login Form</title>
</head>
<body>
<form name="login" method="post" action="Home.jsp">
Email : <input type="text" name="email" /><br />
Password : <input type="password" name="password"/><br />
<input type="checkbox" name="rememberChk" value="on" />Remember Me <br/>
<input type="hidden" name="remember" value="0"/>
<input type="button" value="Sumbit" onClick="submitForm()"/>
</form>
</body>
<script>
<%
String email="";
String password="";
Cookie cookies [] = request.getCookies ();//Get All Cookies from Client Device
if (cookies != null){//Check cookies are available
for (int i = 0; i < cookies.length; i++){
if (cookies .getName().equals("password")){
password=cookies[i].getValue();//Password which is saved on cookie
break;
for (int i = 0; i < cookies.length; i++){
if (cookies [i].getName().equals ("email")){
email=cookies[i].getValue();//Email which is saved on cookie
break;
}%>
function submitForm()//Submit function with checkbox determined value
if(document.login.rememberChk.checked)
document.login.remember.value = 1;
else
document.login.remember.value = 0;
document.login.submit();
document.login.email.value="<%=email%>";
document.login.password.value="<%=password%>";
</script>
</html>
login.jsp
<%@ page contentType="text/html; charset=iso-8859-1" language="java"%>
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml">
<head>
<meta http-equiv="Content-Type" content="text/html; charset=iso-8859-1" />
<title>Home Page</title>
</head>
<body>
<a href="logout.jsp">Logout</a><br />
<%
String email;
String password;
String remember;
email = request.getParameter("email".toString());
password = request.getParameter("password".toString());
remember = request.getParameter("remember");
*if Remember Checkbox is Checked
*then Save Email and passwod into Cookie
*and Add Cookies into response/Client Device
if(remember.equals("1")){
Cookie pass = new Cookie("password",password);
Cookie emailAdd = new Cookie("email",email);
//Setting maximum Expiry Date Of Cookies
pass.setMaxAge(365);
emailAdd.setMaxAge(365);
//Make Persistent Cookie onto Client Device
response.addCookie(pass);
response.addCookie(emailAdd);
%>
<h4>Welcome - <%=email%> </h4>
Your password is : <%=password%> <br />
</body>
</html>
Home.jsp
<%@ page contentType="text/html; charset=iso-8859-1" language="java" import="java.sql.*" errorPage="" %>
<html>
<%
Cookie cookies [] = request.getCookies ();//Get All Cookies from Client Device
if (cookies != null){//Check cookies are available
for (int i = 0; i < cookies.length; i++){
if (cookies .getName().equals("password")){
Cookie cookie = cookies[i];
cookie.setMaxAge(0);
response.addCookie(cookie);
break;
for (int i = 0; i < cookies.length; i++){
if (cookies [i].getName().equals ("email")){
Cookie cookie = cookies[i];
cookie.setMaxAge(0);
response.addCookie(cookie);
break;
response.sendRedirect("login.jsp");
%>
</html>
logout.jsp -
Auto Login using Trancation Launcher in ICWC
I want to launch SAP R/3 Create Service Order (IW31) with ITS from the ICWC. I have configured the Transaction Launcher, and can invoke the ITS. But the problem is the user always has to enter the R/3 login ID and password. Is there a way to keep the login ID and password in some parameter? We don't use Enterprise Portal or Single Signon facility.
Thanks for your guidance.
Budi S. RustandiYou have to setup a trusted - trusting relation between
CRM - R/3 .
follow this link..
http://help.sap.com/saphelp_erp2005/helpdata/en/22/042671488911d189490000e829fbbd/frameset.htm -
Other than my misspelling, the sentence sums it up pretty well. Some other details are that the website isn't in the save passwords. I've seen this with IE8 as well, thus wondering if it's just a setting that's being missed. Already tried clearing the cookies.
Try one of these extensions for multiple cookie sessions.
Multifox: <br />
http://br.mozdev.org/multifox/ <br />
Cookie Swap extension: <br />
https://addons.mozilla.org/firefox/3255/ <br />
Cookie Pie extension: <br />
http://www.nektra.com/oss/firefox/extensions/cookiepie/ -
Does anyone know or can suggest a way for the IFS Portlet to auto login, using a guest account.
IFS ver. 9.0.1.1 (Win2K)
iAS ver. 1.2.2.2 (Win2K)
Thanks in advance.To login straight to iFS:
http://myserver:7777/ifs/files/ifs/webui/jsps/login.jsp?step=try&action=Login&userName=myusername&passWord=mypassword
To login to iFS and redirect to a document:
in the iFS, in root\ifs\webui\jsps make a copy of
PortletLogin.jsps, call it MyPortletLogin.jsps. Open it in JDeveloper, change the lines:
from -
String url = request.getParameter("forward");
url = url+"&"+IfsPortletRenderer.SUCCESS+"="+token;
response.sendRedirect(url);
to -
String url = WebUIUtils.getUTF8Parameter(request, "Forward");
response.sendRedirect(url);
Then call it from a browser:
http://myserver:7777/ifs/files/ifs/webui/jsps/MyPortletLogin.jsp?step=try&action=Login&userName=myusername&passWord=mypassword&Forward=MyPathToTheDocumentToLaunch -
How to auto login to facebook using "chrome.exe or default browser" .
how to auto login to facebook using "chrome.exe or default browser" .
Please see the Facebook API for information on automating Facebook. If you have a specific VB question, please create a new post which includes detail about your application and the specific problem you
are having. There is not enough information here to make this a VB question we can assist with.
Moving to off-topic.
Reed Kimble - "When you do things right, people won't be sure you've done anything at all" -
Hello!!
I´m developing a Sharepoint 2013 login form (Sharepoint 2013 application) and I need to check if a cookie generated in another Web app is present then login using information stored in this cookie (No critical info stored here). I know the cookie is generated
but I can´t read it from the sharepoint app. When I check if the cookie exists the cookie is null.
Edit
Right now, this application used to Log In is a Single Sign On app, it is used by multiple applications in the organization (Via an authentication coookie). What I need to do is that my Sharepoiint Login page calls this application which generates a cookie
(not authentication coookie) its a normal cookie whith some information that will allow me to login and generate the security token via my membership provider in my sharepoint app.
Any additional steps or something I need to do for this to work?Hi,
According to your description, my understanding is that you want to call the cookie which generated in Single Sign On app in your SharePoint login page.
If your SharePoint app and the SharePoint single sign on app are in the same domain, you can set the cookie with a
domain level asp.net authentication cookie using setAuthCookie
and some web.config changes.
Here is a code demo for your reference:
Single Sign-on in ASP.NET and Other Platforms
Thanks
Best Regards
Jerry Guo
TechNet Community Support -
I have not upgraded to Firefox 3.6 yet because I am unable to use loginking software for auto login. When will a future update not exclude me from using this software?
I contacted Login King but never got a response. So, I'm hoping that a future update from Firefox will be the answer. How far off is 3.7?
-
How to define and use cookies so that same login is used on all application
Hi
I have 3 apps in a single workspace and all of them SSO enabled
However when I go from one apps to other, it ask for login again
I have read in the forum that we can use cookies so that we use the single login on all apps within the same workspace
But I'm not sure how to define and use cookies.Please assistSee this presentation:
http://www.sumneva.com/apex/f?p=15000:395:0::NO::P395_PRESENTATION_KEY:MANY_TO_ONE -
How to configure LDAP SSL using auto login wallet?
Hello,
I need to enable authentication over LDAP SSL.
I've configured a wallet (auto login) containing required certificates and set accordingly WALLET_PATH and WALLET_PWD settings using apex_instance_admin.set_parameter method.
With this, everything is working fine and LDAP over SSL is working well. It confirms that the wallet is properly configured, valid and usable.
So, the wallet was created with auto login option and it seems to work well without specifying password when calling utl_http.
Proof of properly configured auto login wallet (without password).
TEST01@DB11G> exec show_html_from_url('https://www.verisign.com/'); -- test without wallet
BEGIN show_html_from_url('https://www.verisign.com/'); END;
ERROR at line 1:
ORA-29273: HTTP request failed
ORA-06512: at "SYS.UTL_HTTP", line 1527
ORA-29261: bad argument
ORA-06512: at "TEST01.SHOW_HTML_FROM_URL", line 25
ORA-29273: HTTP request failed
ORA-06512: at "SYS.UTL_HTTP", line 1130
ORA-29024: Certificate validation failure
ORA-06512: at line 1TEST01@DB11G> exec utl_http.set_wallet('file:/u01/app/oracle/product/11.2.0/dbhome_1/network/admin'); -- set wallet info for use without password (autologin)
PL/SQL procedure successfully completed.
TEST01@DB11G> exec show_html_from_url('https://www.verisign.com/'); -- It works!
PL/SQL procedure successfully completed.
So, when I configure WALLET_PATH without WALLET_PWD, it not seems to work as it should with my auto login wallet...
What am I missing? Is it APEX not handling auto login wallets correctly?
Apex Version: 4.2.0.00.27
OS: OEL 6.4
DB: 11.2.0.3 x64
Thanks
Bruno LavoieHello,
I need to enable authentication over LDAP SSL.
I've configured a wallet (auto login) containing required certificates and set accordingly WALLET_PATH and WALLET_PWD settings using apex_instance_admin.set_parameter method.
With this, everything is working fine and LDAP over SSL is working well. It confirms that the wallet is properly configured, valid and usable.
So, the wallet was created with auto login option and it seems to work well without specifying password when calling utl_http.
Proof of properly configured auto login wallet (without password).
TEST01@DB11G> exec show_html_from_url('https://www.verisign.com/'); -- test without wallet
BEGIN show_html_from_url('https://www.verisign.com/'); END;
ERROR at line 1:
ORA-29273: HTTP request failed
ORA-06512: at "SYS.UTL_HTTP", line 1527
ORA-29261: bad argument
ORA-06512: at "TEST01.SHOW_HTML_FROM_URL", line 25
ORA-29273: HTTP request failed
ORA-06512: at "SYS.UTL_HTTP", line 1130
ORA-29024: Certificate validation failure
ORA-06512: at line 1TEST01@DB11G> exec utl_http.set_wallet('file:/u01/app/oracle/product/11.2.0/dbhome_1/network/admin'); -- set wallet info for use without password (autologin)
PL/SQL procedure successfully completed.
TEST01@DB11G> exec show_html_from_url('https://www.verisign.com/'); -- It works!
PL/SQL procedure successfully completed.
So, when I configure WALLET_PATH without WALLET_PWD, it not seems to work as it should with my auto login wallet...
What am I missing? Is it APEX not handling auto login wallets correctly?
Apex Version: 4.2.0.00.27
OS: OEL 6.4
DB: 11.2.0.3 x64
Thanks
Bruno Lavoie -
Auto-Login into these forums here possible ? Enabling by cookie ?
I would appreciate if there is an auto-login into these forums from Oracle.
Currently every time I re-visit the forum pages I have to type in my login+passwd again.
Usually in hundreds of other forums there is an auto-login option selectable.
Could enable this forum feature?You can post enhancement suggestions in the feedback forum
Community Feedback (No Product Questions) -
Auto login in AUR with Firefox.
Is there a way to auto login into AUR with Firefox. Now when I get there, the username and password is filled in. But I would like to be logged in. I think Opera does it.
Possible?It should work, I've updated my FF last week and had no problem so far. Actually I'm using FireFox 2.0.0.8 to post this message. I have noscript extension as well.
All you need to do is enable cookies for forms.oracle.com/ and set it as whitelisted if you have any security extensions.
Tony -
Auto Login With Request Parameters
Hello
I am working on a test JSF application in NetBeans 5.5 using the visual web pack. Currently there are only two pages in the app, a login page and a main page.
I am trying to figure out how I could set up an auto login to a JSF based web app. I would like the app to be able to take username and password parameters on the URL and automatically attempt to log into the app with those values. When the URL contains these parameters and they're valid, instead of displaying the login page, it would start up with the main page displayed. If the paramters were not present or invalid, the login page would be displayed.
I've read about how to pull request parameter values into from a JSP page, but I don't think that would helpful for this case. I have instances of ApplicationBean, SessionBean and RequestBean in the project. I'm wondering if any of these would be the appropriate place to add some code to check for the parameters, attempt to login and display the correct page based on the login result.
And advice greatly appreciated.
ShelliI'll be so kind to share a basic example I've been playing with a while ago :)
public class UserFilter implements javax.servlet.Filter {
@SuppressWarnings("unused")
private FilterConfig filterConfig;
public void init(FilterConfig filterConfig) {
this.filterConfig = filterConfig;
public void doFilter(ServletRequest request, ServletResponse response, FilterChain chain)
throws IOException, ServletException
// Check PathInfo.
HttpServletRequest httpRequest = (HttpServletRequest) request;
String pathInfo = StringX.trim(httpRequest.getRequestURI(), httpRequest.getContextPath());
if (pathInfo.indexOf(PATH_INC + "/") == 0 || pathInfo.indexOf(MAIN_JSF) == 0) {
// If include files are loaded (subviews, images, css, js) or if unfriendly URL is
// requested somehow, then continue the chain and abort this filter. In case of
// unfriendly URL's, the next filter in the chain is the FriendlyUrlFilter which
// translates the URL and will redirect back to this filter.
chain.doFilter(request, response);
return;
// Get UserSession from HttpSession.
HttpSession session = httpRequest.getSession();
UserSession userSession = (UserSession) session.getAttribute(SESSION_ID);
if (userSession == null) {
// No UserSession found in HttpSession; lookup SessionId in cookie.
String sessionId = Context.getCookieValue(httpRequest, COOKIE_ID);
if (sessionId != null) {
// SessionId found in cookie; lookup UserSession by SessionId in database.
userSession = new UserSession();
userSession.setSessionId(sessionId);
LoadQuery<UserSession> loadQuery = new LoadQuery<UserSession>(userSession);
try {
Dao.execute(loadQuery);
userSession = loadQuery.getOne(); // This can be null.
// If this is null, then session is just deleted from DB or the cookie is fake.
Logger.info("Loading usersession succeed: " + userSession);
} catch (DaoException e) {
Logger.error("Loading usersession failed.", e);
if (userSession == null) { // loadQuery.getOne() can return null.
// No SessionId found in cookie, or no UserSession found in DB; create new UserSession.
sessionId = StringX.getUniqueID();
userSession = new UserSession(sessionId);
try {
Dao.execute(new SaveQuery<UserSession>(userSession));
Logger.info("Creating usersession succeed:" + userSession);
} catch (DaoException e) {
Logger.error("Creating usersession failed.", e);
// Put SessionId in cookie.
HttpServletResponse httpResponse = (HttpServletResponse) response;
Context.setCookieValue(httpResponse, COOKIE_ID, sessionId);
// Set UserSession in current HttpSession.
session.setAttribute(SESSION_ID, userSession);
// Add hit and update UserSession.
userSession.addHit();
try {
Dao.execute(new SaveQuery<UserSession>(userSession));
Logger.info("Updating usersession succeed:" + userSession);
} catch (DaoException e) {
Logger.error("Updating usersession failed.", e);
// Continue filtering.
chain.doFilter(request, response);
public void destroy() {
this.filterConfig = null;
}By the way, the 'User' DTO is wrapped in the UserSession which can be retrieved in the backing bean by:
public User getUser() {
return ((UserSession) Context.getSessionAttribute(SESSION_ID)).getUser();
}If the User is not logged in, then this is null. If the user is logged in, then put the User in the UserSession object. -
Auto login problem in Discoverer -- Urgent Help
Hi All,
I'm trying to call discoverer 4i plus from viewer.
I did auto login for discoverer 4i plus for 9i AS(2.1).It worked
fine. I did the same for 9i AS(2.2).Basically i tried to get
login inforamtion from cookies in webdisc.js file .The edited
webdisc.js like this
var user = getCookie ("Username");
If i remove this line my discoverer 4i plus works fine without
having any problem.if add the above code then i get the
following error
"Unable to connect to the Oracle Discoverer Application server.
Failed to connect to session XXXOracleDiscovererSession4 using
OSAgent."
Any help please..
Thanks in advance,
SapnaHi Jerome ,
Thanks for the reply.
I installed 9iAS(2.2) on NT. clint is on WIN2000.
Are u using cookies?
In my viewer, i've provided a link to plus. When an user hit
this link it should take the userid from viewer and auto logins
to plus. In viewer, i'm putting the userid and password in a
cookie and reads the information from cookie in webdisc.js(This
is disco plus script file for auto login)
I did the whole process in 9iAS(2.1) it works fine. Only this
version(2.2) i'm getting the error
"Unable to connect to the Oracle Discoverer Application server.
Failed to connect to session XXXOracleDiscovererSession4 using
OSAgent."
I'm interested to know how u did auto login on NT using <PARAM>
tag.
Best Regards,
Sapna -
Ok, this is probably a simple one. We are using cookies for auto-login
functionality which will be added to an already existing site. The problem
appears to be that existing users who already have the page bookmarked,
most-likely have bookmarks that contain a specific session ID. Since this
session ID does not match the session ID when the cookie was stored, it
doesn't recognize the cookie for autologin. Anyone know of an easy way to
keep it from checking the session id?What are the other cookie permissions for this domain?
Does it work if you temporarily enable third-party cookies for visited websites or all third-party cookies as a test?
*Tools > Options > Privacy > Firefox will: "Use custom settings for history"
You can inspect and manage the permissions for all domains on the <b>about:permissions</b> page or for the domain in the currently selected tab via these steps:
*Click the "Site Identity Button" (globe/padlock) on the location bar
*Click "More Information" to open Page Info
*Go to the Permissions tab
*Tools > Page Info > Permissions
*https://support.mozilla.org/kb/how-do-i-manage-website-permissions
You can delete the permissions.sqlite file to reset all permissions.
Maybe you are looking for
-
Merging two Apple IDs into one
I created a new Apple ID about a year ago when I changed my email. I didn't realize that my old music was tied to the old account. I can access it if I sign in to the old account, but it's really cumbersome to go back and forth between the two accoun
-
Files from Windows Vista do not open in Bridge CS5
I am having trouble opening my images from Window Explorer level with Bridge. I tried to open my jpgs with "open with" option and my PC does nothing. Same happens when I double click the raw images. I have my jpgs assigned to open in windows but I a
-
Transfer of line to BT but given new number SAGA c...
Following on from my previous message, I still haven't been able to get my old number transferred back to BT despite several assurances this would be done. I phoned up again last week and this time was told a request would be put in the "number trans
-
Hello everyone. I have a problem with my blackberry Z10, each time i reboot the equipament, i lost the configuration the date and time. At he end of day i will make a backup and reset the equipament, if the solution resolve my problem. Anyone know wh
-
Spry menu bar submenu disappears when cursor changes
Hello. I've been working with a spry menu bar for some time, but when I expand the submenu and then move the cursor over some text on the page (where the sub-menu is on top of), the submenu disappears. In other words, it seems that when the cursor ch