Behavior in form-based authentication

Similar Messages

• J_security_check in form-based authentication - not checking for blank passwords

  I am using the LDAP Security Realm to authenticate against an iPlanet
  Directory Server. All works as expected when a user-id and password
  are entered for form-based authentication.
  However, when a userid is entered but no password, j_security_check
  logs the user in successfully. Aparently, this is correct LDAP
  behaviour as anonymous login to the LDAP server is permitted. It seems
  that the j_security_check servlet should check for blank passwords
  before trying to authenticate against the LDAP server and fail
  authentication if this is the case.
  Has anyone else experienced this problem?

  Hi Brian,
  I do not believe it is j_security_check's job to check for blank
  passwords.
  In many security realms, it is "legal" for a user to have a blank
  password. j_security_check forwards whatever password was entered so that
  even users with blank passwords can be authenticated by the realm on the
  backend. For this reason I believe that j_security_check is "doing the
  right thing" by just forwarding whatever is presented to it, rather than
  having its own logic. It is best if j_security_check just acts as a very
  dumb middle man.
  If behavior was altered, it is true that your particular problem would be
  solved, but then many other people would have a problem with their users
  with blank passwords authenticating properly...
  Try looking into how to disable anonymous logins on the LDAP end of
  things. Hope this helps.
  Cheers,
  Joe Jerry
  brian wrote:
  I am using the LDAP Security Realm to authenticate against an iPlanet
  Directory Server. All works as expected when a user-id and password
  are entered for form-based authentication.
  However, when a userid is entered but no password, j_security_check
  logs the user in successfully. Aparently, this is correct LDAP
  behaviour as anonymous login to the LDAP server is permitted. It seems
  that the j_security_check servlet should check for blank passwords
  before trying to authenticate against the LDAP server and fail
  authentication if this is the case.
  Has anyone else experienced this problem?

• FORM Based Authentication and Browser Refreshing

  We are using FORM Based Authentication in our web application and it works rather well. I have noticed an interesting bit of behavior that I am unable to explain. After an attempt is made to access the first protected resource the container will display the login page specified in the web.xml file. After successful authentication the original protected resource is displayed as expected. In the Address line of the browser however the original URI requested is now replaced with the following:
  http://<domain>:<port>/<root>/j_security_check
  Now, when we hit the refresh button on the browser we get the following error:
  404 Not Found
  Resource /<domain>/j_security_check not found on this server
  Two questions. 1. why does it do this? and/or (more importantly) 2. How do I prevent this behavior or work around it?

  I�m trying to figure out how to pass the user�s ID
  and password, using form-based authentication and
  file realm, to our JDBC connection. Two separate issues.
  I've usually seen it done where there are three tiers, of course. The user provides login credentials from the view tier, which are passed to the controller tier. The controller will validate the user against a database or LDAP. Once they're validated, the credentials are put into session and provided for all apps that need them, including the persistence tier.
  The connection pool requires that you create connections using an application ID, not the user ID. You have to move the security out of the database and into the application.
  %

• Form-based authentication in a non-webapp

  Using Weblogic 5.1 SP8. Our application is not packaged as a web
  application. It is configured via weblogic.properties.
  I want to have form-based authentication that forces the user to login if he
  attempts to access any page in the site. It looks to me like I could easily
  do this using if I were using a web application by using the <login-config>
  settings.
  Is there some way to get the same behavior without converting to a web
  application?
  Thanks!

  John Lindwall wrote:
  Is there some way to get the same behavior without converting to a web
  application?If you roll your own security mechanism that reads the specified XML
  descriptor, sure.
  Cheers,
  Alexander Petrushko
  mailto:[email protected]
  Consulting Services available
  Freemarker vs JSP:
  http://javaworld.com/javaworld/jw-01-2001/jw-0119-freemarker.html

• Catching authentication exception in form-based authentication

  Hi.
  I have a custom UserManager that implements a simple authentication of username/password.
  The web-application is secured using a form-based login-config in web.xml with a form-login-page and a form-error-page. Both these resources points to the same page (login.jsp).
  I want to present a relevant error message when the user fails to log-in (providing wrong username or password, or there is an exception in the UserManager). As far as I can tell there is no way to handle this in a straight-forward manner: When I throw an exception in the UserManager this exception is swallowed by OC4J and never propagates to the form-error-page specified in web.xml. All I can do is to provide a "default" message on the error-page saying "Failed to login". There is no way to tell if the login failed due to invalid username/password or if the login failed due to an unexpected exception in the UserManager implementation (i.e. SQLException).
  I can go around this by storing the relevant error message in a ThreadLocal variable from the UserManager and retrieve this message from the error jsp page. But this is ugly :)
  Shouldn't the form-error-page receive a Throwable in the exception-object? Or is the behavior in OC4J the "standard" way to handle these issues?
  Best Regards //Anders

  Since no one is replying I'm refreshing the thread with some more info..
  Cut from the Servlet 2.3 Specification (in SRV.12.5.3, Form Based Authentication):
  When a user attempts to access a protected web resource, the container checks the user s authentication.
  If the user is authenticated and possesses authority to access the resource, the requested web resource is activated and a reference to it is returned.
  If the user is not authenticated, all of the following steps occur:
  1. The login form associated with the security constraint is sent to the client and the URL path triggering the authentication is stored by the container.
  2. The user is asked to fill out the form, including the username and password fields.
  3. The client posts the form back to the server.
  4. The container attempts to authenticate the user using the information from the form.
  5. If authentication fails, the error page is returned using either a forward or a redirect, and the status code of the response is set to 401.
  6. If authentication succeeds, the authenticated user s principal is checked to see if it is in an authorized role for accessing the resource.
  7. If the user is authorized, the client is redirected to the resource using the stored URL path.
  The error page sent to a user that is not authenticated contains information about the failure.
  The last sentence could be interpreted as "The container should provide the error page with a valid exception object".
  How is this implemented in other servlet containers - JBoss, Websphere, Weblogic, Orion?
  //Anders

• Forcing specific clients or groups to use forms based authentication (FBA) instead of windows based authentication (WIA) with ADFS

  Hi,
  We are have a quite specific issue. The problem is most likely by design in ADFS 3.0 (running on Windows Server 2012 R2) and we are trying to find a "work-around".
  Most users in the organization is using their own personal computer and everything is fine and working as expected, single sign-on (WIA) internally to Office 365 and forms based (FBA) externally (using Citrix NetScaler as reverse proxy and load
  balancing with the correct rewrites to add client-ip, proxy header and URL-transformation).
  The problem occurs for a few (50-100) users where they are sharing the same computer, automatically logged on to the computer using a generic AD-user (same for all of them). This AD-user they are logged on with does not have any access to Office365
  and if they try to access SharePoint Online they receive an error that they can't login (from SharePoint Online, not ADFS).
  We can't change this, they need to have this generic account logged on to these computers. The issue occurs when a user that has access to SharePoint Online tries to access it when logged on with a generic account.
  They are not able to "switch" from the generic account in ADFS / SharePoint Online to their personal account.
  The only way I've found that may work is removing IE as a WIA-capable agent and deploy a User-Agent version string specific to most users but not the generic account.
  My question to you: Is there another way? Maybe when ADFS sees the generic user, it forces forms based authentication or something like that?
  Best regards,
  Simon

  I'd go with your original workaround using the user-agent and publishing a GPO for your normal users that elects to use a user-agent string associated with Integrated Windows Auth.. for the generic accounts, I'd look at using a loopback policy that overwrites
  that user agent setting, so that forms logon is preferred for that subset of users. I don't think the Netscaler here is useful in this capacity as it's a front-end proxy and you need to evaluate the AuthZ rules on the AD FS server after the request has been
  proxied. The error pages in Windows Server 2012 R2 are canned as the previous poster mentioned and difficult to customize (Javascript only)...
  http://blog.auth360.net

• Issue with form based Authentication in three tier sharepoint 2013 environment.

  Hi,
  We are facing issue with form based Authentication in three tier environment.
  We are able to add users to the database and in SharePoint.
  But we are not able to login with created users.
  In single tier everything working fine
  Please help , Its urgent ... Thanks in advance.
  Regards,
  Hari
  Regards, Hari

  if the environments match, then it sounds like a kerberos double-hop issue
  Scott Brickey
  MCTS, MCPD, MCITP
  www.sbrickey.com
  Strategic Data Systems - for all your SharePoint needs

• Error re-logging in after session timeout using form-based authentication

  Hello,
  We have a web app configured for form-based authentication. When the session times out, we're redirected to our login page as expected. However, after re-logging in, we are not redirected to the desired page (e.g., /faces/OurMainPage.jspx) but to /afr/page_lev_idle.gif.
  Do we have to do anything special for session timeouts?
  Thanks,
  Rico

  Some extra information that might help:
  After re-logging in and we're in /afr/page_lev_idle.gif, we hit the browser Back button (showing the login page again) and then hit the browser Refresh/Reload button and voila we're at the page we expect to be.
  Rico

• How to redirect to j_security_check without the form based authentication

  Hi,
  I am trying to integrate my application authentication to a backend system with the ibm websphere form based authentication. Below is the scenario:
  1. when the user clicks on a protected url, the container will redirect the user to the login page.
  2. instead of displaying the login page, i would like to automatically redirect the user to j_security_check action. which means that instead of displaying the login.jsp page, the user will automatically be redirected to j_security_check to perform some user authentication, and if successful, the application pages will be displayed.
  The reason i want to auto redirect the user to j_security_check is because i am implementing some integration work with a backend system. the user will key in the username/password from another system. once the user is authenticated, the user information will be passed to my system. The login page of my system will not be displayed again, and by using the username value, my system will assume that the user has successfully been authenticated (authentication done by the backend system), and therefore automatically gain authorization to login into my application.
  i hope that clarifies my problem.
  anyone out there has any solution to my problem?
  thanks a lot in advance.

  Hi Darren,
  Let me explain the whole authentication environment.
  There are actually 2 systems in this environment. Let;s call it system A and system B.
  System B is actually using the authentication mechanism that i described in my previous message.
  A login page will be presented to the user (within system A). User credential is collected and passed to system A to be authenticated. System A will use its own mechanism to authenticate the user.
  Once the user is authenticated, system A will pass the user ID to system B. At this point, system B will assume that the user is authenticated and grant authorization to access the application. (system B global security is enabled and implements the form based authentication mechanism) Therefore, at this point, the redirect page (so called login page) will not be displayed to the user, instead it will be automatically redirected to the j_security_check action to execute the customer Ldap Registry class. (ps : eventhough authentication is no longer needed, the flow will still go to Ldap Registry class. A check is done in the Ldap Registry class to skip the authentication, if it is not boot strap login. Only first and only time authentication is done for boot strap login).
  In the case a protected url is clicked or invoked by the user directly, the application will redirect the user to the initial login of system A. Otherwise (the url link originates from system A, during the passing of user token to system B), system B will redirect to j_security_check and execute the customer Ldap Registry class.
  Based on the above explained scenario, in your opinion, is there any security loopholes? consider that system B no longer perform authentication but only to grant authorization to the user.
  Appreciate your advice. Thanks in advance
  Anyway, i am using the ibm websphere server. :)

• Logout Functionality in Form Based Authentication Not Working Properly

  Hi All,
  I am using Form Based Authentication in ADF. In this I followed the following steps:-
  1.Login On Page.
  2.In successful login page ,copy the url
  3.Click on "Logout"
  4.Paste the url in login page and click enter
  5.System taking me back to that page where I can perform all the actions.
  But the Login operation should not happen just by entering the url. Please provide any help how to stop redirecting to my authenticated page just by typing the url. This is a big security constraint.Any Assistance to this is highly appreciated.
  Thanks & Regards
  Lovenish Garg

  Hi BaiG,
  For Login I am using the form based authentication and for logout here is my code:-
  public void logout() {
  ExternalContext ectx =
  FacesContext.getCurrentInstance().getExternalContext();
  HttpServletResponse response = (HttpServletResponse)ectx.getResponse();
  HttpSession session = (HttpSession)ectx.getSession(false);
  session.invalidate();
  response.setHeader("Cache-Control", "no-cache");
  response.setHeader("expires", "0");
  response.setHeader("Pragma", "no-cache");
  try {
  response.sendRedirect("AdminLogin.html");
  } catch (IOException e) {
  logger.severe(e.getMessage());
  //Inform JSF to not take the response in hands
  FacesContext.getCurrentInstance().responseComplete();
  logger.info("session invalidated");
  Thanks,
  Lovenish Garg

• Faces context not found (Form based authentication)

  <security-constraint>
  <display-name>Example Security Constraint</display-name>
  <web-resource-collection>
  <web-resource-name>Protected Area</web-resource-name>
  <url-pattern>/jsp/WorkingZone.jsp</url-pattern>
  <http-method>GET</http-method>
  <http-method>POST</http-method>
  </web-resource-collection>
  <auth-constraint>
  <role-name>manager</role-name>
  </auth-constraint>
  </security-constraint>
  <login-config>
  <auth-method>FORM</auth-method>
  <realm-name>Example Form-Based Authentication Area</realm-name>
  <form-login-config>
  <form-login-page>/Login/login.jsp</form-login-page>
  <form-error-page>/Login/error.jsp</form-error-page>
  </form-login-config>
  </login-config>
  when i tried to login with valid user the the url shows
  http://localhost:8080/FormAuth/jsp/WorkingZone.jsp
  how to append faces context automatically.
  I am not finding for this faces context.
  Plz suggest me a solution soon.
  Thanks
  Raghavendra Pattar

  The FacesContext is created by FacesServlet which is
  definied in the web.xml with an url-pattern.
  If you just follow the url-pattern of this
  FacesServlet, usually /faces/ or *.faces, or *.jsf,
  then the FacesContext will be created.Hi balu,
  this is the web.xml that i am using
  <?xml version="1.0" encoding="UTF-8"?>
  <web-app xmlns="http://java.sun.com/xml/ns/j2ee" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" version="2.4" xsi:schemaLocation="http://java.sun.com/xml/ns/j2ee http://java.sun.com/xml/ns/j2ee/web-app_2_4.xsd">
  <context-param>
      <param-name>javax.faces.STATE_SAVING_METHOD</param-name>
      <param-value>server</param-value>
    </context-param>
  <context-param>
      <param-name>javax.faces.CONFIG_FILES</param-name>
      <param-value>/WEB-INF/navigation.xml,/WEB-INF/managed-beans.xml</param-value>
    </context-param>
  <context-param>
      <param-name>com.sun.faces.validateXml</param-name>
      <param-value>true</param-value>
    </context-param>
  <context-param>
      <param-name>com.sun.faces.verifyObjects</param-name>
      <param-value>false</param-value>
    </context-param>
  <filter>
      <filter-name>UploadFilter</filter-name>
      <filter-class>com.sun.rave.web.ui.util.UploadFilter</filter-class>
      <init-param>
        <description>
            The maximum allowed upload size in bytes.  If this is set
            to a negative value, there is no maximum.  The default
            value is 1000000.
          </description>
        <param-name>maxSize</param-name>
        <param-value>1000000</param-value>
      </init-param>
      <init-param>
        <description>
            The size (in bytes) of an uploaded file which, if it is
            exceeded, will cause the file to be written directly to
            disk instead of stored in memory.  Files smaller than or
            equal to this size will be stored in memory.  The default
            value is 4096.
          </description>
        <param-name>sizeThreshold</param-name>
        <param-value>4096</param-value>
      </init-param>
    </filter>
  <filter-mapping>
      <filter-name>UploadFilter</filter-name>
      <servlet-name>Faces Servlet</servlet-name>
    </filter-mapping>
  <servlet>
      <servlet-name>Faces Servlet</servlet-name>
      <servlet-class>javax.faces.webapp.FacesServlet</servlet-class>
      <load-on-startup>1</load-on-startup>
    </servlet>
  <servlet>
      <servlet-name>ThemeServlet</servlet-name>
      <servlet-class>com.sun.rave.web.ui.theme.ThemeServlet</servlet-class>
    </servlet>
  <servlet-mapping>
      <servlet-name>Faces Servlet</servlet-name>
      <url-pattern>/faces/*</url-pattern>
    </servlet-mapping>
  <servlet-mapping>
      <servlet-name>ThemeServlet</servlet-name>
      <url-pattern>/theme/*</url-pattern>
    </servlet-mapping>
  <welcome-file-list>
      <welcome-file></welcome-file>
       </welcome-file-list>
  <jsp-config>
      <jsp-property-group>
        <url-pattern>*.jspf</url-pattern>
        <is-xml>true</is-xml>
      </jsp-property-group>
    </jsp-config>
  <security-constraint>
      <display-name>Example Security Constraint</display-name>
      <web-resource-collection>
        <web-resource-name>Protected Area</web-resource-name>
        <url-pattern>/secure/*</url-pattern>
          <http-method>GET</http-method>
        <http-method>POST</http-method>
      </web-resource-collection>
      <auth-constraint>
        <role-name>manager</role-name>
      </auth-constraint>
    </security-constraint>
    <!-- Default a login configuration that uses form-based authentication -->
    <login-config>
      <auth-method>FORM</auth-method>
      <realm-name>Example Form-Based Authentication Area</realm-name>
      <form-login-config>
        <form-login-page>/Login/login.jsp</form-login-page>
        <form-error-page>/Login/error.jsp</form-error-page>
      </form-login-config>
    </login-config>
    <!-- Define a logical role for this application, needs to be mapped to an actual role at deployment time -->
    <security-role>
      <role-name>manager</role-name>
    </security-role>
  </web-app>1)My requirement is Login page should be the first page
  If enter the valid user and password
  then i will get directory structure
  when i click the secured JSF page inside secure
  i got this URL
  http://localhost/secure/WorkingZone.jsp
  obiviously /faces is missing
  and i am getting faces context not found.
  If u need further clarification i will send u..
  Plz reply me...

• SP4 and Form Based Authentication

  Hi,
  I had just advised a customer to apply SP4 to WLS and
  then plug in the 'source code' patch, he replied that he had
  been informed that SP4 breaks Form Based Authentication for
  war web apps?
  Can anyone confirm/deny this for me please ?
  regards,
       Patrick.

  Hehe Hiya Patrick!, that was Me! seems we use the same hot source of info :)
  Cheers
  Rob :)
  "Patrick Byrne" <[email protected]> wrote in message
  news:[email protected]..
  Hi,
  I had just advised a customer to apply SP4 to WLS and
  then plug in the 'source code' patch, he replied that he had
  been informed that SP4 breaks Form Based Authentication for
  war web apps?
  Can anyone confirm/deny this for me please ?
  regards,
  Patrick.

• Form Based Authentication in SharePoint 2013: Getting The remote server returned an error: (500) Internal Server Error

  Hi
   I configured forms based authentication mode in Sharepoint 2013 site. When i tried to log in with windows authentication prompt it throws the following error
  The remote server returned an error: (500) Internal Server Error
  [WebException: The remote server returned an error: (500) Internal Server Error.] System.Net.HttpWebRequest.GetResponse() +8548300 System.ServiceModel.Channels.HttpChannelRequest.WaitForReply(TimeSpan timeout) +111 [ProtocolException:
  The content type text/html; charset=utf-8 of the response message does not match the content type of the binding (application/soap+msbin1). If using a custom encoder, be sure that the IsContentTypeSupported method is implemented properly. The first
  1024 bytes of the response were: '<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd">
  How to fix this issue?
  Regards,
  Siva

  Did you create a new web application or modify an existing web application?
  I would start by checking the ULS logs, maybe there is an incorrect setting within one of the web.config files, or SQL permissions.
  Also, as suggested above, check application pools are running.
  This blog post is a great guide for setting up FBA, check it through to make sure you haven't missed any steps:
  http://blogs.technet.com/b/ptsblog/archive/2013/09/20/configuring-sharepoint-2013-forms-based-authentication-with-sqlmembershipprovider.aspx

• Big problem :anything is accepted by form-based authentication on Jboss

  Hi there
  I'm new to form-based authentication. I've been stuck on this problem for one and a half day. I set up the form-based authentication(with JDBC realm) on JBoss 3.2/Tomcat 5.0. When I visit the protected area, it did ask me for password. But it accepts whatever I input and forwards the desired page, even when I input nothing and just click on submit, it allows me to go through. No error message at all. I am in desperate need for help.
  Here is my configuration. The web.xml is like this
  <?xml version="1.0" encoding="UTF-8"?>
  <!DOCTYPE web-app PUBLIC "-//Sun Microsystems, Inc.//DTD Web Application 2.3//EN" "http://java.sun.com/dtd/web-app_2_3.dtd">
  <web-app>
  <display-name>LoginTest</display-name>
  <security-constraint>
  <display-name>Example Security Constraint</display-name>
  <web-resource-collection>
  <web-resource-name>Protected Area</web-resource-name>
  <url-pattern>/*</url-pattern>
  <http-method>DELETE</http-method>
  <http-method>GET</http-method>
  <http-method>POST</http-method>
  <http-method>PUT</http-method>
  </web-resource-collection>
  <auth-constraint>
  <role-name>manager</role-name>
  </auth-constraint>
  <user-data-constraint><transport-guarantee>NONE</transport-guarantee></user-data-constraint>
  </security-constraint>
  <!-- Default login configuration uses form-based authentication -->
  <login-config>
  <auth-method>FORM</auth-method>
  <form-login-config>
  <form-login-page>/login.jsp</form-login-page>
  <form-error-page>/error.jsp</form-error-page>
  </form-login-config>
  </login-config>
  <security-role>
  <description>Manager security role</description>
  <role-name>manager</role-name>
  </security-role>
  </web-app>
  I also add the following JDBC realm definition into the server.xml which is under jboss/server/default/deploy/jbossweb-tomcat50.sar
  <Realm
  className="org.apache.catalina.realm.JDBCRealm" debug="1"
  driverName="org.gjt.mm.mysql.Driver"
  connectionURL="jdbc:mysql://myipdadress:3306/field_bak"
  connectionName="plankton"
  connectionPassword="plankton"
  userTable="users"
  userNameCol="user_name"
  userCredCol="user_pass"
  userRoleTable="user_roles"
  roleNameCol="role_name"
  />
  The JDBC realm is enclosed by the <engine> element. I checked the server log file, when the jboss server is started, it does load the mysql driver correctly and connect to mysql database fine. If I changed the IP of the mysql server to a non-existing one, then when I start jboss server, the server boot process will complain about connection to mysql faiure.
  I guess maybe the server doesn't do the authentication by connecting to mysql and verify it when I submit the log in form. It seems the JDBC realm authentication is bypassed. I notice that even I get rid of the JDBC realm definition from the server.xml file, and test the web application. It behaves exactly the same way. It asks me for password but anything will go through even nothing.
  Can anybody help me about this? I'm really stuck on this.
  Thanks a lot!

  By the way, I did create database"field_bak" and the tables for the JDBC realm verification.
  I also created the users and the roles.
  But it seems like Tomcat container doesn't do the JDBC realm authentication.

• FORM based Authentication issue on Sun ONE AS7

  I am trying to use FORM based authentication for a web module I created, and can not get it to work. I have registered the roles through the admin console of the server, and adjusted the web.xml. When I try to use BASIC authentication, I get a 'Authentication refused for []' message before I even log in, and another one after I do. When I use FORM authentication, the URL points to my login.jsp page (no matter what I put in the path, which is what is supposed to happen), however my default servlet (hello.java) is actually run, and the login.jsp page never comes up. I created my jsps and servlet in the mounted [ejb]_WebModule. Please let me know if something seems incorrect here, or if you can think of something I should check...I can't find anything out there to help me.
  Here is my web.xml:
  <web-app>
  <display-name>DiningGuideManager_TestApp</display-name>
  <servlet>
  <servlet-name>front</servlet-name>
  <servlet-class>data.DiningGuideManager_WebModule.hello</servlet-class>
  </servlet>
  <servlet>
  <servlet-name>myPage</servlet-name>
  <jsp-file>/myPage.jsp</jsp-file>
  </servlet>
  <servlet-mapping>
  <servlet-name>front</servlet-name>
  <url-pattern>/*</url-pattern>
  </servlet-mapping>
  <session-config>
  <session-timeout>30</session-timeout>
  </session-config>
  <security-constraint>
  <web-resource-collection>
  <web-resource-name>Security</web-resource-name>
  <url-pattern>/*</url-pattern>
  </web-resource-collection>
  <auth-constraint>
  <role-name>Me</role-name>
  <role-name>EveryoneElse</role-name>
  </auth-constraint>
  </security-constraint>
  <login-config>
  <auth-method>BASIC</auth-method>
  <realm-name>default</realm-name>
  </login-config>
  <security-role>
  <role-name>Me</role-name>
  </security-role>
  <security-role>
  <role-name>EveryoneElse</role-name>
  </security-role>
  <ejb-ref>
  <ejb-ref-name>ejb/TestedEJB</ejb-ref-name>
  <ejb-ref-type>Session</ejb-ref-type>
  <home>data.DiningGuideManagerHome</home>
  <remote>data.DiningGuideManager</remote>
  <ejb-link>DiningGuideManager</ejb-link>
  </ejb-ref>
  </web-app>
  for FORM authentication I have this:
  <login-config>
  <auth-method>FORM</auth-method>
  <realm-name>default</realm-name>
  <form-login-config>
  <form-login-page>/login.jsp</form-login-page>
  <form-error-page>/error.jsp</form-error-page>
  </form-login-config>
  </login-config>
  Thanks,
  Michelle

  Yes there's a default generated index.jsp page that I'm having trouble overriding with one of my own. Have you used Form Based Authentication before? To do so you have edit the WEB-INF/web.xml file by adding:
  <security-constraint>
  <web-resource-collection>
  <web-resource-name>Secure Area</web-resource-name>
  <url-pattern>/test/secure/*</url-pattern>
  </web-resource-collection>
  <auth-constraint>
  <role-name>admin</role-name>
  </auth-constraint>      
  </security-constraint>
  <login-config>
  <auth-method>FORM</auth-method>
  <form-login-config>
  <form-login-page>/test/secure/loginpage.jsp</form-login-page>
  <form-error-page>/test/secure/errorpage.jsp</form-error-page>
  </form-login-config>
  </login-config>
  When you attempt to first go to any page in my /test/secure/ directory you get redirected to the /test/secure/loginpage.jsp where you have to login as a tomcat user, when succesfully logged on you get redirected to an index.jsp page which is NOT the one I created in test/secure/index.jsp. Even when I type in the url to go to my own test/secure/index.jsp I still don't get my own one that exists there, but instead get the default one that's generated that displays:
  "Authentication Mechanism FORM".
  Hope that makes more sense.
  I've tried restarting tomcat but it makes no difference.