Form Base Login
Dear programmers
I tries to use form base login and unfortuanetly nothing happen.
I have written this little form:
<form method="post" action="j_security_check">
<table width="80%">
<tr>
<td width="20%" align="right">
UserId:
</td>
<td>
<input size="20" type="text" name="j_username" maxlength="25">
</td>
</tr>
<tr>
<td align="right">
Password:
</td>
<td>
<input size="20" type="password" name="j_password" maxlength="25">
</td>
</tr>
<tr>
<td></td>
<td>
<input type="submit" name="action" value="Login"> �
<input type="reset" name="reset" value="Clear">
</td>
</table>
</form>and configured the web.xml this way:
<login-config>
<auth-method>FORM</auth-method>
<form-login-config>
<form-login-page>/jsp/login.jsp</form-login-page>
<form-error-page>/jsp/error.jsp</form-error-page>
</form-login-config>
</login-config>I did everything like in the example of http://www.redbooks.ibm.com/abstracts/tips0220.html?Open
I expected that when I'll try to navigate a page in my application, I'll be automatically redireced to the login page. Unfortuanetly it didn't happen.
Did I do something wrong?
Should I do something on the server? (I use websphere 5.1.2).
Hi adslyl, thanks for the reply.
I have defined the following security-constrain:
<security-constraint>
<web-resource-collection>
<web-resource-name>(New Web Resource Collection)</web-resource-name>
<description></description>
<url-pattern>/faces/*</url-pattern>
<http-method>GET</http-method>
<http-method>POST</http-method>
</web-resource-collection>
</security-constraint>But it seems that it doesn't help. If I understand it correctly every reference to doGet() or doPost() should perform this security mechanism. Am I right?
Similar Messages
-
5.1 sp9 and Form Base login
Hi,
We've just upgraded to 5.1 sp9 from sp8 and the form base login seem to have died.
We are using LDAPRealm to authenticate and ServletAuthentication class for the
form login.
This is the error we get
java.lang.SecurityException: Authentication for user adminuser denied in realm
wl_realm
at weblogic.rmi.extensions.AbstractRequest.sendReceive(AbstractRequest.java:76)
at weblogic.jndi.toolkit.BasicWLContext_WLStub.lookup(BasicWLContext_WLStub.java:246)
at weblogic.jndi.toolkit.WLContextStub.lookup(WLContextStub.java:545)
at javax.naming.InitialContext.lookup(InitialContext.java:350)
at com.citec.payserv.AdminStart.setEJBHomeInterface(AdminStart.java:213)
at com.citec.payserv.AdminStart.doGet(AdminStart.java:412)
at javax.servlet.http.HttpServlet.service(HttpServlet.java:740)
at javax.servlet.http.HttpServlet.service(HttpServlet.java:865)
at weblogic.servlet.internal.ServletStubImpl.invokeServlet(ServletStubImpl.java:120)
at weblogic.servlet.internal.ServletContextImpl.invokeServlet(ServletContextImpl.java:915)
at weblogic.servlet.internal.ServletContextImpl.invokeServlet(ServletContextImpl.java:879)
at weblogic.servlet.internal.ServletContextManager.invokeServlet(ServletContextManager.java:269)
at weblogic.socket.MuxableSocketHTTP.invokeServlet(MuxableSocketHTTP.java:365)
at weblogic.socket.MuxableSocketHTTP.execute(MuxableSocketHTTP.java:253)
at weblogic.kernel.ExecuteThread.run(ExecuteThread.java:129)
Seems strange that it is referencing wl_realm and not LDAPRealm. It was working
on sp8, is anybody aware of anything like this?seems like a regression in SP9.
I have filed a bug report. In case if you contact support refer CR046236
Kumar
Peter Buus wrote:
I have just downloaded SP9 and now my defaultFileName does'nt work any more.
I used to have the following entry
weblogic.httpd.initArgs.file=defaultFilename=/menu/start.htm
Prior to SP9 a request to http://myserver would yield
http://myserver/menu/start.htm
Now WL 5.1 presents a directory browsing of the root. It works if
http://myserver/menu is requested.
However, I have a lot of users using http://myserver - is there any way to
include a directory in a defaultfilename?
Thanks/Peter -
Security - Password Expiration with Form Base Authentication
Hi everbody,
I have configured the security of my application and this works
fine.
I configured the roles and match roles with groups defined in my
LDAP
I used the form base authentication. Perfect, but now I configure in
LDAP
that the user password can be expired, and the user can change password.
My problem is when the user try to log at my application and the
password was expired, I need to allow that user change the password
( showing another pag, and ask about the new password).
Nowadays when the user try to log and the password was expired the
page that I have set for my login error page (form base authentication)
is call, this page is call if the user is invalid or the password is
invalid too.
I have try to get the exception at this page using :
String codeObj =
req.getAttribute("javax.servlet.error.status_code");
String messageObj =
req.getAttribute("javax.servlet.error.message");
String typeObj =
req.getAttribute("javax.servlet.error.exception_type");
But all of this String are null. It's independent if the user is
invalid or the password or either if the password was expired.
I always get this null Strings. But if the person isn't authorized I
call another pag and at this time I can get the code, message
and the exception type
So my question is how can I treat this ? how can I get this kind of
exception ?
I also make a java application that only try to connect with Ldap,
and if the password is expired
I can get the com.netscape.LDAPExpection with code 45 and message
Invalid Credential.
Is it impossible to get this exception in my actual solution ? I
need to make one component for that ?
Someone can help me ?
Any tip will be good !!
Thanks
Daniela Pistelli Gomes
Technical Consultant
Summa Technologies
http://www.summa-tech.comHi Robert,
thanks very much for ur pointers on the AuthFilter class.. will try that out.
Robert Greig <[email protected]> wrote:
Stephen wrote:
I am using WLS 6.1 and tried using a custom filter to intercept theauthentication
request submitted from a FORM BASE jsp (using the j_security_checkform).
However, no matter what i've tried, it is always the authenticationpart that
gets executed before the filter.
Any idea how could I intercept the request before the j_security_checkservlet
calls the security provider for authentication?There is a (now deprecated) class weblogic.servlet.security.AuthFilter.
I haven't used it because it is deprecated but I think it does what
you're after.
In my apps, I make the FORM auth submit to my own servlet which can then
do what j_security_check does (most although not all is accessible
through public APIs).
Robert -
Protected url, form base
i need access to a html protected page
for base authentication it's simple, i use a class like this :
public class MyAuthenticator extends Authenticator {
String username = "";
String password = "";
public PasswordAuthentication getPasswordAuthentication() {
return new PasswordAuthentication(username, password.toCharArray());
and I install the authenticator in the servlet
MyAuthenticator ma = new MyAuthenticator();
Authenticator.setDefault(ma);
my problem is to access form based protected resources, and i really don't know how ro do it.
Any idea?mybe i have a solution, but i don't know if this is a good code.
protected void doGet(HttpServletRequest request, HttpServletResponse response) throws ServletException, IOException {
// log in ----------------------------------------------------------------
String data = URLEncoder.encode("userid", "UTF-8") + "=" + URLEncoder.encode("mamma", "UTF-8");
data += "&" + URLEncoder.encode("password", "UTF-8") + "=" + URLEncoder.encode("aaa", "UTF-8");
//login
URL url = new URL("http://localhost:8087/Mamma/j_security_check");
URLConnection conn = url.openConnection();
conn.setDoOutput(true);
OutputStreamWriter wr = new OutputStreamWriter(conn.getOutputStream());
wr.write(data);
wr.flush();
String key = "";
String id = "";
// Get session cookie ----------------------------------------------------------------
if (conn != null)
for (int i = 1;(key = conn.getHeaderFieldKey(i)) != null; i++)
if (key.equalsIgnoreCase("set-cookie"))
id = conn.getHeaderField(key);
id = id.substring(0, id.indexOf(";"));
} //if
} //for
} //if
String jSessionId = id;
// Get the response ----------------------------------------------------------------
BufferedReader rd = new BufferedReader(new InputStreamReader(conn.getInputStream()));
String line;
while ((line = rd.readLine()) != null) {
System.out.println(line);
wr.close();
rd.close();
// access form base protected resource ---------------------------------------------------
URL url2 = new URL("http://localhost:8087/Mamma/situazione");
URLConnection conn2 = url2.openConnection();
conn2.setDoOutput(true);
//System.out.println("jSessionId:"+jSessionId);
conn2.setRequestProperty("Cookie", jSessionId);
BufferedReader rd2 = new BufferedReader(new InputStreamReader(conn2.getInputStream()));
String line2;
while ((line2 = rd2.readLine()) != null) {
System.out.println(line2);
//wr2.close();
rd2.close();
} -
Form based login, iframes and session time out
Hi all,
I'm trying to create a site using form based login.
The site contains a page protected page, default.jsp that have a logout button/link (clicking it invalidates the session), and a navigation bar with links linking opening them in iframes inside the default.jsp page:
I have also a login.jsp page and and a error.jsp page
Everything works fine I can login, I can logout. My problem occurs when the session times out and the user tries to access protected contents in the internal frames. He then is promted for a new login. The problem is that the login,jsp page now turns up inside the jframe designatet for my contents.
I woud have liked the login page to turn up at the top level i.e. filling the entire browser window (i.e on the same level as the default.jsp page). Is this somehow possible?
Regards
Uno EngborgEasy answer: use JS to jump out iframe.
Best answer: don't use iframes, but use server side includes like jsp:include. Iframes have too much disadvangages, topping the extremely bad SEO and UX. -
Help: FORMS Oracle login screen
Hi,
I am working on an Oracle FORMS application. When this pass to the user, we do not want to know or to type which Oracle DB they are logging in, but the user name and password.
Question: Is there are way to modify the FORMS default login screen to achieve the above task and allow me to modify the appearance to make it the way users want?
Any suggestions are greatly appreciated.
Thanks.
JimmyYou can write your own "logon"-fmb. start if giving a "dummy-connection", retrieve the SID using GET_APPLICATION_PROPERTY(CONNECT_STRING) and offers the fields for username and password (and of course, the logon-button). When user clicks on Login, do a LOGOUT and LOGON again using the enterd values and the formerly retrievred SID.
-
How to get username from Form-based login
I am using form-based login in my web.xml file.
When I attempt to access a protected .jsp page, I get sent to my login page as expected.
When I enter my username/password successfully it forwards me to the .jsp page I was trying to go to, as expected.
From that .jsp page, how do I get the username/password info from the login form? I looked at the session attributes, request attributes, and request parameters, but I don't see anything. Does the form-based authentication remove these variables?
I need the username that is filled out in the login form, so that I can do custom work with it. I cannot ask the user for it again after they login, as that is inefficient and sloppy.Found it.
request.getUserPrincipal().getName() -
How to call System Form base on User Form
I want to reuse System Form that "list of items" on service call,
Show the "list of items" Form base on my own Form,
How to do?
thanks
TonyHi Tony,
Have you looked at the ChooseFromList object? This is available in the UI API and allows you to easily create the 'lists' windows for all the main objects, including items. There is an example of using the ChooseFromList in the samples in the SDK.
Kind Regards,
Owen -
Tomcat problem with form based login
Hi,
I have a page for form-based login, but the problem is that the image and css files dont load on the login page request. What I gather from other discussions is that this is because these are still protected when the page is requested. How do I exclude them from being protected.
NiravHi tolmank,
Earlier I just filtered out the login page and images based on the extension, but now I am trying the second approach i.e. making a protected directory, but my application does not start. When i start it from the tomcat manager, it gives me this error,
FAIL - Application at context path /<app dir> could not be started
<web-resource-collection>
<web-resource-name><app dir></web-resource-name>
<url-pattern>/protected/*.jsp</url-pattern>
</web-resource-collection>
<login-config>
<auth-method>FORM</auth-method>
<form-login-config>
<form-login-page>Login.jsp</form-login-page>
<form-error-page>Error.jsp</form-error-page>
</form-login-config>
</login-config>
what could be wrong? -
Does Form Base Project budgeting support Budget Forecasting?
Hello Expert,
Can you please help me in understanding that does form base budgets in project costing support budget forecasting? if no then is that it can be achive only through Project Management?
Your help will be appreciated.
Thanks
UdayHi
If you use the Forms for budgeting you can setup various budget types, like approved cost budget, proposal cost plan, funded revenue budget, forecast cost, etc...
For each one of those types you have the same functionality, and budget entry is just keying in the quantities and amounts on the budget form. You could automate the calculation of burdened cost based on the entry of raw cost amount, or that based on quantity. Such automation is done using the budget client extension, and that extension is called immediately as you key in the line value.
With Oracle Project Management (PJT) a new entity was introduced called Financial Plans. A financial plan type is an enhancement of a budget type. The entry of financial plan is done on HTML pages. You could set up financial plans for Firm annual budget, for forecast, for funded revenue etc. With PJT Oracle also delivered a concurrent program called Forecast. That program can generate the plan amounts and insert them on the financial plan defined as parameter. Such calculation functionality is not supported on the Form based budgets.
Dina -
FORM based login form-error-page
Hi,
I have activated FORM based login for EM (oracle 9iAS on Solaris). So, in web.xml for EMD, I have
<login-config>
<auth-method>FORM</auth-method>
<form-login-config>
<form-login-page>/jsp/login.jsp</form-login-page>
<form-error-page>/error/oc4j_error.html</form-error-page>
</form-login-config>
</login-config>
When I login as ias_admin, everything seems fine. However, when I login as any other user (not in ias_admin role), the browser redirects to /emd/console/ias/applicationServer...
Why is the container not redirecting to /emd/error/oc4j_error.html ?
Any input will be truly appreciated. Hopefully I am doing something wrong.
Thanks,
KrishnenduHi Frank,
Thanks for your reply. If I have a error page in the FORM login, then the container (according to j2ee specs) should redirect to /emd/oc4j_error.html if I authenticate as a user without administrator privileges.
<login-config>
<auth-method>FORM</auth-method>
<form-login-config>
<form-login-page>/jsp/login.jsp</form-login-page>
<form-error-page>/oc4j_error.html</form-error-page>
</form-login-config>
</login-config>
For all other containers (WAS, WebLogic and Sun Application server, Tomcat), it seems to work fine.
Thanks,
Krishnendu -
Hi,
We have the problem that we get an basic login box when we try to access documents in the KM. (e.g with a link in an eMail)
Is it possible to switch from basic login to form based login for the KM?
If this is possible, how?
Best regards,
ManuelGood question! On a training server, using /irj/go/km/docs/documents/Public%20Documents/Laptops/Development/Test%20Reports/Performance%20EVO%20N610c%20in%20Network.doc gives the Windows authentication, but http://twdf0399.wdf.sap.corp:50000/irj/go/km/navigation/documents/Public%20Documents/Laptops/Development/Test%20Reports/Performance%20EVO%20N610c%20in%20Network.doc (changing docs to navigation in the URL) gives the form based...
-
SSL and login form for form based login over ldap
Hello,
i have configured an apache reverse proxy with virtual named host and the the webgate is also running on this server.
On a second server i have configured a webserver with the login form.
Access to the protected ressources is working when i use the following parameters in my Authentication schema
form:/form/login.html
action:/dummy
creds:userid password
ssoCookie:httponly
passthrough:no
SSL Required No
Challenge Redirect http://dummyserver.dummy.org
Changing the SSL required to yes and the url to https has the following result.
After filling out the login form and pressing the submit button "the requested URL /dummy was not found on this server"
Any hints are welcome.
Kind regardsHi Colin,
Yes the dummy url is protected. Otherwise it should not work when using http.
I assume that i am not redirected back to the origin source. The obSSOCookie should do this in some way, when i remember that correctly.
I can see that the obSSOCokkies are created for both urls but the content is "loggedoutcontinue". Thats the difference to the http communication.
Is there anything else to configure when using SSL with a form based login. Have i missed some basics?
In the documentation it looks really simple - just trning it on - looking for access - and everything works :-)
KR -
How to configure a form based login page with entitlement role
We need to have login page to our portal app.
When using "form based" authentication is it possible to map the security on a
"entitlement role" ?
Our need is to be abled to give direct url acces to some pages of the portal (for
exemple by sending urls like "http://server/appcontextpath/appmanager/myportal/mydesktop?_nfpb=true&_pageLabel=mypage")"
by email to portal users) and need a simple mecanism of authentication before
redirecting to the portal page.
InsteOlivier,
You can't reference WLP visitor roles in weblogic.xml, but you can
reference global roles (created using the WLS console):
- <security-role-assignment>
<role-name>PortalSystemAdministrator</role-name>
<externally-defined />
</security-role-assignment>
-Phil
"Olivier" <[email protected]> wrote in message
news:[email protected]..
>
We need to have login page to our portal app.
When using "form based" authentication is it possible to map the securityon a
"entitlement role" ?
Our need is to be abled to give direct url acces to some pages of theportal (for
exemple by sending urls like"http://server/appcontextpath/appmanager/myportal/mydesktop?_nfpb=true&_page
Label=mypage")"
by email to portal users) and need a simple mecanism of authenticationbefore
redirecting to the portal page.
Inste -
Tomact examples and form base authentication
I am looking at the tomcat examples web.xml security constrains and login info settings:
<security-constraint>
<display-name>Example Security Constraint</display-name>
<web-resource-collection>
<web-resource-name>Protected Area</web-resource-name>
<!-- Define the context-relative URL(s) to be protected -->
<url-pattern>/jsp/security/protected/*</url-pattern>
<!-- If you list http methods, only those methods are protected -->
<http-method>DELETE</http-method>
<http-method>GET</http-method>
<http-method>POST</http-method>
<http-method>PUT</http-method>
</web-resource-collection>
<auth-constraint>
<!-- Anyone with one of the listed roles may access this area -->
<role-name>tomcat</role-name>
<role-name>role1</role-name>
</auth-constraint>
</security-constraint>
<!-- Default login configuration uses form-based authentication -->
<login-config>
<auth-method>FORM</auth-method>
<realm-name>Example Form-Based Authentication Area</realm-name>
<form-login-config>
<form-login-page>/jsp/security/protected/login.jsp</form-login-page>
<form-error-page>/jsp/security/protected/error.jsp</form-error-page>
</form-login-config>
</login-config>
As we can see form-login page and form-error page uri match url-pattern settings.
url-pattern: /jsp/security/protected/*
form-login page: /jsp/security/protected/login.jsp
form-error page: /jsp/security/protected/error.jsp
There is no binding of unauthenticated user to ether one of specified roles
Question: What place in the servlet spec allows serving secured resource for a user without appropriate role association?Kinda then beat the the whole idea of authentication then, if you allow a user in that is not assigned to a security role? Anyway, I think you are looking to send the user to another page if they are not in a role but have an id, correct? Well, first it has to be a page outside the secure directory/ies. The error it generates is a 403. So add to your web.xml:
<error-page>
<error-code>403</error-code>
<location>/403.jsp</location>
</error-page>Anytime a user who is not a member of the allowed roles attempts a login, they will be redirected to this page.
Ross
Maybe you are looking for
-
Can't recover iMac from Time Machine backup
Hi there I need your help! My photos, music, videos, and other data is gone.. Especially the photos i would like to have back, they were stored in my Aperture library (about 13.000 pictures). For a few days ago my iMac (with Mountain Lion) wouldn't s
-
Calendar in List view different from Day and Month view
When I look at my Calendar in 'List' view all of the Birthdays and Events are in the wrong date but in 'Day' and 'Month' view they are correct. Has anybody found a fix for this yet? I have looked at similar discussions but they are all a couple of
-
Downloaded iTunes 11 and now none of my song files can be "located"- suggestions?
I just updated my iTunes to the newest version; my entire library shows up, however, when I click on any of the songs, a message appears that says that the original file cannot be found. I've searched through all my folders and can't find any trace o
-
Exporting a movie in QT Pro truncates film
I have a 2 minute QT film that is 264/16 bit 48k audio. I want to export it as a 264/Apple lossless audio to get the file size down. When I export it, the audio plays all 2 minutes fine, but the video only goes for 15 seconds and then freezes the res
-
IDOC TO JDBC , mappinng source segment to target segment
Hi Experts, I need your guidance on the following scenario IDOC to JDBC (DB2) Source side has one header and multiple line items to be map to DB2 tables (one for header and one for line item) I have searched through web and forum for some step by s