Form based authentication problem - security constraint in web.xml

Similar Messages

• Form based authentication problem

  Hi people, im new here. Im working on a small application and i have decided to work with Form Based authentication. Theres a index page in the root that redirect to welcome page but when i try to Run the first page im getting this exception.
  javax.servlet.jsp.JspException: Cannot find FacesContext at javax.faces.webapp.UIComponentTag.doStartTag(UIComponentTag.java:427) at com.sun.faces.taglib.jsf_core.ViewTag.doStartTag(ViewTag.java:125) at infrastructure.login._jspService(_login.java:53)
  I have been searching for a while in the web but i couldnt find anything that fix the problem. Can anybody give me a hand with this? The version of Jdeveloper is 10.1.3.2. Here are the web.xml file and index.jsp
  <?xml version = '1.0' encoding = 'windows-1252'?>
  <web-app xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xsi:schemaLocation="http://java.sun.com/xml/ns/j2ee http://java.sun.com/xml/ns/j2ee/web-app_2_4.xsd" version="2.4" xmlns="http://java.sun.com/xml/ns/j2ee">
  <description>Empty web.xml file for Web Application</description>
  <context-param>
  <param-name>javax.faces.STATE_SAVING_METHOD</param-name>
  <param-value>client</param-value>
  </context-param>
  <context-param>
  <param-name>CpxFileName</param-name>
  <param-value>userinterface.DataBindings</param-value>
  </context-param>
  <filter>
  <filter-name>adfFaces</filter-name>
  <filter-class>oracle.adf.view.faces.webapp.AdfFacesFilter</filter-class>
  </filter>
  <filter>
  <filter-name>adfBindings</filter-name>
  <filter-class>oracle.adf.model.servlet.ADFBindingFilter</filter-class>
  </filter>
  <filter-mapping>
  <filter-name>adfFaces</filter-name>
  <servlet-name>Faces Servlet</servlet-name>
  <dispatcher>FORWARD</dispatcher>
  <dispatcher>REQUEST</dispatcher>
  </filter-mapping>
  <filter-mapping>
  <filter-name>adfBindings</filter-name>
  <url-pattern>*.jsp</url-pattern>
  </filter-mapping>
  <servlet>
  <servlet-name>Faces Servlet</servlet-name>
  <servlet-class>javax.faces.webapp.FacesServlet</servlet-class>
  <load-on-startup>1</load-on-startup>
  </servlet>
  <servlet>
  <servlet-name>resources</servlet-name>
  <servlet-class>oracle.adf.view.faces.webapp.ResourceServlet</servlet-class>
  </servlet>
  <servlet-mapping>
  <servlet-name>Faces Servlet</servlet-name>
  <url-pattern>/faces/*</url-pattern>
  </servlet-mapping>
  <servlet-mapping>
  <servlet-name>resources</servlet-name>
  <url-pattern>/adf/*</url-pattern>
  </servlet-mapping>
  <session-config>
  <session-timeout>35</session-timeout>
  </session-config>
  <mime-mapping>
  <extension>html</extension>
  <mime-type>text/html</mime-type>
  </mime-mapping>
  <mime-mapping>
  <extension>txt</extension>
  <mime-type>text/plain</mime-type>
  </mime-mapping>
  <welcome-file-list>
  <welcome-file>index.jsp</welcome-file>
  </welcome-file-list>
  <jsp-config/>
  <security-constraint>
  <web-resource-collection>
  <web-resource-name>todoLider</web-resource-name>
  <url-pattern>/faces/app/*</url-pattern>
  </web-resource-collection>
  <auth-constraint>
  <role-name>lider</role-name>
  </auth-constraint>
  </security-constraint>
  <login-config>
  <auth-method>FORM</auth-method>
  <form-login-config>
  <form-login-page>infrastructure/login.jsp</form-login-page>
  <form-error-page>infrastructure/error.jsp</form-error-page>
  </form-login-config>
  </login-config>
  <security-role>
  <role-name>lider</role-name>
  </security-role>
  <security-role>
  <role-name>auxiliar</role-name>
  </security-role>
  <security-role>
  <role-name>docente</role-name>
  </security-role>
  <security-role>
  <role-name>veedor</role-name>
  </security-role>
  <security-role>
  <role-name>estudiante</role-name>
  </security-role>
  <ejb-local-ref>
  <ejb-ref-name>ejb/local/AsigFacade</ejb-ref-name>
  <ejb-ref-type>Session</ejb-ref-type>
  <local>datamodel.model.AsigFacadeLocal</local>
  <ejb-link>AsigFacade</ejb-link>
  </ejb-local-ref>
  </web-app>
  index.jsp
  <!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN"
  "http://www.w3.org/TR/html4/loose.dtd">
  <%@ page contentType="text/html;charset=windows-1252"%>
  <html>
  <head>
  <meta http-equiv="Content-Type" content="text/html; charset=windows-1252"/>
  <title>index</title>
  </head>
  <body><%response.sendRedirect("faces/app/welcome.jsp");%></body>
  </html>

  Servlet mapping for the Faces Servlet is
  <servlet-mapping>
  <servlet-name>Faces Servlet</servlet-name>
  <url-pattern>/faces/*</url-pattern>
  </servlet-mapping>
  Is the input.jsp run by specifying the url in the browser?
  Run input.jsp with right-click>Run
  The url should include /faces/

• Form-based authentication problem with weblogic

  Hi Everyone,
  The following problem related to form-based authentication
  was posted one week ago and no reponse. Can someone give it
  a shot? One more thing is added here. When I try it on J2EE
  server and do the same thing, I didn't encounter this error
  message, and I am redirected to the homeage.
  Thanks.
  -John
  I am using weblogic5.1 and RDBMSRealm as the security realm. I am having the following problem with the form-based authentication login mechanism. Does anyone have an idea what the problem is and how to solve it?
  When I login my application and logout as normal procedure, it is OK. But if I login and use the browser's BACK button to back the login page and try to login as a new user, I got the following error message,
  "Form based authentication failed. Could not find session."
  When I check the LOG file, it gives me the following message,
  "Form based authentication failed. One of the following reasons could cause it: HTTP sessions are disabled. An old session ID was stored in the browser."
  Normally, if you login and want to relogin without logout first, it supposes to direct you to the existing user session. But I don't understand why it gave me this error. I also checked my property file, it appears that the HTTP sessions are enabled as follows,
  weblogic.httpd.session.enable=true

  Hi...
  Hehe... I actually did implement the way you implement it. My login.jsp actually checks if the user is authenticated. If yes, then it will forward it to the home page. On the other hand, I used ServletAuthentication to solve the problem mentioned by Cameron where Form Authentication Failed usually occurs for the first login attempt. I'm also getting this error occasionally. Using ServletAuthentication totally eliminates the occurence of this problem.
  I'm not using j_security_check anymore. ServletAuthentication does all the works. It also uses RDBMSRealm to authenticate the user. I think the biggest disadvantage I can see when using ServletAuthentication is that the requested resource will not be returned after authentication cause the page returned after authenticating the user is actually hard coded (for my case, it's the home.jsp)
  cheers...
  Jerson
  "John Wang" <[email protected]> wrote:
  >
  Hi Jerson,
  I tried your code this weekend, it didn't work in my case. But
  I solved my specific problem other way. The idea behind my problem is that the user tries to relogin when he already logs in. Therefore, I just redirect the user into another page when he is getting the login page by htting the BACK button, rather than reauthenticate the user as the way you did.
  But, I think your idea is very helpful if it could work. Problems such multiple concurrence logins can be solved by pre-processing.
  In your new code, you solved the problem with a new approach. I am just wondering, do you still implement it with your login.jsp file? In other word, your action in login.jsp is still "Authenticate"? Where do you put the URL "j_security_check"?
  Thanks.
  -John
  "Jerson Chua" <[email protected]> wrote:
  I've solved the problem by using ServletAuthentication. So far I'm not getting the error message. One of the side effects is that it doesn't return the requested URI after authentication, it will always return the home page.
  Jerson
  package com.cyberj.catalyst.web;
  import weblogic.servlet.security.*;
  import javax.servlet.*;
  import javax.servlet.http.*;
  import java.io.*;
  public class Authenticate extends HttpServlet {
  private ServletAuthentication sa = new ServletAuthentication("j_username", "j_password");
  public void doPost(HttpServletRequest request, HttpServletResponse response)
  throws ServletException, java.io.IOException {
  int authenticated = sa.weak(request, response);
  if (authenticated == ServletAuthentication.NEEDS_CREDENTIALS ||
  authenticated == ServletAuthentication.FAILED_AUTHENTICATION) {
  response.sendRedirect("fail_login.jsp");
  } else {
  response.sendRedirect("Home.jsp");
  public void doGet(HttpServletRequest request, HttpServletResponse response)
  throws ServletException, java.io.IOException {
  doPost(request, response);
  "Jerson Chua" <[email protected]> wrote:
  The problem is still there even if I use page redirection. Grrr... My boss wants me to solve this problem so what are the alternatives I can do? Are there any other ways of authenticating the user? In my web tier... I'm using isUserInRole, getRemoteUser and the web tier actually connects to EJBs. If I implement my custom authentication, I wouldn't be able to use this functionalities.
  Has anyone solved this problem? I've tried the example itself and the same problem occurs.
  Jerson
  "Cameron Purdy" <[email protected]> wrote:
  Jerson,
  First try it redirected (raw) to see if that indeed is the problem ... then
  if it works you can "fix" it the way you want.
  Peace,
  Cameron Purdy
  Tangosol, Inc.
  http://www.tangosol.com
  +1.617.623.5782
  WebLogic Consulting Available
  "Jerson Chua" <[email protected]> wrote in message
  news:[email protected]...
  Hi...
  Thanks for your suggestion... I've actually thought of that solution. Butusing page redirection will expose the user's password. I'm thinking of
  another indirection where I will redirect it to another servlet but the
  password is encrypted.
  What do you think?
  thanks....
  Jerson
  "Cameron Purdy" <[email protected]> wrote:
  Maybe redirect to the current URL after killing the session to let the
  request clean itself up. I don't think that a lot of the request (such
  as
  remote user) will be affected by killing the session until the nextrequest
  comes in.
  Peace,
  Cameron Purdy
  Tangosol, Inc.
  http://www.tangosol.com
  +1.617.623.5782
  WebLogic Consulting Available
  "Jerson Chua" <[email protected]> wrote in message
  news:[email protected]...
  Hello guys...
  I've a solution but it doesn't work yet so I need your help. Because
  one
  of the reason for getting form base authentication failed is if an
  authenticated user tries to login again. For example, the one mentionedby
  John using the back button to go to the login page and when the user logsin
  again, this error occurs.
  So here's my solution
  Instead of submitting the page to j_security_check, submit it to a
  servlet
  which will check if the user is logged in or not. If yes, invalidates its
  session and forward it to j_security_check. But there's a problem in this
  solution, eventhough the session.invalidate() (which actually logs theuser
  out) is executed before forwarded to j_security_check, the user doesn't
  immediately logged out. How did I know this, because after calling
  session.invalidate, i tried calling request.RemoteUser() and it doesn't
  return null. So I'm still getting the error. What I want to ask you guyis
  how do I force logout before the j_security_check is called.
  here's the code I did which the login.jsp actually submits to
  import javax.servlet.*;
  import javax.servlet.http.*;
  import java.io.*;
  public class Authenticate extends HttpServlet {
  public void doPost(HttpServletRequest request, HttpServletResponseresponse)
  throws ServletException, java.io.IOException {
  if (request.getRemoteUser() != null) {
  HttpSession session = request.getSession(false);
  System.out.println(session.isNew());
  session.invalidate();
  Cookie[] cookies = request.getCookies();
  for (int i = 0; i < cookies.length; i++) {
  cookies.setMaxAge(0);
  getServletContext().getRequestDispatcher("/j_security_check").forward(reques
  t, response);
  public void doGet(HttpServletRequest request, HttpServletResponseresponse)
  throws ServletException, java.io.IOException {
  doPost(request, response);
  let's help each other to solve this problem. thanks.
  Jerson
  "Jerson Chua" <[email protected]> wrote:
  I thought that this problem will be solved on sp6 but to my
  disappointment, the problem is still there. I'm also using RDBMSRealm,same
  as John.
  Jerson
  "Cameron Purdy" <[email protected]> wrote:
  John,
  1. You are using a single WL instance (i.e. not clustered) on that
  NT
  box
  and doing so without a proxy (e.g. specifying http://localhost:7001),
  correct?
  2. BEA will pay more attention to the problem if you upgrade to SP6.If
  you don't have a reason NOT to (e.g. a particular regression), then
  you
  should upgrade. That will save you one go-around with support: "Hi,I
  am
  on SP5 and I have a problem.", "Upgrade to SP6 to see if that fixes
  it.
  Call back if that doesn't work."
  3. Make sure that you are not doing anything special before or after
  J_SECURITY_CHECK ... make sure that you have everything configuredand
  done
  by the book.
  4. Email BEA a bug report at [email protected] ... see what they say.
  Peace,
  Cameron Purdy
  Tangosol, Inc.
  http://www.tangosol.com
  +1.617.623.5782
  WebLogic Consulting Available
  "John Wang" <[email protected]> wrote in message
  news:[email protected]...
  Cameron,
  It seems to me that the problem I encountered is different a little
  from
  what you have, evrn though the error message is the same eventually.
  Everytime I go through, I always get that error.
  I am using weblogic5.1 and sp5 on NT4.0. Do you have any solutions
  to
  work
  around this problem? If it was a BUG as you
  pointed out, is there a way we can report it to the Weblogic
  technical support and let them take a look?
  Thnaks.
  -John
  "Cameron Purdy" <[email protected]> wrote:
  John,
  I will verify that I have seen this error now (after having read
  about it
  here for a few months) and it had the following characteristics:
  1) It was intermittent, and appeared to be self-curing
  2) It was not predictable, only seemed to occur at the first
  login
  attempt,
  and may have been timing related
  3) This was on Sun Solaris on a cluster of 2 Sparc 2xx's; the
  proxy
  was
  Apache (Stronghold)
  4) After researching the newsgroups, it appears that this "bug"
  may
  have gone away temporarily (?) in SP5 (although Jerson Chua
  <[email protected]> mentioned that he still got it in SP5)
  I was able to reproduce it most often by deleting the tmpwar and
  tmp_deployments directories while the cluster was not running,
  then
  restarting the cluster. The first login attempt would fail(roughly
  90%
  of
  the time?) and that server instance would then be ignored by the
  proxy
  for a
  while (60 seconds?) -- meaning that the proxy would send all
  traffic,
  regardless of the number of "clients", to the other server in thecluster.
  As far as I can tell, it is a bug in WebLogic, and probably has
  been
  there
  for quite a while.
  Peace,
  Cameron Purdy
  Tangosol, Inc.
  http://www.tangosol.com
  +1.617.623.5782
  WebLogic Consulting Available
  "John Wang" <[email protected]> wrote in message
  news:[email protected]...
  Hi Everyone,
  The following problem related to form-based authentication
  was posted one week ago and no reponse. Can someone give it
  a shot? One more thing is added here. When I try it on J2EE
  server and do the same thing, I didn't encounter this error
  message, and I am redirected to the homeage.
  Thanks.
  -John
  I am using weblogic5.1 and RDBMSRealm as the security realm. I
  am
  having
  the following problem with the form-based authentication login
  mechanism.
  Does anyone have an idea what the problem is and how to solve it?
  When I login my application and logout as normal procedure, it
  is
  OK.
  But
  if I login and use the browser's BACK button to back the login
  page
  and
  try
  to login as a new user, I got the following error message,
  "Form based authentication failed. Could not find session."
  When I check the LOG file, it gives me the following message,
  "Form based authentication failed. One of the following reasons
  could
  cause it: HTTP sessions are disabled. An old session ID was stored
  in
  the
  browser."
  Normally, if you login and want to relogin without logout first,
  it
  supposes to direct you to the existing user session. But I don'tunderstand
  why it gave me this error. I also checked my property file, it
  appears
  that
  the HTTP sessions are enabled as follows,
  weblogic.httpd.session.enable=true

• Form based authentication problem....help!!!!

  hey guys, <br>
  i'm trying to use form based authentication method to secure my web pages.
  This is the sample structure of the login page :
  <form action="j_security_check" method="post">
  <FONT SIZE="3" FACE="VERDANA">Company ��� </FONT>
  <INPUT TYPE=TEXT NAME="Company" SIZE="20">
  <BR><BR><BR>
  <FONT SIZE="3" FACE="VERDANA">UserName ��</FONT>
  <INPUT TYPE=TEXT NAME="j_username" SIZE="20">
  <BR><BR><BR>
  <FONT SIZE="3" FACE="VERDANA">Password �� </FONT>
  <INPUT TYPE=PASSWORD NAME="j_password" SIZE="20">
  <BR>
  <FONT SIZE="3" FACE="VERDANA">
  <INPUT TYPE=SUBMIT VALUE="Log In"> </FONT>
  </form>
  This is what the "loginerror.jsp" page looks like :
  <%@ taglib uri="http://java.sun.com/jsp/jstl/core" prefix="c" %>
  <html>
  <head>
  <title>
  Login Error
  </title>
  </head>
  <body>
  <c:url var="url" value="http://localhost:8080/sbs/sbs"/>
  <h2>Invalid user name or password.<h2>
  <p>Please enter a username or password that is authorized to access this application. Click here to try again</h2>
  </body>
  </html>
  This is what the sample response.jsp page looks like. This page should be displayed once the user logs in with correct username & password :
  <html>
  <head>
  <title>ResponsePage</title>
  </head>
  <body>
  <center>
  <h2>
  Testing response Page
  </h2>
  </center>
  </body>
  </html>
  Please note: I'm using j2ee1.4 sdk and DEPLOY TOOL to set all the security requirements. I think i did almost everything right but i don't understand the error that is being displayed. I t looks something like this :
  HTTP Status 400 - Invalid direct reference to form login page
  type Status report
  message Invalid direct reference to form login page
  description The request sent by the client was syntactically incorrect (Invalid direct reference to form login page).
  Sun-Java-System/Application-Server

  hey guys, <br>
  i'm trying to use form based authentication method to secure my web pages.
  This is the sample structure of the login page :
  <form action="j_security_check" method="post">
  <FONT SIZE="3" FACE="VERDANA">Company ��� </FONT>
  <INPUT TYPE=TEXT NAME="Company" SIZE="20">
  <BR><BR><BR>
  <FONT SIZE="3" FACE="VERDANA">UserName ��</FONT>
  <INPUT TYPE=TEXT NAME="j_username" SIZE="20">
  <BR><BR><BR>
  <FONT SIZE="3" FACE="VERDANA">Password �� </FONT>
  <INPUT TYPE=PASSWORD NAME="j_password" SIZE="20">
  <BR>
  <FONT SIZE="3" FACE="VERDANA">
  <INPUT TYPE=SUBMIT VALUE="Log In"> </FONT>
  </form>
  This is what the "loginerror.jsp" page looks like :
  <%@ taglib uri="http://java.sun.com/jsp/jstl/core" prefix="c" %>
  <html>
  <head>
  <title>
  Login Error
  </title>
  </head>
  <body>
  <c:url var="url" value="http://localhost:8080/sbs/sbs"/>
  <h2>Invalid user name or password.<h2>
  <p>Please enter a username or password that is authorized to access this application. Click here to try again</h2>
  </body>
  </html>
  This is what the sample response.jsp page looks like. This page should be displayed once the user logs in with correct username & password :
  <html>
  <head>
  <title>ResponsePage</title>
  </head>
  <body>
  <center>
  <h2>
  Testing response Page
  </h2>
  </center>
  </body>
  </html>
  Please note: I'm using j2ee1.4 sdk and DEPLOY TOOL to set all the security requirements. I think i did almost everything right but i don't understand the error that is being displayed. I t looks something like this :
  HTTP Status 400 - Invalid direct reference to form login page
  type Status report
  message Invalid direct reference to form login page
  description The request sent by the client was syntactically incorrect (Invalid direct reference to form login page).
  Sun-Java-System/Application-Server

• Security constraint in web.xml

  Hi All
  I want to set a security contraint to verfity my system user, I know I need to put the following section into the tomcat created web.xml. But I dont know where is the web.xml on my Tomcat 4.1.24, because i found many web.xml files in different directory.
  Q1) Sorry I know this is a silly question, but can u tell me which web.xml is the one I need to edit in order to set my the security constraint?
  Q2) Instead of editing the created Tomcat web.xml, can I create my own web.xml and put it in <Tomcat_Homw>/webapps/ROOT/WEB-INF. This is just only for the security constraint towards my system.
  Many many thanks
  Kelvin
  <security-constraint>
  <web-resource-collection>
  <web-resource-name>Administration</web-resource-name>
  <url-pattern>/admin</url-pattern>
  <url-pattern>/users</url-pattern>
  </web-resource-collection>
  <auth-constraint>
  <role-name>administrator</role-name>
  </auth-constraint>
  </security-constraint>
  <login-config>
  <auth-method>FORM</auth-method>
  <form-login-config>
  <form-login-page>/login</form-login-page>
  <form-error-page>/login-error</form-error-page>
  </form-login-config>
  </login-config>
  <security-role>
  <role-name>administrator</role-name>
  </security-role>

  you need to do it for every web-app... thats why there is one web.xml file for each! There is a thing in CATALINA_HOME/conf/server.xml that u can uncomment to enable 'single-logon' which means u cna log on once and be authenticated for every web-app...
  root isn't a web-app i don't think... so therefore u can't restrict access to it (someone correct me if wrong)... I don't know what u mean by restricting access to your 'system'

• Security constraint in Web.xml of tomcat

  Hi
  I have a web-application running on tomcat . Inside the context folder i have several directories having some pre-defined configuration files . But the user is able to directly access them by typing the path including the fileName in the URL ( I have disabled the listings property however)
  How can i prevent accessing the specific files .... I tried using
  <security-constraint>
  <display-name>Security constarint</display-name>
  <web-resource-collection>
  <web-resource-name>Java Application</web-resource-name>
  <url-pattern>/folder/*</url-pattern>
  <auth-constraint>
  <role-name>tomcat</role-name>
  </auth-constraint>
  </web-resource-collection>
  <auth-constraint>
  <role-name>tomcat</role-name>
  </auth-constraint>
  </security-constraint>
  <login-config>
  <auth-method>BASIC</auth-method>
  <realm-name>OnJava Application</realm-name>
  </login-config>
  This seems to be working fine , but when the user enters the wrong security info thrice , 401 error page is coming instead i want my custom page . Hence i configured an error page for 401 code which overwrited the earlier behavaiour ie.. that BASIC authentication popup is not coming
  Can any one let me know how to go about this

  Hi ,
  I have tried adding the following into web.xml but the security feature just doesnt work and the user can go to any page without any restriction.
  <security-constraint>
  <web-resource-collection>
  <web-resource-name>Declarative Security Test</web-resource-name>
  <url-pattern>/SuperServlet</url-pattern>
  <url-pattern>/*</url-pattern>
  <http-method>post</http-method>
  <http-method>get</http-method>
  </web-resource-collection>
  <user-data-constraint>
       <transport-guarantee>CONFIDENTIAL</transport-guarantee>
       </user-data-constraint>
  <auth-constraint>
  <role-name>guest</role-name>
  <role-name>member</role-name>
  </auth-constraint>
  </security-constraint>
  <login-config>
  <auth-method>BASIC</auth-method>
  </login-config>
  <security-role>
  <role-name>guest</role-name>
  <role-name>member</role-name>
  </security-role>
  The roles mentioned above have been added correctly into tomcat-users.xml..The version of tomcat I am using is tomcat5.0.28.Please help.

• Using security-constraint in web.xml; not recognizing url-pattern tag

  I am creating a very simple jsp application within JDeveloper 10.1.3.1. I have 2 jsp files...a readData.jsp and a maintainData.jsp. I would like to deploy this application to Oracle Application Server 10.1.2.2. I would like to use Oracle Internet Directory with Single Sign on enabled. The deployment to OAS works fine. For the security, I would like an administrator user to get to both pages...and a user to only be able to see the readData.jsp. I used the security constraints on the properties of the web.xml file within JDeveloper. Here is my web.xml file:
  <?xml version = '1.0' encoding = 'windows-1252'?>
  <!DOCTYPE web-app PUBLIC "-//Sun Microsystems, Inc.//DTD Web Application 2.3//EN" "http://java.sun.com/dtd/web-app_2_3.dtd">
  <web-app>
  <description>Empty web.xml file for Web Application</description>
  <session-config>
  <session-timeout>35</session-timeout>
  </session-config>
  <mime-mapping>
  <extension>html</extension>
  <mime-type>text/html</mime-type>
  </mime-mapping>
  <mime-mapping>
  <extension>txt</extension>
  <mime-type>text/plain</mime-type>
  </mime-mapping>
  <security-constraint>
  <web-resource-collection>
  <web-resource-name>adm_full_access</web-resource-name>
  <url-pattern>*</url-pattern>
  </web-resource-collection>
  <auth-constraint>
  <role-name>adm_all</role-name>
  </auth-constraint>
  </security-constraint>
  <security-constraint>
  <web-resource-collection>
  <web-resource-name>usr_access</web-resource-name>
  <url-pattern>readData.jsp</url-pattern>
  </web-resource-collection>
  <auth-constraint>
  <role-name>usr_all</role-name>
  </auth-constraint>
  </security-constraint>
  <login-config>
  <auth-method>BASIC</auth-method>
  </login-config>
  <security-role>
  <role-name>usr_all</role-name>
  </security-role>
  <security-role>
  <role-name>adm_all</role-name>
  </security-role>
  </web-app>
  When I deploy to OAS I added an OID account to the adm_all role...this works fine I can log on as that user and get to both jsps. But, when I add my user to the usr_all role within OAS I try to log on to the app...I then enter my SSO username and password and I get Access Denied errors from my browser when trying to access either page. I am confused about the <url-pattern> tag...is that relative to a directory within my deployment? Most of the examples I have seen use servlets...so I was wondering if I can even use the <url-pattern> tag to restrict/allow access to individual jsps? If someone could point me to some documentation on this set-up I would appreciate it!
  Thank you.

  I was able to get this to work. By doing the following:
  <security-constraint>
  <web-resource-collection>
  <web-resource-name>adm_full_access</web-resource-name>
  <url-pattern>*</url-pattern>
  </web-resource-collection>
  <auth-constraint>
  <role-name>adm_all</role-name>
  </auth-constraint>
  </security-constraint>
  I was restricting access to all other groups by uisng <url-pattern>*</url-pattern>. Any other security-constraints set-up after that will not work. So saying * requires usr_all will restrict ALL webpages to ONLY adm_all, regardless of what future constraints say. So, my first security-constraints lists all directories or pages that every user can access. My next security-constraint then list resources that only my admins (adm_all) can acess. Any other security constraints then are set-up for each user role that I have...if adm_all should have access to these then the <role-name>adm_all</role-name> is added to each security constraint.

• RE: security-constraint in web.xml of sunone 6.1

  Hello again,
  Still url-pattern of security-constraint issue in web.xml of sunone 6.1 (SP5).
  I am pretty sure this pattern works fine in SunOne 6.0 and SunOne 6.1 SP2,
  <security-constraint>
  <url-pattern>/app/jws1/*.jsp</url-pattern>
  <url-pattern>/app/jws1/*.jnlp</url-pattern>
  </security-constraint>
  In SunOne 6.0 or SunOne 6.1 SP2, if I have not yet logged in and type in a url matching the above patterns in a browser, I will be asked for username and password. But in SunOne 6.1 SP5, I won't be asked for username and password.

  Unfortunately, that's not how <url-pattern> values work. They shouldn't have "worked" in 6.1 SP2. I'm pretty sure they didn't. 6.0 takes a more intuitive, but nonstandard, approach to <url-pattern> wildcards. That nonstandard behaviour was corrected in 6.1.
  The Java Servlet Specification 2.3 -- see http://www.jcp.org/aboutJava/communityprocess/final/jsr053/ -- defines the contents of the <url-pattern> as follows:
  � A string beginning with a �/� character and ending with a �/*� postfix is used for path mapping.
  � A string beginning with a �*.� prefix is used as an extension mapping.
  � A string containing only the �/� character indicates the "default" servlet of the application. In this case the servlet path is the request URI minus the context path and the path info is null.
  � All other strings are used for exact matches only.
  That means that /app/jws1/* will do what you might expect, as will *.jsp, but /app/jws1/*.jsp will only match the exact URI /app/jws1/*.jsp. /app/jws1/*.jsp will not match a URI such as /app/jws1/filename.jsp.
  If you can't construct appropriate authorization rules using <url-pattern>, you may wish to a) restructure your web app or b) use Web Server ACLs.

• Query string in security constraint in web.xml

  Hi All
  I want to portect following URL in securit-constraint tag of web.xml
  /appmanager/website/portal?_nfpb=true&_pageLabel=myaccount
  but when i write :
  <security-constraint>
  <display-name>FormProtectedPages</display-name>
  <web-resource-collection>
  <web-resource-name>Constraint-0</web-resource-name>
  <url-pattern/appmanager/website/portal?_nfpb=true&_pageLabel=myaccount</url-pattern> //line 1
  </web-resource-collection>
  <auth-constraint>
       <role-name>MyRole</role-name>
  </auth-constraint>
  <user-data-constraint>
       <transport-guarantee>NONE</transport-guarantee>
       </user-data-constraint>
  </security-constraint>
  It gives me error in line 1 that
  "the reference to entity "_pagelabel" must end with ";" delimiter."
  What could be the reason for this. Cant i portect URLs of this kind in my web.xml?
  Any suggestions would be helpful.
  Thanks

  Shabd wrote:
  It gives me error in line 1 that
  "the reference to entity "_pagelabel" must end with ";" delimiter."
  What gives you an error?

• How To Use HttpUnit With FORM-based Authentication?

  I'm just getting started with HttpUnit, and I'm having a problem:
  How does one use HttpUnit with FORM-based authentication?
  I have a Web app where I specify a number of protected URLs. When a user tries to invoke one of them in a browser, Tomcat 4.1.30 brings up a login page that I specified and asks for a username and password. The values given by the user is checked against the tomcat-users.xml file. If the user is valid, Tomcat
  forwards the response from the original request. If invalid, an error page is displayed. The user is considered valid until either the session times out or the browser is closed.
  Does HttpUnit have to log into the app every time I run a test? How does it manage subsequent pages after login?

  I don't think that's true. HttpUnit is 100% Java and based on JUnit. HttpUnit has nothing to do with Apache, AFAIK. HttpUnit is for unit testing servlets and JSPs. Apache is a Web server. It doesn't have a servlet/JSP engine, unless you bolt Tomcat on top of it.
  Perhaps we're talking about two different packages. - %

• Big problem :anything is accepted by form-based authentication on Jboss

  Hi there
  I'm new to form-based authentication. I've been stuck on this problem for one and a half day. I set up the form-based authentication(with JDBC realm) on JBoss 3.2/Tomcat 5.0. When I visit the protected area, it did ask me for password. But it accepts whatever I input and forwards the desired page, even when I input nothing and just click on submit, it allows me to go through. No error message at all. I am in desperate need for help.
  Here is my configuration. The web.xml is like this
  <?xml version="1.0" encoding="UTF-8"?>
  <!DOCTYPE web-app PUBLIC "-//Sun Microsystems, Inc.//DTD Web Application 2.3//EN" "http://java.sun.com/dtd/web-app_2_3.dtd">
  <web-app>
  <display-name>LoginTest</display-name>
  <security-constraint>
  <display-name>Example Security Constraint</display-name>
  <web-resource-collection>
  <web-resource-name>Protected Area</web-resource-name>
  <url-pattern>/*</url-pattern>
  <http-method>DELETE</http-method>
  <http-method>GET</http-method>
  <http-method>POST</http-method>
  <http-method>PUT</http-method>
  </web-resource-collection>
  <auth-constraint>
  <role-name>manager</role-name>
  </auth-constraint>
  <user-data-constraint><transport-guarantee>NONE</transport-guarantee></user-data-constraint>
  </security-constraint>
  <!-- Default login configuration uses form-based authentication -->
  <login-config>
  <auth-method>FORM</auth-method>
  <form-login-config>
  <form-login-page>/login.jsp</form-login-page>
  <form-error-page>/error.jsp</form-error-page>
  </form-login-config>
  </login-config>
  <security-role>
  <description>Manager security role</description>
  <role-name>manager</role-name>
  </security-role>
  </web-app>
  I also add the following JDBC realm definition into the server.xml which is under jboss/server/default/deploy/jbossweb-tomcat50.sar
  <Realm
  className="org.apache.catalina.realm.JDBCRealm" debug="1"
  driverName="org.gjt.mm.mysql.Driver"
  connectionURL="jdbc:mysql://myipdadress:3306/field_bak"
  connectionName="plankton"
  connectionPassword="plankton"
  userTable="users"
  userNameCol="user_name"
  userCredCol="user_pass"
  userRoleTable="user_roles"
  roleNameCol="role_name"
  />
  The JDBC realm is enclosed by the <engine> element. I checked the server log file, when the jboss server is started, it does load the mysql driver correctly and connect to mysql database fine. If I changed the IP of the mysql server to a non-existing one, then when I start jboss server, the server boot process will complain about connection to mysql faiure.
  I guess maybe the server doesn't do the authentication by connecting to mysql and verify it when I submit the log in form. It seems the JDBC realm authentication is bypassed. I notice that even I get rid of the JDBC realm definition from the server.xml file, and test the web application. It behaves exactly the same way. It asks me for password but anything will go through even nothing.
  Can anybody help me about this? I'm really stuck on this.
  Thanks a lot!

  By the way, I did create database"field_bak" and the tables for the JDBC realm verification.
  I also created the users and the roles.
  But it seems like Tomcat container doesn't do the JDBC realm authentication.

• Window for Form-Based Authentication in web.xml for JAZN.

  Whether probably to make so that the form-authorization in Form-Based Authentication in web.xml for JAZN opened in a separate window?
  Thanks,
  Alexandre

  this is what i have so far...in my web.xml deployment descriptor
  am using Jbuilder 6 with tomcat.....if i run it from IDE, will the featuresi have added to the web.xml file...eg Error page be used ...or only when i deplo the app ???
  <?xml version="1.0" encoding="UTF-8"?>
  <!DOCTYPE web-app PUBLIC "-//Sun Microsystems, Inc.//DTD Web Application 2.2//EN" "http://java.sun.com/j2ee/dtds/web-app_2_2.dtd">
  <web-app>
  <display-name>Java Pet Store</display-name>
  <description>Web Application for Reseach</description>
  <session-config>
  <session-timeout>54</session-timeout>
  </session-config>
  <welcome-file-list>
  <welcome-file>Default.jsp</welcome-file>
  </welcome-file-list>
  <error-page>
  <error-code>500</error-code>
  <location>/</location>
  </error-page>
  <taglib>
  <taglib-uri>PetStoreTagLib</taglib-uri>
  <taglib-location>/WEB-INF/PetStoreTagLib.tld</taglib-location>
  </taglib>
  <security-constraint>
  <web-resource-collection>
  <web-resource-name>SecurePages</web-resource-name>
  <url-pattern>Checkout.jsp</url-pattern>
  <url-pattern>OrderList.jsp</url-pattern>
  <url-pattern>OrderDetails.jsp</url-pattern>
  </web-resource-collection>
  <auth-constraint>
  <role-name>LoggedInUser</role-name>
  </auth-constraint>
  <user-data-constraint>
  <transport-guarantee>CONFIDENTIAL</transport-guarantee>
  </user-data-constraint>
  </security-constraint>
  <login-config>
  <auth-method>FORM</auth-method>
  <form-login-config>
  <form-login-page>/Login.jsp</form-login-page>
  <form-error-page>/ErrorPage.jsp</form-error-page>
  </form-login-config>
  </login-config>
  <security-role>
  <description>Logged In User</description>
  <role-name>LoggedInUser</role-name>
  </security-role>
  </web-app>
  in setting up the tomcat-users.xml file am i to add table to my database, to relate the user to the role.......

• Problem in form based authentication

  Hi,
  I am encountering some problem in form based authentication.
  When I try to login for the first time. It reoute me to the image
  directory and not to the request page.
  When I try it for the second time, it shows
  "Form based authentication failed. Could not find session."
  And it always show this message no matter how many time I try.
  I am not sure is it something that I did not set ...
  Thanks for any advice.
  Eric

  Hi Eric,
  It may be a problem in your web.xml, I missed the "/" slash character
  in the web.xml's in <form-login-page> element. So your web.xml
  must look like

• Webgate : problem in Form based authentication

  I have configured a WebGate to protect an web application hosted on Sun WebServer 6.1.
  It works fine, If I use the basic authentication mechanism. If I access the application, it challenges me uid/pwd thru a small pop up window; after successful authentication I am redirected to the requested application.
  However, the same does not work for Form based authentication. The webgate plugin doe not look like picking the userid/ pwd field from the login.html. Also it redirect to the mentioned action "/access/dummy" in the html.
  My login.html for looks like this :
  <html>
  <form name="myloginform" action="/access/dummy" method="post">
       UserID <input type="text" name="userid" size="20">
       Password <input type="password" name="password" size="20">
       <input type="submit" name="submit" value="Login">
  </form>
  </html>
  Pls help me out, I have spent several hours debugging this. surprisingly, I have a different machine with exactly same set up works fine.
  Thanks

  Hi Eric,
  It may be a problem in your web.xml, I missed the "/" slash character
  in the web.xml's in <form-login-page> element. So your web.xml
  must look like

• Any one else have problems using 'FORM' based authentication in OC4J?

  Since I couldn't find any information on this from Oracle I went with the specifications from Orion.
  I am using Oracle Internet Directory Server for authentication of OC4J apps. I followed Orions specs for writing and pluging in your own usermanger to make calls to OID. Everything works fine when I use BASIC authentication but when I use FORM based authentication it fails to send the browser to the original url that was requested.
  The browser just displays a blank screen?
  You can tell that the client is authenticated because you can just request the URL again and it's displayed without prompting for a username/password.
  For the login in screen the only specs Orion gives is that your form has to have an action of 'j_security_check' and pass 'j_username' and 'j_password'.
  Does oracle have another way to do this, or has anyone else experienced this and no a way to fix it?

  Tom,
  Custom user authentication in Oc4J 1.0.2.2 is same in both Oc4J and Orion and we have tested that form based authentication works
  fine. In 9iAS Release 2 Oracle has an integerated JAAS implementation with OC4J which you can configure either to authenticate users from a encrypted file or users stored in OID.