Form-based authentication stores the username/password pair in the session

Similar Messages

• FORM based authentication

  Hi,
  I'm using Oracle JDeveloper 9.0.3 with the embedded oc4j. I have configured for simple FORM based authentication by storing username/password in the principals.xml file.
  I am presented with the login form correctly when I try to access a protected resource, but my username/password is always rejected (I'm redirected to the error page after trying to log-in). Can someone pls help??
  The relevant portions of the contents of the deployment descriptor files that I'm using:
  principals.xml
  <principals>
  <groups>
  <group name="securegroup">
  <description>secureusers</description>
  </group>
  </groups>
  <users>
  <user username="testuser" password="test">
  <description>test user </description>
  <group-membership group="securegroup" />
  </user>
  </users>
  </principals>
  web.xml
  <web-app>
  <security-constraint>
  <display-name>Example Security Constraint</display-name>
  <web-resource-collection>
  <web-resource-name>Protected Area</web-resource-name>
  <!-- Define the context-relative URL(s) to be protected -->
  <url-pattern>*</url-pattern>
  <!-- If you list http methods, only those methods are protected -->
  </web-resource-collection>
  <auth-constraint>
  <!-- Anyone with one of the listed roles may access this area -->
  <role-name>role1</role-name>
  </auth-constraint>
  </security-constraint>
  <!-- Default login configuration uses form-based authentication -->
  <login-config>
  <auth-method>FORM</auth-method>
  <realm-name>Example Form-Based Authentication Area</realm-name>
  <form-login-config>
  <form-login-page>login.jsp</form-login-page>
  <form-error-page>error.jsp</form-error-page>
  </form-login-config>
  </login-config>
  <!-- Security roles referenced by this web application -->
  <security-role>
  <role-name>role1</role-name>
  </security-role>
  </web-app>
  orion-application.xml
  <orion-application>
  <security-role-mapping name="role1">
  <group name="securegroup" />
  </security-role-mapping>
  </orion-application>
  application.xml (stored in my D:\JDeveloper\jdev\MyProj\MyProject\WEB-INF\src\META-INF folder)
  <?xml version = '1.0' encoding = 'windows-1252'?>
  <!DOCTYPE application PUBLIC "-//Sun Microsystems, Inc.//DTD J2EE Application 1.2//EN" "http://java.sun.com/j2ee/dtds/application_1_2.dtd">
  <application>
  <security-role-mapping name="role1">
  <group name="securegroup" />
  </security-role-mapping>
  </application>

  REPOST
  <br><br>
  Keywords: form-login, principals.xml, embedded OC4J, authentication
  <p>
  Please see http://forums.oracle.com/forums/message.jsp?id=1266989
  <p>
  The provided link does not work.<br><br>
  In the application.xml of the OC4j config folder I have comemnted out the: <br> <jazn provider="XML" location="./jazn-data.xml"/>
  and added my roles mappings from web.xml :<br>
       <security-role-mapping name="OES_admin">
            <group name="administrators"/>
       </security-role-mapping>
  <p>
  plus in proncipals.xml have created an entry for my test user:<p>
            <user username="testusr" password="test">
                 <description>Just me</description>
                 <group-membership group="users" />
                 <group-membership group="guests" />
                 <group-membership group="administrators" />
            </user>
  <p>
  And still cannot run Form-authentication from inside jdeveloper .... authentication runs fine when the app is deployed to Tomcat5
  <p>
  Help Please, I'm using jdev 10.1.2.0
  Message was edited by:
  omar71

• How to get the username/password of the current owner of the running code

  Dear friends,
  Our product is running on the App Server(weblogic/websphere...) and we also use security provider(OpenLDAP) and kerberos to support SSO. Before, when a user tyies to login in the first time, the way we use to authenticate the user is:
  1) Accept the username/password
  2) Query the security provider(OpenLDAP) to get the principles.
  3) verity if the username/password is corrent or not.
  As we know, to query the principles, we need to provide a search user(both username and password) if we configured the access control of the ldap server:
  I have configured my envirioment as follows
  1) In the LDAP server, configured the Middle Tire user(The Operating System user running the App Server) to have the permission to query principles.
  2) The server is configured to runing on SSO envirioment.
  My question is could I get the username/password of the OS user running the App Server at runtime so that I can query the ldap server without explicitly providing the search user?
  Thanks,
  RR
  Edited by: Ricky Ru on Oct 9, 2011 1:50 AM

  Thanks EJP.
  I have made some progress on this. But I have met another issue.
  *1) Using JAAS to login.*
  loginContext.login();
                 Subject subject = loginContext.getSubject();
                 ldapContext = (LdapContext) Subject.doAs(subject, this);
  *2) Init the ldapContext to use the GSSAPI authentication*
  // this is called automatically by login()
       public Object run() {
            Hashtable ldapEnv = new Hashtable();
            ldapEnv.put(Context.INITIAL_CONTEXT_FACTORY, "com.sun.jndi.ldap.LdapCtxFactory");
            ldapEnv.put(Context.PROVIDER_URL, "ldap://9.30.215.197");
            ldapEnv.put(Context.SECURITY_AUTHENTICATION,"GSSAPI");
            ldapEnv.put(Context.SECURITY_PRINCIPAL,"");
            ldapEnv.put(Context.SECURITY_CREDENTIALS,"");
            //System.setProperty("sun.security.krb5.debug", "false");
            // This tells the GSS-API to use the cached ticket as
            // credentials, if it is available
            System.setProperty("javax.security.auth.useSubjectCredsOnly", "false");     
            try {
                 InitialLdapContext ctx = new InitialLdapContext(ldapEnv,null);
  But I got the following exception when excuting new InitialLdapContext(ldapEnv,null);
  Debug is true storeKey false useTicketCache true useKeyTab false doNotPrompt false ticketCache is null isInitiator true KeyTab is null refreshKrb5Config is false principal is null tryFirstPass is false useFirstPass is false storePass is false clearPass is false
  Acquire TGT from Cache
  Principal is [email protected]
  Commit Succeeded
  javax.naming.AuthenticationException: GSSAPI [Root exception is javax.security.sasl.SaslException: GSS initiate failed [Caused by GSSException: No valid credentials provided (Mechanism level: Integrity check on decrypted field failed (31))]]
       at com.sun.jndi.ldap.sasl.LdapSasl.saslBind(LdapSasl.java:150)
       at com.sun.jndi.ldap.LdapClient.authenticate(LdapClient.java:214)
       at com.sun.jndi.ldap.LdapCtx.connect(LdapCtx.java:2694)
       at com.sun.jndi.ldap.LdapCtx.<init>(LdapCtx.java:293)
       at com.sun.jndi.ldap.LdapCtxFactory.getUsingURL(LdapCtxFactory.java:175)
       at com.sun.jndi.ldap.LdapCtxFactory.getUsingURLs(LdapCtxFactory.java:193)
       at com.sun.jndi.ldap.LdapCtxFactory.getLdapCtxInstance(LdapCtxFactory.java:136)
       at com.sun.jndi.ldap.LdapCtxFactory.getInitialContext(LdapCtxFactory.java:66)
       at javax.naming.spi.NamingManager.getInitialContext(NamingManager.java:667)
       at javax.naming.InitialContext.getDefaultInitCtx(InitialContext.java:288)
       at javax.naming.InitialContext.init(InitialContext.java:223)
       at javax.naming.ldap.InitialLdapContext.<init>(InitialLdapContext.java:134)
       at LDAPKerbService.run(LDAPKerbService.java:66)
       at java.security.AccessController.doPrivileged(Native Method)
       at javax.security.auth.Subject.doAs(Subject.java:337)
       at LDAPKerbService.login(LDAPKerbService.java:40)
       at LDAPKerbService.main(LDAPKerbService.java:82)
  Caused by: javax.security.sasl.SaslException: GSS initiate failed [Caused by GSSException: No valid credentials provided (Mechanism level: Integrity check on decrypted field failed (31))]
       at com.sun.security.sasl.gsskerb.GssKrb5Client.evaluateChallenge(GssKrb5Client.java:194)
       at com.sun.jndi.ldap.sasl.LdapSasl.saslBind(LdapSasl.java:105)
       ... 16 more
  Caused by: GSSException: No valid credentials provided (Mechanism level: Integrity check on decrypted field failed (31))
       at sun.security.jgss.krb5.Krb5Context.initSecContext(Krb5Context.java:663)
       at sun.security.jgss.GSSContextImpl.initSecContext(GSSContextImpl.java:230)
       at sun.security.jgss.GSSContextImpl.initSecContext(GSSContextImpl.java:162)
       at com.sun.security.sasl.gsskerb.GssKrb5Client.evaluateChallenge(GssKrb5Client.java:175)
       ... 17 more
  Caused by: KrbException: Integrity check on decrypted field failed (31)
       at sun.security.krb5.KrbTgsRep.<init>(KrbTgsRep.java:61)
       at sun.security.krb5.KrbTgsReq.getReply(KrbTgsReq.java:185)
       at sun.security.krb5.internal.CredentialsUtil.serviceCreds(CredentialsUtil.java:294)
       at sun.security.krb5.internal.CredentialsUtil.acquireServiceCreds(CredentialsUtil.java:106)
       at sun.security.krb5.Credentials.acquireServiceCreds(Credentials.java:562)
       at sun.security.jgss.krb5.Krb5Context.initSecContext(Krb5Context.java:594)
       ... 20 more
  Caused by: KrbException: Identifier doesn't match expected value (906)
       at sun.security.krb5.internal.KDCRep.init(KDCRep.java:133)
       at sun.security.krb5.internal.TGSRep.init(TGSRep.java:58)
       at sun.security.krb5.internal.TGSRep.<init>(TGSRep.java:53)
       at sun.security.krb5.KrbTgsRep.<init>(KrbTgsRep.java:46)
       ... 25 more
  Do you have any clue on this? Thanks.

• Form based authentication very slow

  Hi,
  We are facing problem in form based login authentication. Any application having a form based authentication is taking too much time.
  We are running SAP J2EE Server 6.40 with SP16.
  The database and the J2EE server are in a single machine.
  The basic authentication does not show up any problem.
  The form based takes up too much amount of time but does go through.
  What can be the problem?
  Regards,
  Ameya

  Hi Ameya,
  if form based authentication is working fine for you then please send me complete step by step procedure or any document if you have any as i configured everything required for form based authentication and when i provide any of the .jsp page in the url i am not getting the login page. please help me as soon as possible

• Form based authentication problem

  Hi people, im new here. Im working on a small application and i have decided to work with Form Based authentication. Theres a index page in the root that redirect to welcome page but when i try to Run the first page im getting this exception.
  javax.servlet.jsp.JspException: Cannot find FacesContext at javax.faces.webapp.UIComponentTag.doStartTag(UIComponentTag.java:427) at com.sun.faces.taglib.jsf_core.ViewTag.doStartTag(ViewTag.java:125) at infrastructure.login._jspService(_login.java:53)
  I have been searching for a while in the web but i couldnt find anything that fix the problem. Can anybody give me a hand with this? The version of Jdeveloper is 10.1.3.2. Here are the web.xml file and index.jsp
  <?xml version = '1.0' encoding = 'windows-1252'?>
  <web-app xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xsi:schemaLocation="http://java.sun.com/xml/ns/j2ee http://java.sun.com/xml/ns/j2ee/web-app_2_4.xsd" version="2.4" xmlns="http://java.sun.com/xml/ns/j2ee">
  <description>Empty web.xml file for Web Application</description>
  <context-param>
  <param-name>javax.faces.STATE_SAVING_METHOD</param-name>
  <param-value>client</param-value>
  </context-param>
  <context-param>
  <param-name>CpxFileName</param-name>
  <param-value>userinterface.DataBindings</param-value>
  </context-param>
  <filter>
  <filter-name>adfFaces</filter-name>
  <filter-class>oracle.adf.view.faces.webapp.AdfFacesFilter</filter-class>
  </filter>
  <filter>
  <filter-name>adfBindings</filter-name>
  <filter-class>oracle.adf.model.servlet.ADFBindingFilter</filter-class>
  </filter>
  <filter-mapping>
  <filter-name>adfFaces</filter-name>
  <servlet-name>Faces Servlet</servlet-name>
  <dispatcher>FORWARD</dispatcher>
  <dispatcher>REQUEST</dispatcher>
  </filter-mapping>
  <filter-mapping>
  <filter-name>adfBindings</filter-name>
  <url-pattern>*.jsp</url-pattern>
  </filter-mapping>
  <servlet>
  <servlet-name>Faces Servlet</servlet-name>
  <servlet-class>javax.faces.webapp.FacesServlet</servlet-class>
  <load-on-startup>1</load-on-startup>
  </servlet>
  <servlet>
  <servlet-name>resources</servlet-name>
  <servlet-class>oracle.adf.view.faces.webapp.ResourceServlet</servlet-class>
  </servlet>
  <servlet-mapping>
  <servlet-name>Faces Servlet</servlet-name>
  <url-pattern>/faces/*</url-pattern>
  </servlet-mapping>
  <servlet-mapping>
  <servlet-name>resources</servlet-name>
  <url-pattern>/adf/*</url-pattern>
  </servlet-mapping>
  <session-config>
  <session-timeout>35</session-timeout>
  </session-config>
  <mime-mapping>
  <extension>html</extension>
  <mime-type>text/html</mime-type>
  </mime-mapping>
  <mime-mapping>
  <extension>txt</extension>
  <mime-type>text/plain</mime-type>
  </mime-mapping>
  <welcome-file-list>
  <welcome-file>index.jsp</welcome-file>
  </welcome-file-list>
  <jsp-config/>
  <security-constraint>
  <web-resource-collection>
  <web-resource-name>todoLider</web-resource-name>
  <url-pattern>/faces/app/*</url-pattern>
  </web-resource-collection>
  <auth-constraint>
  <role-name>lider</role-name>
  </auth-constraint>
  </security-constraint>
  <login-config>
  <auth-method>FORM</auth-method>
  <form-login-config>
  <form-login-page>infrastructure/login.jsp</form-login-page>
  <form-error-page>infrastructure/error.jsp</form-error-page>
  </form-login-config>
  </login-config>
  <security-role>
  <role-name>lider</role-name>
  </security-role>
  <security-role>
  <role-name>auxiliar</role-name>
  </security-role>
  <security-role>
  <role-name>docente</role-name>
  </security-role>
  <security-role>
  <role-name>veedor</role-name>
  </security-role>
  <security-role>
  <role-name>estudiante</role-name>
  </security-role>
  <ejb-local-ref>
  <ejb-ref-name>ejb/local/AsigFacade</ejb-ref-name>
  <ejb-ref-type>Session</ejb-ref-type>
  <local>datamodel.model.AsigFacadeLocal</local>
  <ejb-link>AsigFacade</ejb-link>
  </ejb-local-ref>
  </web-app>
  index.jsp
  <!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN"
  "http://www.w3.org/TR/html4/loose.dtd">
  <%@ page contentType="text/html;charset=windows-1252"%>
  <html>
  <head>
  <meta http-equiv="Content-Type" content="text/html; charset=windows-1252"/>
  <title>index</title>
  </head>
  <body><%response.sendRedirect("faces/app/welcome.jsp");%></body>
  </html>

  Servlet mapping for the Faces Servlet is
  <servlet-mapping>
  <servlet-name>Faces Servlet</servlet-name>
  <url-pattern>/faces/*</url-pattern>
  </servlet-mapping>
  Is the input.jsp run by specifying the url in the browser?
  Run input.jsp with right-click>Run
  The url should include /faces/

• Form based Authentication Help needed.

  I am using form based authentication to validate a user logging into the website.
  In the web.xml I am using code similar to the following:
  <!-- LOGIN AUTHENTICATION -->
  <login-config>
  <auth-method>FORM</auth-method>
  <realm-name>default</realm-name>
  <form-login-config>
  <form-login-page>login.jsp</form-login-page>
  <form-error-page>error.jsp</form-error-page>
  </form-login-config>
  </login-config>
  When session times out, and user clicks on any link on the webpage, the user is sent to the main login page, with a new session. I need to display a message on this page stating that the session timed out due to inactivity. How can I go about doing this? Is it possible to send user to a different page with this message? Thanks in advance.

  More details of this can be found in this link:
  http://java.sun.com/webservices/docs/1.2/tutorial/doc/Security5.html

• How to redirect to j_security_check without the form based authentication

  Hi,
  I am trying to integrate my application authentication to a backend system with the ibm websphere form based authentication. Below is the scenario:
  1. when the user clicks on a protected url, the container will redirect the user to the login page.
  2. instead of displaying the login page, i would like to automatically redirect the user to j_security_check action. which means that instead of displaying the login.jsp page, the user will automatically be redirected to j_security_check to perform some user authentication, and if successful, the application pages will be displayed.
  The reason i want to auto redirect the user to j_security_check is because i am implementing some integration work with a backend system. the user will key in the username/password from another system. once the user is authenticated, the user information will be passed to my system. The login page of my system will not be displayed again, and by using the username value, my system will assume that the user has successfully been authenticated (authentication done by the backend system), and therefore automatically gain authorization to login into my application.
  i hope that clarifies my problem.
  anyone out there has any solution to my problem?
  thanks a lot in advance.

  Hi Darren,
  Let me explain the whole authentication environment.
  There are actually 2 systems in this environment. Let;s call it system A and system B.
  System B is actually using the authentication mechanism that i described in my previous message.
  A login page will be presented to the user (within system A). User credential is collected and passed to system A to be authenticated. System A will use its own mechanism to authenticate the user.
  Once the user is authenticated, system A will pass the user ID to system B. At this point, system B will assume that the user is authenticated and grant authorization to access the application. (system B global security is enabled and implements the form based authentication mechanism) Therefore, at this point, the redirect page (so called login page) will not be displayed to the user, instead it will be automatically redirected to the j_security_check action to execute the customer Ldap Registry class. (ps : eventhough authentication is no longer needed, the flow will still go to Ldap Registry class. A check is done in the Ldap Registry class to skip the authentication, if it is not boot strap login. Only first and only time authentication is done for boot strap login).
  In the case a protected url is clicked or invoked by the user directly, the application will redirect the user to the initial login of system A. Otherwise (the url link originates from system A, during the passing of user token to system B), system B will redirect to j_security_check and execute the customer Ldap Registry class.
  Based on the above explained scenario, in your opinion, is there any security loopholes? consider that system B no longer perform authentication but only to grant authorization to the user.
  Appreciate your advice. Thanks in advance
  Anyway, i am using the ibm websphere server. :)

• Updating password for Form Based authentication database using code

  Hi,
  We have created FBA(Form Based authentication) for SP2010. We are storing all the usernames and Passwords in FBA database. If any user changes their password needs to be save in FBA Database with latest password.
  can any one suggest me how to do this one.....
  Thanks....

  https://msdn.microsoft.com/en-us/library/system.web.security.membershipprovider.changepassword(v=vs.110).aspx
  Scott Brickey
  MCTS, MCPD, MCITP
  www.sbrickey.com
  Strategic Data Systems - for all your SharePoint needs

• Reset Password In Form Based Authentication "OIM - OAM Integration" SSO

  Hi All
  I want to give Password Reset Option in the Form Based Authentication page for OIM-OAM SSO Application, could you please help me in that??
  my SSO is working with OIM 9.1.0.2BP06 with OAM 10.1.4.2.0, and i have created Simple Form in html, for the Authnetication, Now i want Password Reset Button on Form, and will have to reset through LDAP
  TA

  Provide the OIM links for registration and forgot password.
  If your OAM has a user store(LDAP) where OIM is provisioning, your changes will be reflected in OAM
  Hope this helps,
  Sagar

• Manager password in tomcat for form based authentication

  Hi all,
  I have a jsp using form based authentication.I have set up the web.xml,server.xml and created my database with the various users and roles but when i try to deploy the application,it as for the manger username/password and when i enter what i have in the database it refuses to connect.
  Anyone has any idea what i might be doiing wrong?
  Thans in advance

  Hi,
  I'm a little confused. You wanted to know how to configure Tomcat for form based authentication, and I sent you an article on how to do that. Is there something more you need from me? You had offered 10 duke dollars for this post, and if there is more I can do I will help for the remaining amount, but I can't help you getting access to the Tomcat *.xml file.

• J_security_check in form-based authentication - not checking for blank passwords

  I am using the LDAP Security Realm to authenticate against an iPlanet
  Directory Server. All works as expected when a user-id and password
  are entered for form-based authentication.
  However, when a userid is entered but no password, j_security_check
  logs the user in successfully. Aparently, this is correct LDAP
  behaviour as anonymous login to the LDAP server is permitted. It seems
  that the j_security_check servlet should check for blank passwords
  before trying to authenticate against the LDAP server and fail
  authentication if this is the case.
  Has anyone else experienced this problem?

  Hi Brian,
  I do not believe it is j_security_check's job to check for blank
  passwords.
  In many security realms, it is "legal" for a user to have a blank
  password. j_security_check forwards whatever password was entered so that
  even users with blank passwords can be authenticated by the realm on the
  backend. For this reason I believe that j_security_check is "doing the
  right thing" by just forwarding whatever is presented to it, rather than
  having its own logic. It is best if j_security_check just acts as a very
  dumb middle man.
  If behavior was altered, it is true that your particular problem would be
  solved, but then many other people would have a problem with their users
  with blank passwords authenticating properly...
  Try looking into how to disable anonymous logins on the LDAP end of
  things. Hope this helps.
  Cheers,
  Joe Jerry
  brian wrote:
  I am using the LDAP Security Realm to authenticate against an iPlanet
  Directory Server. All works as expected when a user-id and password
  are entered for form-based authentication.
  However, when a userid is entered but no password, j_security_check
  logs the user in successfully. Aparently, this is correct LDAP
  behaviour as anonymous login to the LDAP server is permitted. It seems
  that the j_security_check servlet should check for blank passwords
  before trying to authenticate against the LDAP server and fail
  authentication if this is the case.
  Has anyone else experienced this problem?

• Form based authentication getting logged in username and role

  Hi
  I have implemented a simple Form based authentication in my web site.
  I have maintained tomcat-users.xml file for user names, passwords and roles.
  Once my user is authenticated, I need to access his name and role in website.
  How can this be done.
  Please guide.
  Thanks

  The request object should contain the information, e.g. use request.getRemoteUser().

• Form Based Authentication in Tomcat, getting login and password

  Sorry for my English.
  How I can guess login and password strings of an user, from error page (JSP)using "Form Based Authentication of Tomcat"?
  I need know it to lock the count each 3 error tries (if login is ok but
  password is bad, insteed).
  Methods 'getRemoteUser', 'isUserInRole' and 'getUserPrincipal' of
  HttpServletRequest interface have this result: If no user has been
  authenticated, returns null, false and null respectly. For this reason, they aren't utils for me.
  If I don�t know login what user writed, I can't lock his/her count.
  Exist solution for this? Thanks

  hi i am also facing the same problem. could u please tell me how u overcame the situation ?
  u will reallly pull me out of my troubles
  thanx in advance
  [email protected]

• Form Based Authentication in SharePoint 2013: Getting The remote server returned an error: (500) Internal Server Error

  Hi
   I configured forms based authentication mode in Sharepoint 2013 site. When i tried to log in with windows authentication prompt it throws the following error
  The remote server returned an error: (500) Internal Server Error
  [WebException: The remote server returned an error: (500) Internal Server Error.] System.Net.HttpWebRequest.GetResponse() +8548300 System.ServiceModel.Channels.HttpChannelRequest.WaitForReply(TimeSpan timeout) +111 [ProtocolException:
  The content type text/html; charset=utf-8 of the response message does not match the content type of the binding (application/soap+msbin1). If using a custom encoder, be sure that the IsContentTypeSupported method is implemented properly. The first
  1024 bytes of the response were: '<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd">
  How to fix this issue?
  Regards,
  Siva

  Did you create a new web application or modify an existing web application?
  I would start by checking the ULS logs, maybe there is an incorrect setting within one of the web.config files, or SQL permissions.
  Also, as suggested above, check application pools are running.
  This blog post is a great guide for setting up FBA, check it through to make sure you haven't missed any steps:
  http://blogs.technet.com/b/ptsblog/archive/2013/09/20/configuring-sharepoint-2013-forms-based-authentication-with-sqlmembershipprovider.aspx

• When I try to log in to iTunes Store on Apple TV, I get the message that the username is unknown or the password is wrong.

  Every time I try to log in to iTunes Store on AppleTV, I get the message that the username is unknown or the password is incorrect, even though they both work on iPhone, iTunes and Mac. I have been logged in before to rent movies, so the problem is new to me. And yes, I have chosen the right country for my iTunes Store under "settings". Anyone else who have the same experince?

  Many people have two Apple IDs, one for iTunes, these forums, and possibly hardware registration, and another created for use with iCloud. It's a common error to get them mixed up: you need to log into iCloud with your @me.com email address, not the ID you use for iTunes if this is different. If you want to reset your iCloud password go to http://appleid.apple.com and, again, sign in with your iCloud login.