Form-Based Security

I cannot seem to get container-managed security to work with Java Studio Creator.
I have a standard jsp page as the logon form, submitting to j_security_check. Authentication works correctly, but then, when the protected page is rendered, I keep getting the "Faces Context cannot be found" exception. Is this because I have a non-faces page between two faces pages?
Here are the steps:
1). Access the main page
2). Main faces page gets rendered correctly.
3). Access a link which sends the user to a protected page
4). Logon page gets rendered. (plain JSP or HTML file)
All is well so far
5). User credentials are submitted
6). Authentication works correctly
7). Forward user to the protected faces page
8). "Cannot find Faces Context" exception.
Obviously, I cannot create a "standard" jsp page in Creator, as Creator creates the faces context and the java backend automatically. I had to create the JSP page through a text editor, and save it to the Creator project directory.
The same thing happens if I create a regular HTML file in Creator with the same form submitting to j_security_check.
Anyone run into this? Has anyone gotten container-managed, forms-based security working with Creator?
Thanks.

Ummmm.... okay, I feel really foolish and stupid. I guess I was getting tunnel vision, staring at this project so much.
Sheesh! Thanks for the reply, j.f.brown! Had you not made the reply, who knows how long I would have stared at this problem.
I'm never going to live this down. heh heh.

Similar Messages

Using container managed form-based security in JSF

h1. Using container managed, form-based security in a JSF web app.
A Practical Solution
h2. {color:#993300}*But first, some background on the problem*{color}
The Form components available in JSF will not let you specify the target action, everything is a post-back. When using container security, however, you have to specifically submit to the magic action j_security_check to trigger authentication. This means that the only way to do this in a JSF page is to use an HTML form tag enclosed in verbatim tags. This has the side effect that the post is not handled by JSF at all meaning you can't take advantage of normal JSF functionality such as validators, plus you have a horrible chimera of a page containing both markup and components. This screws up things like skinning. ([credit to Duncan Mills in this 2 years old article|http://groundside.com/blog/DuncanMills.php?title=j2ee_security_a_jsf_based_login_form&more=1&c=1&tb=1&pb=1]).
In this solution, I will use a pure JSF page as the login page that the end user interacts with. This page will simply gather the input for the username and password and pass that on to a plain old jsp proxy to do the actual submit. This will avoid the whole problem of having to use verbatim tags or a mixture of JSF and JSP in the user view.
h2. {color:#993300}*Step 1: Configure the Security Realm in the Web App Container*{color}
What is a container? A container is basically a security framework that is implemented directly by whatever app server you are running, in my case Glassfish v2ur2 that comes with Netbeans 6.1. Your container can have multiple security realms. Each realm manages a definition of the security "*principles*" that are defined to interact with your application. A security principle is basically just a user of the system that is defined by three fields:
- Username
- Group
- Password
The security realm can be set up to authenticate using a simple file, or through JDBC, or LDAP, and more. In my case, I am using a "file" based realm. The users are statically defined directly through the app server interface. Here's how to do it (on Glassfish):
1. Start up your app server and log into the admin interface (http://localhost:4848)
2. Drill down into Configuration > Security > Realms.
3. Here you will see the default realms defined on the server. Drill down into the file realm.
4. There is no need to change any of the default settings. Click the Manage Users button.
5. Create a new user by entering username/password.
Note: If you enter a group name then you will be able to define permissions based on group in your app, which is much more usefull in a real app.
I entered a group named "Users" since my app will only have one set of permissions and all users should be authenticated and treated the same.
That way I will be able to set permissions to resources for the "Users" group that will apply to all users that have this group assigned.
TIP: After you get everything working, you can hook it all up to JDBC instead of "file" so that you can manage your users in a database.
h2. {color:#993300}*Step 2: Create the project*{color}
Since I'm a newbie to JSF, I am using Netbeans 6.1 so that I can play around with all of the fancy Visual Web JavaServer Faces components and the visual designer.
1. Start by creating a new Visual Web JSF project.
2. Next, create a new subfolder under your web root called "secure". This is the folder that we will define a Security Constraint for in a later step, so that any user trying to access any page in this folder will be redirected to a login page to sign in, if they haven't already.
h2. {color:#993300}*Step 3: Create the JSF and JSP files*{color}
In my very simple project I have 3 pages set up. Create the following files using the default templates in Netbeans 6.1:
1. login.jsp (A Visual Web JSF file)
2. loginproxy.jspx (A plain JSPX file)
3. secure/securepage.jsp (A Visual Web JSF file... Note that it is in the sub-folder named secure)
Code follows for each of the files:
h3. {color:#ff6600}*First we need to add a navigation rule to faces-config.xml:*{color}
    <navigation-rule>
<from-view-id>/login.jsp</from-view-id>
        <navigation-case>
<from-outcome>loginproxy</from-outcome>
<to-view-id>/loginproxy.jspx</to-view-id>
        </navigation-case>
    </navigation-rule>
NOTE: This navigation rule simply forwards the request to loginproxy.jspx whenever the user clicks the submit button. The button1_action() method below returns the "loginproxy" case to make this happen.
h3. {color:#ff6600}*login.jsp -- A very simple Visual Web JSF file with two input fields and a button:*{color}
<?xml version="1.0" encoding="UTF-8"?>
<jsp:root version="2.1"
xmlns:f="http://java.sun.com/jsf/core"
xmlns:h="http://java.sun.com/jsf/html"
xmlns:jsp="http://java.sun.com/JSP/Page"
xmlns:webuijsf="http://www.sun.com/webui/webuijsf">
    <jsp:directive.page
contentType="text/html;charset=UTF-8"
pageEncoding="UTF-8"/>
    <f:view>
        <webuijsf:page
id="page1">
<webuijsf:html id="html1">
<webuijsf:head id="head1">
<webuijsf:link id="link1"
url="/resources/stylesheet.css"/>
</webuijsf:head>
<webuijsf:body id="body1" style="-rave-layout: grid">
<webuijsf:form id="form1">
<webuijsf:textField binding="#{login.username}"
id="username" style="position: absolute; left: 216px; top:
96px"/>
<webuijsf:passwordField binding="#{login.password}" id="password"
style="left: 216px; top: 144px; position: absolute"/>
<webuijsf:button actionExpression="#{login.button1_action}"
id="button1" style="position: absolute; left: 216px; top:
216px" text="GO"/>
</webuijsf:form>
</webuijsf:body>
</webuijsf:html>
        </webuijsf:page>
    </f:view>
</jsp:root>h3. *login.java -- implent the
button1_action() method in the login.java backing bean*
    public String button1_action() {
        setValue("#{requestScope.username}",
(String)username.getValue());
setValue("#{requestScope.password}", (String)password.getValue());
        return "loginproxy";
    }h3. {color:#ff6600}*loginproxy.jspx -- a login proxy that the user never sees. The onload="document.forms[0].submit()" automatically submits the form as soon as it is rendered in the browser.*{color}
{code}
<?xml version="1.0" encoding="UTF-8"?>
<jsp:root xmlns:jsp="http://java.sun.com/JSP/Page"
version="2.0">
<jsp:output omit-xml-declaration="true" doctype-root-element="HTML"
doctype-system="http://www.w3.org/TR/html4/loose.dtd"
doctype-public="-W3CDTD HTML 4.01 Transitional//EN"/>
<jsp:directive.page contentType="text/html"
pageEncoding="UTF-8"/>
<html>
<head> <meta
http-equiv="Content-Type" content="text/html;
charset=UTF-8"/>
<title>Logging in...</title>
</head>
<body
onload="document.forms[0].submit()">
<form
action="j_security_check" method="POST">
<input type="hidden" name="j_username"
value="${requestScope.username}" />
<input type="hidden" name="j_password"
value="${requestScope.password}" />
</form>
</body>
</html>
</jsp:root>
{code}
h3. {color:#ff6600}*secure/securepage.jsp -- A simple JSF{color}
target page, placed in the secure folder to test access*
{code}
<?xml version="1.0" encoding="UTF-8"?>
<jsp:root version="2.1"
xmlns:f="http://java.sun.com/jsf/core"
xmlns:h="http://java.sun.com/jsf/html"
xmlns:jsp="http://java.sun.com/JSP/Page" xmlns:webuijsf="http://www.sun.com/webui/webuijsf">
<jsp:directive.page
contentType="text/html;charset=UTF-8"
pageEncoding="UTF-8"/>
<f:view>
<webuijsf:page
id="page1">
<webuijsf:html id="html1">
<webuijsf:head id="head1">
<webuijsf:link id="link1"
url="/resources/stylesheet.css"/>
</webuijsf:head>
<webuijsf:body id="body1" style="-rave-layout: grid">
<webuijsf:form id="form1">
<webuijsf:staticText id="staticText1" style="position:
absolute; left: 168px; top: 144px" text="A Secure Page"/>
</webuijsf:form>
</webuijsf:body>
</webuijsf:html>
</webuijsf:page>
</f:view>
</jsp:root>
{code}
h2. {color:#993300}*_Step 4: Configure Declarative Security_*{color}
This type of security is called +declarative+ because it is not configured programatically. It is configured by declaring all of the relevant parameters in the configuration files: *web.xml* and *sun-web.xml*. Once you have it configured, the container (application server and java framework) already have the implementation to make everything work for you.
*web.xml will be used to define:*
- Type of security - We will be using "form based". The loginpage.jsp we created will be set as both the login and error page.
- Security Roles - The security role defined here will be mapped (in sun-web.xml) to users or groups.
- Security Constraints - A security constraint defines the resource(s) that is being secured, and which Roles are able to authenticate to them.
*sun-web.xml will be used to define:*
- This is where you map a Role to the Users or Groups that are allowed to use it.
+I know this is confusing the first time, but basically it works like this:+
*Security Constraint for a URL* -> mapped to -> *Role* -> mapped to -> *Users & Groups*
h3. {color:#ff6600}*web.xml -- here's the relevant section:*{color}
{code}
<security-constraint>
<display-name>SecurityConstraint</display-name>
<web-resource-collection>
<web-resource-name>SecurePages</web-resource-name>
<description/>
<url-pattern>/faces/secure/*</url-pattern>
<http-method>GET</http-method>
<http-method>POST</http-method>
<http-method>HEAD</http-method>
<http-method>PUT</http-method>
<http-method>OPTIONS</http-method>
<http-method>TRACE</http-method>
<http-method>DELETE</http-method>
</web-resource-collection>
<auth-constraint>
<description/>
<role-name>User</role-name>
</auth-constraint>
</security-constraint>
<login-config>
<auth-method>FORM</auth-method>
<realm-name/>
<form-login-config>
<form-login-page>/faces/login.jsp</form-login-page>
<form-error-page>/faces/login.jsp</form-error-page>
</form-login-config>
</login-config>
<security-role>
<description/>
<role-name>User</role-name>
</security-role>
{code}
h3. {color:#ff6600}*sun-web.xml -- here's the relevant section:*{color}
{code}
<security-role-mapping>
<role-name>User</role-name>
<group-name>Users</group-name>
</security-role-mapping>
{code}
h3. {color:#ff6600}*Almost done!!!*{color}
h2. {color:#993300}*_Step 5: A couple of minor "Gotcha's"_ *{color}
h3. {color:#ff6600}*_Gotcha #1_*{color}
You need to configure the "welcome page" in web.xml to point to faces/secure/securepage.jsp ... Note that there is *_no_* leading / ... If you put a / in there it will barf all over itself .
h3. {color:#ff6600}*_Gotcha #2_*{color}
Note that we set the <form-login-page> in web.xml to /faces/login.jsp ... Note the leading / ... This time, you NEED the leading slash, or the server will gag.
*DONE!!!*
h2. {color:#993300}*_Here's how it works:_*{color}
1. The user requests the a page from your context (http://localhost/MyLogin/)
2. The servlet forwards the request to the welcome page: faces/secure/securepage.jsp
3. faces/secure/securepage.jsp has a security constraint defined, so the servlet checks to see if the user is authenticated for the session.
4. Of course the user is not authenticated since this is the first request, so the servlet forwards the request to the login page we configured in web.xml (/faces/login.jsp).
5. The user enters username and password and clicks a button to submit.
6. The button's action method stores away the username and password in the request scope.
7. The button returns "loginproxy" navigation case which tells the navigation handler to forward the request to loginproxy.jspx
8. loginproxy.jspx renders a blank page to the user which has hidden username and password fields.
9. The hidden username and password fields grab the username and password variables from the request scope.
10. The loginproxy page is automatically submitted with the magic action "j_security_check"
11. j_security_check notifies the container that authentication needs to be intercepted and handled.
12. The container authenticates the user credentials.
13. If the credentials fail, the container forwards the request to the login.jsp page.
14. If the credentials pass, the container forwards the request to *+the last protected resource that was attempted.+*
+Note the last point! I don't know how, but no matter how many times you fail authentication, the container remembers the last page that triggered authentication and once you finally succeed the container forwards your request there!!!!+
+The user is now at the secure welcome page.+
If you have read this far, I thank you for your time, and I seriously question your ability to ration your time pragmatically.
Kerry Randolph

If you want login security on your web app, this is one way to do it. (the easiest way i have seen).
This method allows you to create a custom login form and error page using JSF.
The container handles the actual authentication and protection of the resources based on what you declare in web.xml and sun-web.xml.
This example uses a statically defined user/password, stored in a file, but you can also configure JDBC realm in Glassfish, so that that users can register for access and your program can store the username/passwrod in a database.
I'm new to programming, so none of this may be a good practice, or may not be secure at all.
I really don't know what I'm doing, but I'm learning, and this has been the easiest way that I have found to add authentication to a web app, without having to write the login modules yourself.
Another benefit, and I think this is key ***You don't have to include any extra code in the pages that you want to protect*** The container manages this for you, based on the constraints you declare in web.xml.
So basically you set it up to protect certain folders, then when any user tries to access pages in that folder, they are required to authenticate.
--Kerry

Form based security in WebLogic 7.0 - back button quirk

I have an application comprised of several JSPs that are protected via Form based
security and enforce an SSL connection via the appropriate declarations in the
web.xml. This aspect of the application seems to be working with the exception
of one small quirk.
If a user presses that back button until such time as the receive the container
provided login page once again, and subsequently provide a valid user id and password,
they are NOT successfully logged in. Rather, they receive the ugly 403 Forbidden
error that states that the server understood the request, but is refusing to fufill
it. This only seems to happen given the above course of events involving the
use of a back button in the browser (or selection of an item from the history
list). I suspect that this has something to do with the session id being cached
or something, but I'm not sure? Can anyone offer any assistance on this one?
Also, does anyone know of a way of preventing the user from bookmarking this container
provided login page as this also seems to be causing problems for users. If they
bookmark the first protected page of the application all is fine, but if they
bookmark the login page they receive the 403 error.
Thanks in advance!

The cure for the symtops described below was to simply add a welcome-file-list
element with appropriate welcome pages to the web.xml descriptor. It makes sense
now that I have worked it out.
Todd
"Todd Gould" <[email protected]> wrote:
>
I have an application comprised of several JSPs that are protected via
Form based
security and enforce an SSL connection via the appropriate declarations
in the
web.xml. This aspect of the application seems to be working with the
exception
of one small quirk.
If a user presses that back button until such time as the receive the
container
provided login page once again, and subsequently provide a valid user
id and password,
they are NOT successfully logged in. Rather, they receive the ugly 403
Forbidden
error that states that the server understood the request, but is refusing
to fufill
it. This only seems to happen given the above course of events involving
the
use of a back button in the browser (or selection of an item from the
history
list). I suspect that this has something to do with the session id being
cached
or something, but I'm not sure? Can anyone offer any assistance on this
one?
Also, does anyone know of a way of preventing the user from bookmarking
this container
provided login page as this also seems to be causing problems for users.
If they
bookmark the first protected page of the application all is fine, but
if they
bookmark the login page they receive the 403 error.
Thanks in advance!

Form based security in WebLogic 7.0

I'm sorry for the beginner level question, but I seem to be missing a critical step
in getting Form based security to work. I have a Web application comprised of several
JSPs. I want to attache simple FORM based security contrainsts to all pages in the
app. Here are the exceprts from my web.xml:
<security-constraint>
<web-resource-collection>
<web-resource-name>DTSTAT</web-resource-name>
<url-pattern>/StateServlet/*</url-pattern>
</web-resource-collection>
<auth-constraint>
<role-name>Sysops</role-name>
</auth-constraint>
<user-data-constraint>
<transport-guarantee>NONE</transport-guarantee>
</user-data-constraint>
</security-constraint>
<login-config>
<auth-method>FORM</auth-method>
<form-login-config>
<form-login-page>/StateServlet/login.html</form-login-page>
<form-error-page>/StateServlet/login-error.html</form-error-page>
</form-login-config>
</login-config>
<security-role>
<role-name>Sysops</role-name>
</security-role>
The app deploys correctly and I have verified that the constrinsts, etc. are recognized
by WebLogic by inspecting the content displayed from the Admin console under the
"Edit Web Apllication Deployment Descriptor" link - all looks as I had expected and
matches the XML configuration above.
I then use the "Define Resources and Roles for Web Resource Collections" link. Under
the "Define Policies" section I see the constraints as defined above. I then use
the "Define Roles" link to define the "Sysops" role for this application and add
the condition "Caller is a member of the group" and use Administrators as the Group.
From this point, I invoke one of the JSPS in the app and presented with the Login
page as expected. However, no matter what I enter for user and password, I always
get the login-error page back. I'm purposely trying to keep this simple so that
I can use the system user as a test case (who is a member of the Administartors group).
However, I have also created an additional separate user and added them to the Administartors
group as well with the same unsuccessful results.
Can anyone help me out please? I've been reading the docs and seem to be missing
a key element somewhere.
Thanks in advance,
Todd

          Try to refer to the documentation for
          Configuring Security in Web Applications at
          http://e-docs.bea.com/wls/docs70///webapp/security.html
          Does the weblogic.log file contain any error or warning
          messages corresponding to your problem ?
          If you have a test case to reproduce the problem, you
          can contact BEA support at [email protected]
          Thanks
          Developer Relations Engineer

Adding an External Application that uses J2EE Form Based Security

I'm trying to add an External application that uses the J2EE Form based security. i.e. uses j_username, j_password and posts to j_security_check.
I don't really see how Oracle SSO will support this. The container needs to take control of a clients request and determines when the "Login" page is presented to establish credentials. Posting directly to j_security_check isn't working for me.
I'm using Sybase EAServer 4.12 as the external application.
Is this supported in Oracle SSO?
Do I need to provide a different mechanism for logging user's in?
Also, can someone explain what the benefit would be if I configured the EAServer app as a "Partner" app? I would still have to provide an interface for login. The input would be different but the end result would be the same I guess. What advantages does a Partner app have?
Lastly, is there an NNTP server for these forums?
Thanks.
Darrell

The cure for the symtops described below was to simply add a welcome-file-list
element with appropriate welcome pages to the web.xml descriptor. It makes sense
now that I have worked it out.
Todd
"Todd Gould" <[email protected]> wrote:
>
I have an application comprised of several JSPs that are protected via
Form based
security and enforce an SSL connection via the appropriate declarations
in the
web.xml. This aspect of the application seems to be working with the
exception
of one small quirk.
If a user presses that back button until such time as the receive the
container
provided login page once again, and subsequently provide a valid user
id and password,
they are NOT successfully logged in. Rather, they receive the ugly 403
Forbidden
error that states that the server understood the request, but is refusing
to fufill
it. This only seems to happen given the above course of events involving
the
use of a back button in the browser (or selection of an item from the
history
list). I suspect that this has something to do with the session id being
cached
or something, but I'm not sure? Can anyone offer any assistance on this
one?
Also, does anyone know of a way of preventing the user from bookmarking
this container
provided login page as this also seems to be causing problems for users.
If they
bookmark the first protected page of the application all is fine, but
if they
bookmark the login page they receive the 403 error.
Thanks in advance!

WebLogic Form-based security

I am using form-based login to authenticate users. I want to tie all entry points
on successful login to a single page. Is there a way to accomplish this? In the
web.xml one can configure the error page to be forwarded to on login failure but
there is nothing on these lines for successful logins i.e. page to be forwarded to
login success.
<form-login-config>
<form-login-page> login.jsp</<form-login-page>
<form-error-page>error.jsp</<form-error-page>
</form-login-config>
Any ideas on how to accomplish this?
Sanjay

on login.jsp page do some jsp code that changes the j_target_url to the URL that you
want all users to be directed to
Cheers
Joe Jerry
I am using form-based login to authenticate users. I want to tie all entry points
on successful login to a single page. Is there a way to accomplish this? In the
web.xml one can configure the error page to be forwarded to on login failure but
there is nothing on these lines for successful logins i.e. page to be forwarded to
login success.
<form-login-config>
<form-login-page> login.jsp</<form-login-page>
<form-error-page>error.jsp</<form-error-page>
</form-login-config>
Any ideas on how to accomplish this?
Sanjay

How to trigger and change password for AD user after form based login

Hello,
We are authenticating against Active Directory with Weblogic 10.3 using FORM based security. Everything is working. I need to now change a password for an authenticated user. For example, I have set a user to have their password expire on next logon from the AD side. The user logs in but somehow I need to trap some info from Active Directory (or an LDAP conversation) to figure out if I need to force the user to change password.
Do I need to start looking at custom code with LDAP Java SDK's or can I use a canned MBean from Weblogic Server.
I am looking at http://www.mozilla.org/directory/ for LDAP.
Can I set/reset an AD user's password with an MBean like the following link?
http://download.oracle.com/docs/cd/E13222_01/wls/docs92/javadocs/index.html?weblogic/management/security/authentication/UserPasswordEditorMBean.html
If anyone has any experience with this or can point me in the right direction let me know.
If anyone else is interested please add to the tread and I'll be sure to keep the found solution(s) updated here.
Thanks...........
JJ Everett

Hello JJ
Please see document ID 403484.1 in http://metalink.oracle.com. This may help to understand what you are aiming to do. Cheers
-- Nathan

Form Based Role Validation

I am trying to use the form based security role validation. I am using JDeveloper's built in OC4J. I am getting to my login form but when I try to submit I get the following:
java.lang.IllegalArgumentException: Resource /j_security_check?j_username=myuserhere&j_password=mypasswordhere not found
I have the user defined in the principals.xml file I am specifying the location of the principals.xml file in the WEBAPPNAMEHERE-oc4j-app.xml file which seems to be where JDeveloper wants it.
Any ideas?

See section 12.5.3.1 of the Servlet 2.3 specification for details. You need to be sure your HTML file uses the j_security_check, j_username, and j_password names like this:
<form method=POST action=j_security_check>
<input type=text name=j_username>
<input type=password name=j_password>
</form>
The method must be POST, not GET. This means that the user/pass information will not be visible in the URL that is set back to the server; it will instead be in the HTTP request body.

How to make form based authenticaiton in adf security?

Hi all
How to make form based authenticaiton in adf security?
help give example video or project.
Thanks lhagva

Have you read the docs (http://download.oracle.com/docs/cd/E17904_01/web.1111/b31974/adding_security.htm)?
Timo

Web App Security Fallback (client-cert then form-based)

Can you setup a web application to fall back to form-based login if the
client-cert (i.e. identity assertion token) is not available. I think this
would be very valuable because once you've configured the web app to use the
"client-cert" authentication, you can't access the web app directly (i.e.
browser->weblogic server). You will always need to go through the perimeter
authenticator so the token gets sent.

Solution found:
The trick is to return "401" in response if ticket is not valid (do nothing else). This will end the negotiate between client and server
In your web.xml, forward your 401 code to login page:
<error-page>
<error-code>401</error-code>
<location>/form_login_page.html</location>
</error-page>
There might be a more straightforward way to do this (have all the page management within servlet), but I did not have time to investigate it further. This one at least works

How to configure a form based login page with entitlement role

We need to have login page to our portal app.
When using "form based" authentication is it possible to map the security on a
"entitlement role" ?
Our need is to be abled to give direct url acces to some pages of the portal (for
exemple by sending urls like "http://server/appcontextpath/appmanager/myportal/mydesktop?_nfpb=true&_pageLabel=mypage")"
by email to portal users) and need a simple mecanism of authentication before
redirecting to the portal page.
Inste

Olivier,
You can't reference WLP visitor roles in weblogic.xml, but you can
reference global roles (created using the WLS console):
- <security-role-assignment>
<role-name>PortalSystemAdministrator</role-name>
<externally-defined />
</security-role-assignment>
-Phil
"Olivier" <[email protected]> wrote in message
news:[email protected]..
>
We need to have login page to our portal app.
When using "form based" authentication is it possible to map the securityon a
"entitlement role" ?
Our need is to be abled to give direct url acces to some pages of theportal (for
exemple by sending urls like"http://server/appcontextpath/appmanager/myportal/mydesktop?_nfpb=true&_page
Label=mypage")"
by email to portal users) and need a simple mecanism of authenticationbefore
redirecting to the portal page.
Inste

How to redirect to j_security_check without the form based authentication

Hi,
I am trying to integrate my application authentication to a backend system with the ibm websphere form based authentication. Below is the scenario:
1. when the user clicks on a protected url, the container will redirect the user to the login page.
2. instead of displaying the login page, i would like to automatically redirect the user to j_security_check action. which means that instead of displaying the login.jsp page, the user will automatically be redirected to j_security_check to perform some user authentication, and if successful, the application pages will be displayed.
The reason i want to auto redirect the user to j_security_check is because i am implementing some integration work with a backend system. the user will key in the username/password from another system. once the user is authenticated, the user information will be passed to my system. The login page of my system will not be displayed again, and by using the username value, my system will assume that the user has successfully been authenticated (authentication done by the backend system), and therefore automatically gain authorization to login into my application.
i hope that clarifies my problem.
anyone out there has any solution to my problem?
thanks a lot in advance.

Hi Darren,
Let me explain the whole authentication environment.
There are actually 2 systems in this environment. Let;s call it system A and system B.
System B is actually using the authentication mechanism that i described in my previous message.
A login page will be presented to the user (within system A). User credential is collected and passed to system A to be authenticated. System A will use its own mechanism to authenticate the user.
Once the user is authenticated, system A will pass the user ID to system B. At this point, system B will assume that the user is authenticated and grant authorization to access the application. (system B global security is enabled and implements the form based authentication mechanism) Therefore, at this point, the redirect page (so called login page) will not be displayed to the user, instead it will be automatically redirected to the j_security_check action to execute the customer Ldap Registry class. (ps : eventhough authentication is no longer needed, the flow will still go to Ldap Registry class. A check is done in the Ldap Registry class to skip the authentication, if it is not boot strap login. Only first and only time authentication is done for boot strap login).
In the case a protected url is clicked or invoked by the user directly, the application will redirect the user to the initial login of system A. Otherwise (the url link originates from system A, during the passing of user token to system B), system B will redirect to j_security_check and execute the customer Ldap Registry class.
Based on the above explained scenario, in your opinion, is there any security loopholes? consider that system B no longer perform authentication but only to grant authorization to the user.
Appreciate your advice. Thanks in advance
Anyway, i am using the ibm websphere server. :)

MOAC / "Org-Based" Security

Hello,
I'm developing custom pl/sql for submitting concurrent requests/sets. For reference, here is what my initialization 'block' looks like in the pl/sql:
apps.fnd_global.apps_initialize(user_id, resp_id, app_id);
apps.mo_global.set_policy_context('M');
apps.mo_global.init(appShortName);
(or)
apps.fnd_global.apps_initialize(user_id, resp_id, app_id);
apps.mo_global.set_policy_context('S', org_id);
apps.mo_global.init(appShortName);
(depending on whether the user chooses a 'multi-org' context or 'single-org' context)
I just have a few general questions.
1) Is the "mo_global.set_policy_context" followed by "mo_global.init" proper form?
2) I understand that if you choose multi-org (set_policy_context('M')), it reads the 'fnd_global.apps_initialize'd user's "allowed orgs" from his profile options (I forget the exact ones at this moment). Is this correct?
3) Is the sole purpose of "multi-org" security for performing multiple operations on multiple orgs without having to switch responsibility?
4) Most importantly (saved this one for last), I'm reading about the various different kinds of security (namely, http://docs.oracle.com/cd/E14223_01/bia.796/e14219/security.htm#BGBIFAIG):
Operating Unit Org-Based security
Inventory Org-Based Security
Company Org-Based Security
Business Group Org-Based Security
HR Org-based Security
Payables Org-Based Security
Receivables Org-Based Security
SetID-Based Security
Position-Based Security
Ledger-Based Security
My question is, are all of these various "securities" all managed with organizations? In other words, will my code (above) enable users to use ANY of these different kinds of security, if they so choose?

Hey so seeing as this question hasn't really been answered yet I figure I'll give it another go.
I'm going to be very specific this time:
I run PL/SQL scripts against the EBS database in order to do things like schedule requests/request-sets. The first thing I do (always) is initialize the apps context:
apps.fnd_global.apps_initialize(u_id, r_id, a_id);
Next, depending on the situation (still unsure when/why, but whatever), we initialize the org context. This is done by performing exactly one of the following steps.
apps.mo_global.set_policy_context('M', null);
OR
apps.mo_global.set_policy_context('S', org_id);
OR
apps.mo_global.init('appname');
Now, the ORG_ID comes from this statement:
SELECT organization_id FROM apps.org_organization_definitions2 WHERE organization_name = 'blah'
Again, I don't know why/when we need to do this or apparently what any of these things do but it's kind of beyond the scope of what I do. SOMEBODY chooses one of these, depending on their mood (or whatever factors :) ). Based on my model, the following are the possibilities thus far:
apps.fnd_global.apps_initialize(u_id, r_id, a_id);
OR
apps.fnd_global.apps_initialize(u_id, r_id, a_id);
apps.mo_global.set_policy_context('M', null);
OR
apps.fnd_global.apps_initialize(u_id, r_id, a_id);
apps.mo_global.set_policy_context('S', org_id);
OR
apps.fnd_global.apps_initialize(u_id, r_id, a_id);
apps.mo_global.init('appname');
After this, I use
apps.fnd_submit.submit_program('appName','progName','STAGEXYZ', args); <-- however many times I need
apps.fnd_submit.set_request_set('appname','requestSetName');
OR
apps.fnd_request.submit_request('appName','progName','description',starttime,FALSE, args);
My question is twofold:
1) Is this model generic enough? In other words, without doing anything extra, will people be able to do pretty much everything you could think of, at least in terms of running concurrent requests / sets? Will I ever - EVER - need to chain "set_policy_context" with "init"? <-- I would really love a yes/no answer because I am in no way/shape/form an EBS expert. I've read all the docs that I've been presented with thus far but I haven't found a straight answer to this yet.
2) I understand there are all different kinds of "org-based" security. Could I use my current code to initialize an inv_org, for example? If not, where could I turn for help? Are there other tables I should use for inv_orgs, hr_orgs, etc?
THANKS! YOU ARE THE BEST!

Error in Role Based security using weblogic 9

Hi All,
Currently I am working with Weblogic Server 9. I am trying to use role based security. Below is the entries for web.xml.
<security-constraint>
     <web-resource-collection>
          <web-resource-name>Success</web-resource-name>
          <url-pattern>/form.jsp</url-pattern>
          <http-method>GET</http-method>
          <http-method>POST</http-method>
     </web-resource-collection>
     <auth-constraint>
          <role-name>admin</role-name>
     </auth-constraint>
     <user-data-constraint>
<transport-guarantee>INTEGRAL</transport-guarantee>
</user-data-constraint>
</security-constraint>
<login-config>
     <auth-method>BASIC</auth-method>
     <realm-name>myrealm</realm-name>
</login-config>
<security-role>
     <role-name>admin</role-name>
</security-role>
When I am calling form.jsp from the browser it is asking for the username and password, but after giving the username and password it is showing the followig error:
Error 403--Forbidden
From RFC 2068 Hypertext Transfer Protocol -- HTTP/1.1:
10.4.4 403 Forbidden
The server understood the request, but is refusing to fulfill it. Authorization will not help and the request SHOULD NOT be repeated. If the request method was not HEAD and the server wishes to make public why the request has not been fulfilled, it SHOULD describe the reason for the refusal in the entity. This status code is commonly used when the server does not wish to reveal exactly why the request has been refused, or when no other response is applicable.
So can any one provide me the solution for the above problem.
Thanks in advance.
By,
Sandip Pradhan

Here is a blog post for the backend (WebLogic Admin GUI) http://disaak.blogspot.com/2009/11/migrating-to-weblogic-configure-role.html and a blog post for the web.xml in your project http://disaak.blogspot.com/2009/11/migrating-to-weblogic-configure-ear.html.

Logout Functionality in Form Based Authentication Not Working Properly

Hi All,
I am using Form Based Authentication in ADF. In this I followed the following steps:-
1.Login On Page.
2.In successful login page ,copy the url
3.Click on "Logout"
4.Paste the url in login page and click enter
5.System taking me back to that page where I can perform all the actions.
But the Login operation should not happen just by entering the url. Please provide any help how to stop redirecting to my authenticated page just by typing the url. This is a big security constraint.Any Assistance to this is highly appreciated.
Thanks & Regards
Lovenish Garg

Hi BaiG,
For Login I am using the form based authentication and for logout here is my code:-
public void logout() {
ExternalContext ectx =
FacesContext.getCurrentInstance().getExternalContext();
HttpServletResponse response = (HttpServletResponse)ectx.getResponse();
HttpSession session = (HttpSession)ectx.getSession(false);
session.invalidate();
response.setHeader("Cache-Control", "no-cache");
response.setHeader("expires", "0");
response.setHeader("Pragma", "no-cache");
try {
response.sendRedirect("AdminLogin.html");
} catch (IOException e) {
logger.severe(e.getMessage());
//Inform JSF to not take the response in hands
FacesContext.getCurrentInstance().responseComplete();
logger.info("session invalidated");
Thanks,
Lovenish Garg

Form-Based Security

Similar Messages

Maybe you are looking for