Forms login security

Hi Friends,
How do I make our 3rd party appl forms login more secure?
Currently, the appl program uses a primitive database authentication method
by providing the username and password of the database in clear text inside
a .ini file. Changing the database user and password will be useless due to
password being exposed literally. Users of the application are registered in a table in the database with the password of the user exposed in clear text. An administrator or anybody with database access will be able see a user's password in clear text thus user authentication is compromised.
Can I change the username to point to the database username and not a table?
Can I incrypt the password table entry itself?
Can I incrypt the .ini file so as not to show literal passwords?
Can I use the form to get the userid/passwd from LDAP active directory server?
Please help ....thanks a lot

Are you sure that this is a Forms application and no JAVA-program ?
It seems that a JAVA programmer tried some forms development :p
The application may need some redesign.
My suggestion :
- the schema owner (database user holding the table objects) creates database
roles implementing reader roles, insert role update roles and so on
- each user will be created as a database user
- grant the required role(s) to the user, but dont set those roles as default_role
(ALTER USER xy DEFAULT_ROLE CONNECT, ...;
- rebuild the login procedure authenticating now against the database account
and not against the password in the application user-table
- let the user password expire whilst using the existing user-table (implement a password expiration date) or use the database account for that
- after successful login issue : DBMS_SESSION.SET_ROLE(...); for each
role of the user, the created session has now the roles enabled
- database roles should be password protected...
If this is too much effort, it is possible to encrypt the table entries using oracle's Obfuscation Packages (depends on RDBMS-version).
If your are using Oracle Forms > 6i :
In addition to that all above it is possible at least to authentify against the Oracle Portal (not sure if this works against a different OID)...
Message was edited by:
user434854

Similar Messages

Using container managed form-based security in JSF

h1. Using container managed, form-based security in a JSF web app.
A Practical Solution
h2. {color:#993300}*But first, some background on the problem*{color}
The Form components available in JSF will not let you specify the target action, everything is a post-back. When using container security, however, you have to specifically submit to the magic action j_security_check to trigger authentication. This means that the only way to do this in a JSF page is to use an HTML form tag enclosed in verbatim tags. This has the side effect that the post is not handled by JSF at all meaning you can't take advantage of normal JSF functionality such as validators, plus you have a horrible chimera of a page containing both markup and components. This screws up things like skinning. ([credit to Duncan Mills in this 2 years old article|http://groundside.com/blog/DuncanMills.php?title=j2ee_security_a_jsf_based_login_form&more=1&c=1&tb=1&pb=1]).
In this solution, I will use a pure JSF page as the login page that the end user interacts with. This page will simply gather the input for the username and password and pass that on to a plain old jsp proxy to do the actual submit. This will avoid the whole problem of having to use verbatim tags or a mixture of JSF and JSP in the user view.
h2. {color:#993300}*Step 1: Configure the Security Realm in the Web App Container*{color}
What is a container? A container is basically a security framework that is implemented directly by whatever app server you are running, in my case Glassfish v2ur2 that comes with Netbeans 6.1. Your container can have multiple security realms. Each realm manages a definition of the security "*principles*" that are defined to interact with your application. A security principle is basically just a user of the system that is defined by three fields:
- Username
- Group
- Password
The security realm can be set up to authenticate using a simple file, or through JDBC, or LDAP, and more. In my case, I am using a "file" based realm. The users are statically defined directly through the app server interface. Here's how to do it (on Glassfish):
1. Start up your app server and log into the admin interface (http://localhost:4848)
2. Drill down into Configuration > Security > Realms.
3. Here you will see the default realms defined on the server. Drill down into the file realm.
4. There is no need to change any of the default settings. Click the Manage Users button.
5. Create a new user by entering username/password.
Note: If you enter a group name then you will be able to define permissions based on group in your app, which is much more usefull in a real app.
I entered a group named "Users" since my app will only have one set of permissions and all users should be authenticated and treated the same.
That way I will be able to set permissions to resources for the "Users" group that will apply to all users that have this group assigned.
TIP: After you get everything working, you can hook it all up to JDBC instead of "file" so that you can manage your users in a database.
h2. {color:#993300}*Step 2: Create the project*{color}
Since I'm a newbie to JSF, I am using Netbeans 6.1 so that I can play around with all of the fancy Visual Web JavaServer Faces components and the visual designer.
1. Start by creating a new Visual Web JSF project.
2. Next, create a new subfolder under your web root called "secure". This is the folder that we will define a Security Constraint for in a later step, so that any user trying to access any page in this folder will be redirected to a login page to sign in, if they haven't already.
h2. {color:#993300}*Step 3: Create the JSF and JSP files*{color}
In my very simple project I have 3 pages set up. Create the following files using the default templates in Netbeans 6.1:
1. login.jsp (A Visual Web JSF file)
2. loginproxy.jspx (A plain JSPX file)
3. secure/securepage.jsp (A Visual Web JSF file... Note that it is in the sub-folder named secure)
Code follows for each of the files:
h3. {color:#ff6600}*First we need to add a navigation rule to faces-config.xml:*{color}
    <navigation-rule>
<from-view-id>/login.jsp</from-view-id>
        <navigation-case>
<from-outcome>loginproxy</from-outcome>
<to-view-id>/loginproxy.jspx</to-view-id>
        </navigation-case>
    </navigation-rule>
NOTE: This navigation rule simply forwards the request to loginproxy.jspx whenever the user clicks the submit button. The button1_action() method below returns the "loginproxy" case to make this happen.
h3. {color:#ff6600}*login.jsp -- A very simple Visual Web JSF file with two input fields and a button:*{color}
<?xml version="1.0" encoding="UTF-8"?>
<jsp:root version="2.1"
xmlns:f="http://java.sun.com/jsf/core"
xmlns:h="http://java.sun.com/jsf/html"
xmlns:jsp="http://java.sun.com/JSP/Page"
xmlns:webuijsf="http://www.sun.com/webui/webuijsf">
    <jsp:directive.page
contentType="text/html;charset=UTF-8"
pageEncoding="UTF-8"/>
    <f:view>
        <webuijsf:page
id="page1">
<webuijsf:html id="html1">
<webuijsf:head id="head1">
<webuijsf:link id="link1"
url="/resources/stylesheet.css"/>
</webuijsf:head>
<webuijsf:body id="body1" style="-rave-layout: grid">
<webuijsf:form id="form1">
<webuijsf:textField binding="#{login.username}"
id="username" style="position: absolute; left: 216px; top:
96px"/>
<webuijsf:passwordField binding="#{login.password}" id="password"
style="left: 216px; top: 144px; position: absolute"/>
<webuijsf:button actionExpression="#{login.button1_action}"
id="button1" style="position: absolute; left: 216px; top:
216px" text="GO"/>
</webuijsf:form>
</webuijsf:body>
</webuijsf:html>
        </webuijsf:page>
    </f:view>
</jsp:root>h3. *login.java -- implent the
button1_action() method in the login.java backing bean*
    public String button1_action() {
        setValue("#{requestScope.username}",
(String)username.getValue());
setValue("#{requestScope.password}", (String)password.getValue());
        return "loginproxy";
    }h3. {color:#ff6600}*loginproxy.jspx -- a login proxy that the user never sees. The onload="document.forms[0].submit()" automatically submits the form as soon as it is rendered in the browser.*{color}
{code}
<?xml version="1.0" encoding="UTF-8"?>
<jsp:root xmlns:jsp="http://java.sun.com/JSP/Page"
version="2.0">
<jsp:output omit-xml-declaration="true" doctype-root-element="HTML"
doctype-system="http://www.w3.org/TR/html4/loose.dtd"
doctype-public="-W3CDTD HTML 4.01 Transitional//EN"/>
<jsp:directive.page contentType="text/html"
pageEncoding="UTF-8"/>
<html>
<head> <meta
http-equiv="Content-Type" content="text/html;
charset=UTF-8"/>
<title>Logging in...</title>
</head>
<body
onload="document.forms[0].submit()">
<form
action="j_security_check" method="POST">
<input type="hidden" name="j_username"
value="${requestScope.username}" />
<input type="hidden" name="j_password"
value="${requestScope.password}" />
</form>
</body>
</html>
</jsp:root>
{code}
h3. {color:#ff6600}*secure/securepage.jsp -- A simple JSF{color}
target page, placed in the secure folder to test access*
{code}
<?xml version="1.0" encoding="UTF-8"?>
<jsp:root version="2.1"
xmlns:f="http://java.sun.com/jsf/core"
xmlns:h="http://java.sun.com/jsf/html"
xmlns:jsp="http://java.sun.com/JSP/Page" xmlns:webuijsf="http://www.sun.com/webui/webuijsf">
<jsp:directive.page
contentType="text/html;charset=UTF-8"
pageEncoding="UTF-8"/>
<f:view>
<webuijsf:page
id="page1">
<webuijsf:html id="html1">
<webuijsf:head id="head1">
<webuijsf:link id="link1"
url="/resources/stylesheet.css"/>
</webuijsf:head>
<webuijsf:body id="body1" style="-rave-layout: grid">
<webuijsf:form id="form1">
<webuijsf:staticText id="staticText1" style="position:
absolute; left: 168px; top: 144px" text="A Secure Page"/>
</webuijsf:form>
</webuijsf:body>
</webuijsf:html>
</webuijsf:page>
</f:view>
</jsp:root>
{code}
h2. {color:#993300}*_Step 4: Configure Declarative Security_*{color}
This type of security is called +declarative+ because it is not configured programatically. It is configured by declaring all of the relevant parameters in the configuration files: *web.xml* and *sun-web.xml*. Once you have it configured, the container (application server and java framework) already have the implementation to make everything work for you.
*web.xml will be used to define:*
- Type of security - We will be using "form based". The loginpage.jsp we created will be set as both the login and error page.
- Security Roles - The security role defined here will be mapped (in sun-web.xml) to users or groups.
- Security Constraints - A security constraint defines the resource(s) that is being secured, and which Roles are able to authenticate to them.
*sun-web.xml will be used to define:*
- This is where you map a Role to the Users or Groups that are allowed to use it.
+I know this is confusing the first time, but basically it works like this:+
*Security Constraint for a URL* -> mapped to -> *Role* -> mapped to -> *Users & Groups*
h3. {color:#ff6600}*web.xml -- here's the relevant section:*{color}
{code}
<security-constraint>
<display-name>SecurityConstraint</display-name>
<web-resource-collection>
<web-resource-name>SecurePages</web-resource-name>
<description/>
<url-pattern>/faces/secure/*</url-pattern>
<http-method>GET</http-method>
<http-method>POST</http-method>
<http-method>HEAD</http-method>
<http-method>PUT</http-method>
<http-method>OPTIONS</http-method>
<http-method>TRACE</http-method>
<http-method>DELETE</http-method>
</web-resource-collection>
<auth-constraint>
<description/>
<role-name>User</role-name>
</auth-constraint>
</security-constraint>
<login-config>
<auth-method>FORM</auth-method>
<realm-name/>
<form-login-config>
<form-login-page>/faces/login.jsp</form-login-page>
<form-error-page>/faces/login.jsp</form-error-page>
</form-login-config>
</login-config>
<security-role>
<description/>
<role-name>User</role-name>
</security-role>
{code}
h3. {color:#ff6600}*sun-web.xml -- here's the relevant section:*{color}
{code}
<security-role-mapping>
<role-name>User</role-name>
<group-name>Users</group-name>
</security-role-mapping>
{code}
h3. {color:#ff6600}*Almost done!!!*{color}
h2. {color:#993300}*_Step 5: A couple of minor "Gotcha's"_ *{color}
h3. {color:#ff6600}*_Gotcha #1_*{color}
You need to configure the "welcome page" in web.xml to point to faces/secure/securepage.jsp ... Note that there is *_no_* leading / ... If you put a / in there it will barf all over itself .
h3. {color:#ff6600}*_Gotcha #2_*{color}
Note that we set the <form-login-page> in web.xml to /faces/login.jsp ... Note the leading / ... This time, you NEED the leading slash, or the server will gag.
*DONE!!!*
h2. {color:#993300}*_Here's how it works:_*{color}
1. The user requests the a page from your context (http://localhost/MyLogin/)
2. The servlet forwards the request to the welcome page: faces/secure/securepage.jsp
3. faces/secure/securepage.jsp has a security constraint defined, so the servlet checks to see if the user is authenticated for the session.
4. Of course the user is not authenticated since this is the first request, so the servlet forwards the request to the login page we configured in web.xml (/faces/login.jsp).
5. The user enters username and password and clicks a button to submit.
6. The button's action method stores away the username and password in the request scope.
7. The button returns "loginproxy" navigation case which tells the navigation handler to forward the request to loginproxy.jspx
8. loginproxy.jspx renders a blank page to the user which has hidden username and password fields.
9. The hidden username and password fields grab the username and password variables from the request scope.
10. The loginproxy page is automatically submitted with the magic action "j_security_check"
11. j_security_check notifies the container that authentication needs to be intercepted and handled.
12. The container authenticates the user credentials.
13. If the credentials fail, the container forwards the request to the login.jsp page.
14. If the credentials pass, the container forwards the request to *+the last protected resource that was attempted.+*
+Note the last point! I don't know how, but no matter how many times you fail authentication, the container remembers the last page that triggered authentication and once you finally succeed the container forwards your request there!!!!+
+The user is now at the secure welcome page.+
If you have read this far, I thank you for your time, and I seriously question your ability to ration your time pragmatically.
Kerry Randolph

If you want login security on your web app, this is one way to do it. (the easiest way i have seen).
This method allows you to create a custom login form and error page using JSF.
The container handles the actual authentication and protection of the resources based on what you declare in web.xml and sun-web.xml.
This example uses a statically defined user/password, stored in a file, but you can also configure JDBC realm in Glassfish, so that that users can register for access and your program can store the username/passwrod in a database.
I'm new to programming, so none of this may be a good practice, or may not be secure at all.
I really don't know what I'm doing, but I'm learning, and this has been the easiest way that I have found to add authentication to a web app, without having to write the login modules yourself.
Another benefit, and I think this is key ***You don't have to include any extra code in the pages that you want to protect*** The container manages this for you, based on the constraints you declare in web.xml.
So basically you set it up to protect certain folders, then when any user tries to access pages in that folder, they are required to authenticate.
--Kerry

Form based security in WebLogic 7.0 - back button quirk

I have an application comprised of several JSPs that are protected via Form based
security and enforce an SSL connection via the appropriate declarations in the
web.xml. This aspect of the application seems to be working with the exception
of one small quirk.
If a user presses that back button until such time as the receive the container
provided login page once again, and subsequently provide a valid user id and password,
they are NOT successfully logged in. Rather, they receive the ugly 403 Forbidden
error that states that the server understood the request, but is refusing to fufill
it. This only seems to happen given the above course of events involving the
use of a back button in the browser (or selection of an item from the history
list). I suspect that this has something to do with the session id being cached
or something, but I'm not sure? Can anyone offer any assistance on this one?
Also, does anyone know of a way of preventing the user from bookmarking this container
provided login page as this also seems to be causing problems for users. If they
bookmark the first protected page of the application all is fine, but if they
bookmark the login page they receive the 403 error.
Thanks in advance!

The cure for the symtops described below was to simply add a welcome-file-list
element with appropriate welcome pages to the web.xml descriptor. It makes sense
now that I have worked it out.
Todd
"Todd Gould" <[email protected]> wrote:
>
I have an application comprised of several JSPs that are protected via
Form based
security and enforce an SSL connection via the appropriate declarations
in the
web.xml. This aspect of the application seems to be working with the
exception
of one small quirk.
If a user presses that back button until such time as the receive the
container
provided login page once again, and subsequently provide a valid user
id and password,
they are NOT successfully logged in. Rather, they receive the ugly 403
Forbidden
error that states that the server understood the request, but is refusing
to fufill
it. This only seems to happen given the above course of events involving
the
use of a back button in the browser (or selection of an item from the
history
list). I suspect that this has something to do with the session id being
cached
or something, but I'm not sure? Can anyone offer any assistance on this
one?
Also, does anyone know of a way of preventing the user from bookmarking
this container
provided login page as this also seems to be causing problems for users.
If they
bookmark the first protected page of the application all is fine, but
if they
bookmark the login page they receive the 403 error.
Thanks in advance!

Form based security in WebLogic 7.0

I'm sorry for the beginner level question, but I seem to be missing a critical step
in getting Form based security to work. I have a Web application comprised of several
JSPs. I want to attache simple FORM based security contrainsts to all pages in the
app. Here are the exceprts from my web.xml:
<security-constraint>
<web-resource-collection>
<web-resource-name>DTSTAT</web-resource-name>
<url-pattern>/StateServlet/*</url-pattern>
</web-resource-collection>
<auth-constraint>
<role-name>Sysops</role-name>
</auth-constraint>
<user-data-constraint>
<transport-guarantee>NONE</transport-guarantee>
</user-data-constraint>
</security-constraint>
<login-config>
<auth-method>FORM</auth-method>
<form-login-config>
<form-login-page>/StateServlet/login.html</form-login-page>
<form-error-page>/StateServlet/login-error.html</form-error-page>
</form-login-config>
</login-config>
<security-role>
<role-name>Sysops</role-name>
</security-role>
The app deploys correctly and I have verified that the constrinsts, etc. are recognized
by WebLogic by inspecting the content displayed from the Admin console under the
"Edit Web Apllication Deployment Descriptor" link - all looks as I had expected and
matches the XML configuration above.
I then use the "Define Resources and Roles for Web Resource Collections" link. Under
the "Define Policies" section I see the constraints as defined above. I then use
the "Define Roles" link to define the "Sysops" role for this application and add
the condition "Caller is a member of the group" and use Administrators as the Group.
From this point, I invoke one of the JSPS in the app and presented with the Login
page as expected. However, no matter what I enter for user and password, I always
get the login-error page back. I'm purposely trying to keep this simple so that
I can use the system user as a test case (who is a member of the Administartors group).
However, I have also created an additional separate user and added them to the Administartors
group as well with the same unsuccessful results.
Can anyone help me out please? I've been reading the docs and seem to be missing
a key element somewhere.
Thanks in advance,
Todd

          Try to refer to the documentation for
          Configuring Security in Web Applications at
          http://e-docs.bea.com/wls/docs70///webapp/security.html
          Does the weblogic.log file contain any error or warning
          messages corresponding to your problem ?
          If you have a test case to reproduce the problem, you
          can contact BEA support at [email protected]
          Thanks
          Developer Relations Engineer

Adding an External Application that uses J2EE Form Based Security

I'm trying to add an External application that uses the J2EE Form based security. i.e. uses j_username, j_password and posts to j_security_check.
I don't really see how Oracle SSO will support this. The container needs to take control of a clients request and determines when the "Login" page is presented to establish credentials. Posting directly to j_security_check isn't working for me.
I'm using Sybase EAServer 4.12 as the external application.
Is this supported in Oracle SSO?
Do I need to provide a different mechanism for logging user's in?
Also, can someone explain what the benefit would be if I configured the EAServer app as a "Partner" app? I would still have to provide an interface for login. The input would be different but the end result would be the same I guess. What advantages does a Partner app have?
Lastly, is there an NNTP server for these forums?
Thanks.
Darrell

The cure for the symtops described below was to simply add a welcome-file-list
element with appropriate welcome pages to the web.xml descriptor. It makes sense
now that I have worked it out.
Todd
"Todd Gould" <[email protected]> wrote:
>
I have an application comprised of several JSPs that are protected via
Form based
security and enforce an SSL connection via the appropriate declarations
in the
web.xml. This aspect of the application seems to be working with the
exception
of one small quirk.
If a user presses that back button until such time as the receive the
container
provided login page once again, and subsequently provide a valid user
id and password,
they are NOT successfully logged in. Rather, they receive the ugly 403
Forbidden
error that states that the server understood the request, but is refusing
to fufill
it. This only seems to happen given the above course of events involving
the
use of a back button in the browser (or selection of an item from the
history
list). I suspect that this has something to do with the session id being
cached
or something, but I'm not sure? Can anyone offer any assistance on this
one?
Also, does anyone know of a way of preventing the user from bookmarking
this container
provided login page as this also seems to be causing problems for users.
If they
bookmark the first protected page of the application all is fine, but
if they
bookmark the login page they receive the 403 error.
Thanks in advance!

HT204088 Please help login security questiona

Hi I have an security question which I have not done before so that I could not download my iTunes download

First I followed the instruction from the following website to setup the driver. http://www.deitel.com/books/simplyJava1/simplyjava1_AccessDatabaseInstructions.pdf
Then I added the following REALM to my App2.xml
   <Realm className="org.apache.catalina.realm.JDBCRealm"
          driverName="sun.jdbc.odbc.JdbcOdbcDriver"
       connectionURL="jdbc:odbc:DATABASE"
           userTable="user" userNameCol="usr" userCredCol="pswrd"
       userRoleTable="role" roleNameCol="role" />Here is what i have in my web.xml
    <security-constraint>
      <display-name>Security Constraint</display-name>
      <web-resource-collection>
         <web-resource-name>Protected</web-resource-name>
         <url-pattern>/*</url-pattern>
         <http-method>GET</http-method>
         <http-method>POST</http-method>
      </web-resource-collection>
      <auth-constraint>
         
         <role-name>Manager</role-name>
      </auth-constraint>
    </security-constraint>
    
    <login-config>
      <auth-method>FORM</auth-method>
      <realm-name>Form-Based Authentication</realm-name>
      <form-login-config>
        <form-login-page>/login.jsp</form-login-page>
        <form-error-page>/error.jsp</form-error-page>
      </form-login-config>
    </login-config>
    
    <security-role>
       <role-name>Manager</role-name>
    </security-role>

Enhanced login security and password ageing in SAP R3 Enterprise 110

Hi,
today we will activate "Enhanced login security and password ageing" on our R3 (SAP R3 Enterprise 110) development environment.
new parameters
Enhanced login security and password ageing
login/min_password_lng = 8
login/password_expiration_time = 365
login/min_password_diff = 2
login/min_password_letters = 1
login/min_password_digits = 1
anyone any expirience on possible problems which can occur after activating these new settings.
Many thanks in advance
Patrick Van Vlerken

No... this should do what it sais in the tin.
Read,
http://www.*********************/password_sap.htm
Regards
Juan

How to use form-login in iPlanet?

Hi guys:
I tried to use J2EE form-based login feature to trigger user authentication,
but I can only specify the login page and the login error page, so how to
redirector the location after user login successful?
Thanks

You need to try to reach a page/servlet/pattern that is protected. Then the j_security_check action in your form-login page will be populated with the relevant parameters. You will be presented with a login page when you try to access the servlet, then you will be redirected to the appropriate protected resource.

Form-Based Security

I cannot seem to get container-managed security to work with Java Studio Creator.
I have a standard jsp page as the logon form, submitting to j_security_check. Authentication works correctly, but then, when the protected page is rendered, I keep getting the "Faces Context cannot be found" exception. Is this because I have a non-faces page between two faces pages?
Here are the steps:
1). Access the main page
2). Main faces page gets rendered correctly.
3). Access a link which sends the user to a protected page
4). Logon page gets rendered. (plain JSP or HTML file)
All is well so far
5). User credentials are submitted
6). Authentication works correctly
7). Forward user to the protected faces page
8). "Cannot find Faces Context" exception.
Obviously, I cannot create a "standard" jsp page in Creator, as Creator creates the faces context and the java backend automatically. I had to create the JSP page through a text editor, and save it to the Creator project directory.
The same thing happens if I create a regular HTML file in Creator with the same form submitting to j_security_check.
Anyone run into this? Has anyone gotten container-managed, forms-based security working with Creator?
Thanks.

Ummmm.... okay, I feel really foolish and stupid. I guess I was getting tunnel vision, staring at this project so much.
Sheesh! Thanks for the reply, j.f.brown! Had you not made the reply, who knows how long I would have stared at this problem.
I'm never going to live this down. heh heh.

WebLogic Form-based security

I am using form-based login to authenticate users. I want to tie all entry points
on successful login to a single page. Is there a way to accomplish this? In the
web.xml one can configure the error page to be forwarded to on login failure but
there is nothing on these lines for successful logins i.e. page to be forwarded to
login success.
<form-login-config>
<form-login-page> login.jsp</<form-login-page>
<form-error-page>error.jsp</<form-error-page>
</form-login-config>
Any ideas on how to accomplish this?
Sanjay

on login.jsp page do some jsp code that changes the j_target_url to the URL that you
want all users to be directed to
Cheers
Joe Jerry
I am using form-based login to authenticate users. I want to tie all entry points
on successful login to a single page. Is there a way to accomplish this? In the
web.xml one can configure the error page to be forwarded to on login failure but
there is nothing on these lines for successful logins i.e. page to be forwarded to
login success.
<form-login-config>
<form-login-page> login.jsp</<form-login-page>
<form-error-page>error.jsp</<form-error-page>
</form-login-config>
Any ideas on how to accomplish this?
Sanjay

How to CORRECTLY do a form Login and get a cookie in return???

Hi,
I am a relatively new developer and this is actualy my first post ever. I ussually find everything i need in other posts but for some reason this time i have been miserably unsuccessful and am close to pulling my hair out.
I am trying to login to a website using some sort of form login so that it returns a cookie that i can than use to download files or access pages.
Now here is the actual html of the website:
<form name="login" action="https://www.website.com.au/login/login_action.cfm" method="post">
<div class="username">
<input name="contact_username" type="text" size="16" maxlength="60" />
</div>
<div class="password">
<input name="contact_password" type="password" size="16" maxlength="60" />
</div>
<div class="login">
<img id="li" src="/corporate/images/login_up.gif" alt="Login Button" onMouseOut="MM_swapImgRestore();"
onMouseOver="MM_swapImage('li','','/corporate/images/login_over.gif',1);" onclick="check_submit();" />
</div>
</form>
Could some one PLEEEEEASE let me know the code that i could use to successfuly login and return a cookie.
I have already created the code the uses the cookie to access pages. (I got the cookie from login normally using web browser).
So now i just need to know how i can login and get a cookie returned to the above form????
PLEASE PLEASE HELP.
Thanks in advanced :)

1) I'm wondering how this all applies to Java. What Java code have you tried and has failed here? Are you talking about Java or Javascript? JSP?
2) Please don't cross-post this in multiple forums. That only pisses us off and will guarantee you less help than if you didn't do this. Imagine a volunteer giving of his free time to help someone, spending say an hour or more trying to come up with a solution, then finding after posting that the solution was already given in a cross-post, and you'll know why this is very much frowned upon in these forums. Choose one thread to be the active thread, and then put a note in the other thread directing posters to the active thread (if you really want help that is).

Single form for secure zone registration and web app submission?

Hi
Is it possible to setup a form where a user can simultaneously register for a secure zone and submit a web app entry? The knowledge base / tutorials describe a two step process (web form for secure zone registration and web app input form for web app submission), but I would like users to be able to do both with a single form
Thanks in advance for any suggestions
mls

In order to have a customer create a web app item they must be logged into the secure zone already. I've seen some instructions on how to let users submit web app items outside a secure zone but that requires creating a dummy anonymous user and logging them into the secure zone via javascript. You could use this method and once it's submitted you'll have to manually attach the web app item to the correct user in the BC Admin. That might not work for you but you can read more about that at http://forums.adobe.com/docs/DOC-1784
You can't use the above solution with the current user's username and password because those tags are only available when the user is logged into a secure zone already. If your signup form needs to be filled out first, the user isn't logged in.
Your best bet is to have the public signup form redirect the user after submission to an "Add item" form you have created. Maks sure that form is in a secure zone so when they add the item it is attached to their account.
If you don't want to redirect them to a secure zone and want it more seamless you could try to use some javascript/ajax to submit the form via javascript and after the form is submitted, use the javascript code in the above to log them in (be careful to use the https://yoursite.worldsecuresystems.com url if you are passing username and password info gathered from your form to log them in via javascript/ajax). Once they are logged in via the javascript you can use more ajax to fetch a page's HTML that resides in a secure zone. This HTML returned from the javascript can be your "add web app item" form and since they were logged in via javascript (securely, right?) this HTML should contain the right information. Insert this returned HTML into your form container that held the original signup form and they can continue to add a web app item without having to log in.
This is theory and might work but you'll have to start experimenting with it via javascript. I haven't actually tried to do this so hopefully some other community members who might have tried this can weigh in here as well.
Good luck!

Make a contact form information secure

I use Dreamweaver CC and Business Catalyst.
I want to make sure that the infomation people send to me in my contact forms is secure!
Does anyone have any advise for me on the best way to do this?
Thanks

The information is sent into BC into the CRM which you can only access by logging in to the admin or API through secure authentication.
You recieve a workflow notification summary of that to your email. You can stop the form havinga workflow if you do not want that to go to your email if you feel your email is not secure.
All BC data and information is secure.

Form function security (how to make form Updatable)

Hi...friends...
I have one standard oracle form. Data of that form is updatable in 11.5.7 instances...I can insert,update and delete.
But, we had upgraded Apps to 11.5.10...so, now the same form data is not updatable..I can insert, but cant delete or update...
So, is there any thing like form function security attached with that form or responsibilities in previous version... which are not in new 11.5.10 ??
How can I make that form contents updatable through Sys. Admin. concept.
(not through Form Builder Design)
Thanks in advance....

Thank you guys..
actually, it was a bug with 11.5.7 oracle versions specific to one check box value.
it was treating check box values as,
i) checked then 'Y
ii) Null then 'Null' ------- the problem was here...due to null, query was not fetching data and that form is having flag which understands only 'Y' or 'N'
iii) not checked then 'N'
anyway thanks to u all...

ADF form login vs. press enter

I use the default ADF form login, however, it requires a mouse click, and not responding to the "press enter/return". Any idea?
Thanks,

Thanks, Frank. I actually used a custom LoginPage.jspx, NOT the default HTML form login:
<?xml version='1.0' encoding='UTF-8'?>
<jsp:root xmlns:jsp="http://java.sun.com/JSP/Page" version="2.1"
xmlns:f="http://java.sun.com/jsf/core"
xmlns:h="http://java.sun.com/jsf/html"
xmlns:af="http://xmlns.oracle.com/adf/faces/rich">
<jsp:directive.page contentType="text/html;charset=UTF-8"/>
<f:view>
<af:document title="Form Login" id="d1">
<af:form id="f1">
<af:message id="m1"/>
<af:panelBox text="Login" id="pb1"
inlineStyle="width:300px; height:200.0px;">
<af:panelFormLayout id="pfl1">
<f:facet name="footer">
<af:panelBorderLayout id="pbl1"
inlineStyle="height:20.0px; "
styleClass="AFStretchWidth">
<f:facet name="start">
<af:commandButton text="Login" id="cb1"
action="#{loginBean.doLogin}"/>
</f:facet>
</af:panelBorderLayout>
</f:facet>
<af:inputText label="User Name" id="it1" required="true"
value="#{loginBean.username}"/>
<af:inputText label="Password" id="it2" required="true"
secret="true"
value="#{loginBean.password}"/>
</af:panelFormLayout>
</af:panelBox>
<f:facet name="toolbar"/>
</af:form>
</af:document>
</f:view>
</jsp:root>

Forms login security

Similar Messages

Maybe you are looking for