Get j_username in form based authentication

I would like to get access to j_username when form-based authentication fails, i.e. if the user does not enter a valid username/password combination. What is best way to do this. I have looked in this forum and have seen mention of using servlets, filters, SAAJ, etc. Example code would be much appreciated.
Martin

hello all,
I am using WebSphere and some how my filter is not being invoked, although my form based authentication works fine !!
I am trying to do some post login in the filter but my filter isnt called....
My filter is defined as follows
     <filter>
          <filter-name>LoginFilter</filter-name>
          <display-name>LoginFilter</display-name>
          <filter-class>pkg.LoginFilter</filter-class>
     </filter>
     <filter-mapping>
          <filter-name>LoginFilter</filter-name>
          <url-pattern>/j_security_check</url-pattern>
     </filter-mapping>What am I doing wrong??
Also is there a possibiity that i can call my action class from the filter by mapping my action class as a servlet mapping to the filter?
if so, how can i do it ?

Similar Messages

Get user and user-roles in form based authentication

How do I get user and roles associated with the user in my bean for "form based authentication".
regards,
nirvan.

HttpServletRequest#getUserPrincipal().
This has nothing to do with JSF. Form based authentication is part of Servlet spec.
In JSF you can get the HttpServletRequest by ExternalContext#getRequest().

Get authenticated programmtically in FORM-based authentication

Hi, friends,
Does anybody know how to get authenticated programmtically when access some servlet
in FORM-based authentication ?
I have some Java programs running on a server other than weblogic application
server. And I want to use HTTP request programmtically to talk to a servlet on
WebLogic 6.0. For basic authentication, i can add authorization info into the
request, how can I do that for form-based authentication ?
Thanks
John

Hi John,
Yep, it's WebLogic-specific.
Check out
http://e-docs.bea.com/wls/docs61///javadocs/weblogic/servlet/security/ServletAuthentication.html
for more information
Cheers,
Joe Jerry
John Chen wrote:
Hi, Joe,
Is that weblogic specific API ? Could you tell a bit more detail on how to use
that ?
Thanks
John
Jerry <[email protected]> wrote:
ServletAuthentication.weak() should do what you want
Cheers,
Joe Jerry
John Chen wrote:
Hi, friends,
Does anybody know how to get authenticated programmtically when accesssome servlet
in FORM-based authentication ?
I have some Java programs running on a server other than weblogic application
server. And I want to use HTTP request programmtically to talk to aservlet on
WebLogic 6.0. For basic authentication, i can add authorization infointo the
request, how can I do that for form-based authentication ?
Thanks
John

Form Based Authentication in SharePoint 2013: Getting The remote server returned an error: (500) Internal Server Error

Hi
I configured forms based authentication mode in Sharepoint 2013 site. When i tried to log in with windows authentication prompt it throws the following error
The remote server returned an error: (500) Internal Server Error
[WebException: The remote server returned an error: (500) Internal Server Error.] System.Net.HttpWebRequest.GetResponse() +8548300 System.ServiceModel.Channels.HttpChannelRequest.WaitForReply(TimeSpan timeout) +111 [ProtocolException:
The content type text/html; charset=utf-8 of the response message does not match the content type of the binding (application/soap+msbin1). If using a custom encoder, be sure that the IsContentTypeSupported method is implemented properly. The first
1024 bytes of the response were: '<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd">
How to fix this issue?
Regards,
Siva

Did you create a new web application or modify an existing web application?
I would start by checking the ULS logs, maybe there is an incorrect setting within one of the web.config files, or SQL permissions.
Also, as suggested above, check application pools are running.
This blog post is a great guide for setting up FBA, check it through to make sure you haven't missed any steps:
http://blogs.technet.com/b/ptsblog/archive/2013/09/20/configuring-sharepoint-2013-forms-based-authentication-with-sqlmembershipprovider.aspx

Form based authentication getting logged in username and role

Hi
I have implemented a simple Form based authentication in my web site.
I have maintained tomcat-users.xml file for user names, passwords and roles.
Once my user is authenticated, I need to access his name and role in website.
How can this be done.
Please guide.
Thanks

The request object should contain the information, e.g. use request.getRemoteUser().

Form Based Authentication in Tomcat, getting login and password

Sorry for my English.
How I can guess login and password strings of an user, from error page (JSP)using "Form Based Authentication of Tomcat"?
I need know it to lock the count each 3 error tries (if login is ok but
password is bad, insteed).
Methods 'getRemoteUser', 'isUserInRole' and 'getUserPrincipal' of
HttpServletRequest interface have this result: If no user has been
authenticated, returns null, false and null respectly. For this reason, they aren't utils for me.
If I don�t know login what user writed, I can't lock his/her count.
Exist solution for this? Thanks

hi i am also facing the same problem. could u please tell me how u overcame the situation ?
u will reallly pull me out of my troubles
thanx in advance
[email protected]

Form-based authentication problem with weblogic

Hi Everyone,
The following problem related to form-based authentication
was posted one week ago and no reponse. Can someone give it
a shot? One more thing is added here. When I try it on J2EE
server and do the same thing, I didn't encounter this error
message, and I am redirected to the homeage.
Thanks.
-John
I am using weblogic5.1 and RDBMSRealm as the security realm. I am having the following problem with the form-based authentication login mechanism. Does anyone have an idea what the problem is and how to solve it?
When I login my application and logout as normal procedure, it is OK. But if I login and use the browser's BACK button to back the login page and try to login as a new user, I got the following error message,
"Form based authentication failed. Could not find session."
When I check the LOG file, it gives me the following message,
"Form based authentication failed. One of the following reasons could cause it: HTTP sessions are disabled. An old session ID was stored in the browser."
Normally, if you login and want to relogin without logout first, it supposes to direct you to the existing user session. But I don't understand why it gave me this error. I also checked my property file, it appears that the HTTP sessions are enabled as follows,
weblogic.httpd.session.enable=true

Hi...
Hehe... I actually did implement the way you implement it. My login.jsp actually checks if the user is authenticated. If yes, then it will forward it to the home page. On the other hand, I used ServletAuthentication to solve the problem mentioned by Cameron where Form Authentication Failed usually occurs for the first login attempt. I'm also getting this error occasionally. Using ServletAuthentication totally eliminates the occurence of this problem.
I'm not using j_security_check anymore. ServletAuthentication does all the works. It also uses RDBMSRealm to authenticate the user. I think the biggest disadvantage I can see when using ServletAuthentication is that the requested resource will not be returned after authentication cause the page returned after authenticating the user is actually hard coded (for my case, it's the home.jsp)
cheers...
Jerson
"John Wang" <[email protected]> wrote:
>
Hi Jerson,
I tried your code this weekend, it didn't work in my case. But
I solved my specific problem other way. The idea behind my problem is that the user tries to relogin when he already logs in. Therefore, I just redirect the user into another page when he is getting the login page by htting the BACK button, rather than reauthenticate the user as the way you did.
But, I think your idea is very helpful if it could work. Problems such multiple concurrence logins can be solved by pre-processing.
In your new code, you solved the problem with a new approach. I am just wondering, do you still implement it with your login.jsp file? In other word, your action in login.jsp is still "Authenticate"? Where do you put the URL "j_security_check"?
Thanks.
-John
"Jerson Chua" <[email protected]> wrote:
I've solved the problem by using ServletAuthentication. So far I'm not getting the error message. One of the side effects is that it doesn't return the requested URI after authentication, it will always return the home page.
Jerson
package com.cyberj.catalyst.web;
import weblogic.servlet.security.*;
import javax.servlet.*;
import javax.servlet.http.*;
import java.io.*;
public class Authenticate extends HttpServlet {
private ServletAuthentication sa = new ServletAuthentication("j_username", "j_password");
public void doPost(HttpServletRequest request, HttpServletResponse response)
throws ServletException, java.io.IOException {
int authenticated = sa.weak(request, response);
if (authenticated == ServletAuthentication.NEEDS_CREDENTIALS ||
authenticated == ServletAuthentication.FAILED_AUTHENTICATION) {
response.sendRedirect("fail_login.jsp");
} else {
response.sendRedirect("Home.jsp");
public void doGet(HttpServletRequest request, HttpServletResponse response)
throws ServletException, java.io.IOException {
doPost(request, response);
"Jerson Chua" <[email protected]> wrote:
The problem is still there even if I use page redirection. Grrr... My boss wants me to solve this problem so what are the alternatives I can do? Are there any other ways of authenticating the user? In my web tier... I'm using isUserInRole, getRemoteUser and the web tier actually connects to EJBs. If I implement my custom authentication, I wouldn't be able to use this functionalities.
Has anyone solved this problem? I've tried the example itself and the same problem occurs.
Jerson
"Cameron Purdy" <[email protected]> wrote:
Jerson,
First try it redirected (raw) to see if that indeed is the problem ... then
if it works you can "fix" it the way you want.
Peace,
Cameron Purdy
Tangosol, Inc.
http://www.tangosol.com
+1.617.623.5782
WebLogic Consulting Available
"Jerson Chua" <[email protected]> wrote in message
news:[email protected]...
Hi...
Thanks for your suggestion... I've actually thought of that solution. Butusing page redirection will expose the user's password. I'm thinking of
another indirection where I will redirect it to another servlet but the
password is encrypted.
What do you think?
thanks....
Jerson
"Cameron Purdy" <[email protected]> wrote:
Maybe redirect to the current URL after killing the session to let the
request clean itself up. I don't think that a lot of the request (such
as
remote user) will be affected by killing the session until the nextrequest
comes in.
Peace,
Cameron Purdy
Tangosol, Inc.
http://www.tangosol.com
+1.617.623.5782
WebLogic Consulting Available
"Jerson Chua" <[email protected]> wrote in message
news:[email protected]...
Hello guys...
I've a solution but it doesn't work yet so I need your help. Because
one
of the reason for getting form base authentication failed is if an
authenticated user tries to login again. For example, the one mentionedby
John using the back button to go to the login page and when the user logsin
again, this error occurs.
So here's my solution
Instead of submitting the page to j_security_check, submit it to a
servlet
which will check if the user is logged in or not. If yes, invalidates its
session and forward it to j_security_check. But there's a problem in this
solution, eventhough the session.invalidate() (which actually logs theuser
out) is executed before forwarded to j_security_check, the user doesn't
immediately logged out. How did I know this, because after calling
session.invalidate, i tried calling request.RemoteUser() and it doesn't
return null. So I'm still getting the error. What I want to ask you guyis
how do I force logout before the j_security_check is called.
here's the code I did which the login.jsp actually submits to
import javax.servlet.*;
import javax.servlet.http.*;
import java.io.*;
public class Authenticate extends HttpServlet {
public void doPost(HttpServletRequest request, HttpServletResponseresponse)
throws ServletException, java.io.IOException {
if (request.getRemoteUser() != null) {
HttpSession session = request.getSession(false);
System.out.println(session.isNew());
session.invalidate();
Cookie[] cookies = request.getCookies();
for (int i = 0; i < cookies.length; i++) {
cookies.setMaxAge(0);
getServletContext().getRequestDispatcher("/j_security_check").forward(reques
t, response);
public void doGet(HttpServletRequest request, HttpServletResponseresponse)
throws ServletException, java.io.IOException {
doPost(request, response);
let's help each other to solve this problem. thanks.
Jerson
"Jerson Chua" <[email protected]> wrote:
I thought that this problem will be solved on sp6 but to my
disappointment, the problem is still there. I'm also using RDBMSRealm,same
as John.
Jerson
"Cameron Purdy" <[email protected]> wrote:
John,
1. You are using a single WL instance (i.e. not clustered) on that
NT
box
and doing so without a proxy (e.g. specifying http://localhost:7001),
correct?
2. BEA will pay more attention to the problem if you upgrade to SP6.If
you don't have a reason NOT to (e.g. a particular regression), then
you
should upgrade. That will save you one go-around with support: "Hi,I
am
on SP5 and I have a problem.", "Upgrade to SP6 to see if that fixes
it.
Call back if that doesn't work."
3. Make sure that you are not doing anything special before or after
J_SECURITY_CHECK ... make sure that you have everything configuredand
done
by the book.
4. Email BEA a bug report at [email protected] ... see what they say.
Peace,
Cameron Purdy
Tangosol, Inc.
http://www.tangosol.com
+1.617.623.5782
WebLogic Consulting Available
"John Wang" <[email protected]> wrote in message
news:[email protected]...
Cameron,
It seems to me that the problem I encountered is different a little
from
what you have, evrn though the error message is the same eventually.
Everytime I go through, I always get that error.
I am using weblogic5.1 and sp5 on NT4.0. Do you have any solutions
to
work
around this problem? If it was a BUG as you
pointed out, is there a way we can report it to the Weblogic
technical support and let them take a look?
Thnaks.
-John
"Cameron Purdy" <[email protected]> wrote:
John,
I will verify that I have seen this error now (after having read
about it
here for a few months) and it had the following characteristics:
1) It was intermittent, and appeared to be self-curing
2) It was not predictable, only seemed to occur at the first
login
attempt,
and may have been timing related
3) This was on Sun Solaris on a cluster of 2 Sparc 2xx's; the
proxy
was
Apache (Stronghold)
4) After researching the newsgroups, it appears that this "bug"
may
have gone away temporarily (?) in SP5 (although Jerson Chua
<[email protected]> mentioned that he still got it in SP5)
I was able to reproduce it most often by deleting the tmpwar and
tmp_deployments directories while the cluster was not running,
then
restarting the cluster. The first login attempt would fail(roughly
90%
of
the time?) and that server instance would then be ignored by the
proxy
for a
while (60 seconds?) -- meaning that the proxy would send all
traffic,
regardless of the number of "clients", to the other server in thecluster.
As far as I can tell, it is a bug in WebLogic, and probably has
been
there
for quite a while.
Peace,
Cameron Purdy
Tangosol, Inc.
http://www.tangosol.com
+1.617.623.5782
WebLogic Consulting Available
"John Wang" <[email protected]> wrote in message
news:[email protected]...
Hi Everyone,
The following problem related to form-based authentication
was posted one week ago and no reponse. Can someone give it
a shot? One more thing is added here. When I try it on J2EE
server and do the same thing, I didn't encounter this error
message, and I am redirected to the homeage.
Thanks.
-John
I am using weblogic5.1 and RDBMSRealm as the security realm. I
am
having
the following problem with the form-based authentication login
mechanism.
Does anyone have an idea what the problem is and how to solve it?
When I login my application and logout as normal procedure, it
is
OK.
But
if I login and use the browser's BACK button to back the login
page
and
try
to login as a new user, I got the following error message,
"Form based authentication failed. Could not find session."
When I check the LOG file, it gives me the following message,
"Form based authentication failed. One of the following reasons
could
cause it: HTTP sessions are disabled. An old session ID was stored
in
the
browser."
Normally, if you login and want to relogin without logout first,
it
supposes to direct you to the existing user session. But I don'tunderstand
why it gave me this error. I also checked my property file, it
appears
that
the HTTP sessions are enabled as follows,
weblogic.httpd.session.enable=true

Faces context not found (Form based authentication)

<security-constraint>
<display-name>Example Security Constraint</display-name>
<web-resource-collection>
<web-resource-name>Protected Area</web-resource-name>
<url-pattern>/jsp/WorkingZone.jsp</url-pattern>
<http-method>GET</http-method>
<http-method>POST</http-method>
</web-resource-collection>
<auth-constraint>
<role-name>manager</role-name>
</auth-constraint>
</security-constraint>
<login-config>
<auth-method>FORM</auth-method>
<realm-name>Example Form-Based Authentication Area</realm-name>
<form-login-config>
<form-login-page>/Login/login.jsp</form-login-page>
<form-error-page>/Login/error.jsp</form-error-page>
</form-login-config>
</login-config>
when i tried to login with valid user the the url shows
http://localhost:8080/FormAuth/jsp/WorkingZone.jsp
how to append faces context automatically.
I am not finding for this faces context.
Plz suggest me a solution soon.
Thanks
Raghavendra Pattar

The FacesContext is created by FacesServlet which is
definied in the web.xml with an url-pattern.
If you just follow the url-pattern of this
FacesServlet, usually /faces/ or *.faces, or *.jsf,
then the FacesContext will be created.Hi balu,
this is the web.xml that i am using
<?xml version="1.0" encoding="UTF-8"?>
<web-app xmlns="http://java.sun.com/xml/ns/j2ee" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" version="2.4" xsi:schemaLocation="http://java.sun.com/xml/ns/j2ee http://java.sun.com/xml/ns/j2ee/web-app_2_4.xsd">
<context-param>
    <param-name>javax.faces.STATE_SAVING_METHOD</param-name>
    <param-value>server</param-value>
</context-param>
<context-param>
    <param-name>javax.faces.CONFIG_FILES</param-name>
    <param-value>/WEB-INF/navigation.xml,/WEB-INF/managed-beans.xml</param-value>
</context-param>
<context-param>
    <param-name>com.sun.faces.validateXml</param-name>
    <param-value>true</param-value>
</context-param>
<context-param>
    <param-name>com.sun.faces.verifyObjects</param-name>
    <param-value>false</param-value>
</context-param>
<filter>
    <filter-name>UploadFilter</filter-name>
    <filter-class>com.sun.rave.web.ui.util.UploadFilter</filter-class>
    <init-param>
      <description>
          The maximum allowed upload size in bytes. If this is set
          to a negative value, there is no maximum. The default
          value is 1000000.
        </description>
      <param-name>maxSize</param-name>
      <param-value>1000000</param-value>
    </init-param>
    <init-param>
      <description>
          The size (in bytes) of an uploaded file which, if it is
          exceeded, will cause the file to be written directly to
          disk instead of stored in memory. Files smaller than or
          equal to this size will be stored in memory. The default
          value is 4096.
        </description>
      <param-name>sizeThreshold</param-name>
      <param-value>4096</param-value>
    </init-param>
</filter>
<filter-mapping>
    <filter-name>UploadFilter</filter-name>
    <servlet-name>Faces Servlet</servlet-name>
</filter-mapping>
<servlet>
    <servlet-name>Faces Servlet</servlet-name>
    <servlet-class>javax.faces.webapp.FacesServlet</servlet-class>
    <load-on-startup>1</load-on-startup>
</servlet>
<servlet>
    <servlet-name>ThemeServlet</servlet-name>
    <servlet-class>com.sun.rave.web.ui.theme.ThemeServlet</servlet-class>
</servlet>
<servlet-mapping>
    <servlet-name>Faces Servlet</servlet-name>
    <url-pattern>/faces/*</url-pattern>
</servlet-mapping>
<servlet-mapping>
    <servlet-name>ThemeServlet</servlet-name>
    <url-pattern>/theme/*</url-pattern>
</servlet-mapping>
<welcome-file-list>
    <welcome-file></welcome-file>
     </welcome-file-list>
<jsp-config>
    <jsp-property-group>
      <url-pattern>*.jspf</url-pattern>
      <is-xml>true</is-xml>
    </jsp-property-group>
</jsp-config>
<security-constraint>
    <display-name>Example Security Constraint</display-name>
    <web-resource-collection>
      <web-resource-name>Protected Area</web-resource-name>
      <url-pattern>/secure/*</url-pattern>
        <http-method>GET</http-method>
      <http-method>POST</http-method>
    </web-resource-collection>
    <auth-constraint>
      <role-name>manager</role-name>
    </auth-constraint>
</security-constraint>

<login-config>
    <auth-method>FORM</auth-method>
    <realm-name>Example Form-Based Authentication Area</realm-name>
    <form-login-config>
      <form-login-page>/Login/login.jsp</form-login-page>
      <form-error-page>/Login/error.jsp</form-error-page>
    </form-login-config>
</login-config>

<security-role>
    <role-name>manager</role-name>
</security-role>
</web-app>1)My requirement is Login page should be the first page
If enter the valid user and password
then i will get directory structure
when i click the secured JSF page inside secure
i got this URL
http://localhost/secure/WorkingZone.jsp
obiviously /faces is missing
and i am getting faces context not found.
If u need further clarification i will send u..
Plz reply me...

Big problem :anything is accepted by form-based authentication on Jboss

Hi there
I'm new to form-based authentication. I've been stuck on this problem for one and a half day. I set up the form-based authentication(with JDBC realm) on JBoss 3.2/Tomcat 5.0. When I visit the protected area, it did ask me for password. But it accepts whatever I input and forwards the desired page, even when I input nothing and just click on submit, it allows me to go through. No error message at all. I am in desperate need for help.
Here is my configuration. The web.xml is like this
<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE web-app PUBLIC "-//Sun Microsystems, Inc.//DTD Web Application 2.3//EN" "http://java.sun.com/dtd/web-app_2_3.dtd">
<web-app>
<display-name>LoginTest</display-name>
<security-constraint>
<display-name>Example Security Constraint</display-name>
<web-resource-collection>
<web-resource-name>Protected Area</web-resource-name>
<url-pattern>/*</url-pattern>
<http-method>DELETE</http-method>
<http-method>GET</http-method>
<http-method>POST</http-method>
<http-method>PUT</http-method>
</web-resource-collection>
<auth-constraint>
<role-name>manager</role-name>
</auth-constraint>
<user-data-constraint><transport-guarantee>NONE</transport-guarantee></user-data-constraint>
</security-constraint>

<login-config>
<auth-method>FORM</auth-method>
<form-login-config>
<form-login-page>/login.jsp</form-login-page>
<form-error-page>/error.jsp</form-error-page>
</form-login-config>
</login-config>
<security-role>
<description>Manager security role</description>
<role-name>manager</role-name>
</security-role>
</web-app>
I also add the following JDBC realm definition into the server.xml which is under jboss/server/default/deploy/jbossweb-tomcat50.sar
<Realm
className="org.apache.catalina.realm.JDBCRealm" debug="1"
driverName="org.gjt.mm.mysql.Driver"
connectionURL="jdbc:mysql://myipdadress:3306/field_bak"
connectionName="plankton"
connectionPassword="plankton"
userTable="users"
userNameCol="user_name"
userCredCol="user_pass"
userRoleTable="user_roles"
roleNameCol="role_name"
/>
The JDBC realm is enclosed by the <engine> element. I checked the server log file, when the jboss server is started, it does load the mysql driver correctly and connect to mysql database fine. If I changed the IP of the mysql server to a non-existing one, then when I start jboss server, the server boot process will complain about connection to mysql faiure.
I guess maybe the server doesn't do the authentication by connecting to mysql and verify it when I submit the log in form. It seems the JDBC realm authentication is bypassed. I notice that even I get rid of the JDBC realm definition from the server.xml file, and test the web application. It behaves exactly the same way. It asks me for password but anything will go through even nothing.
Can anybody help me about this? I'm really stuck on this.
Thanks a lot!

By the way, I did create database"field_bak" and the tables for the JDBC realm verification.
I also created the users and the roles.
But it seems like Tomcat container doesn't do the JDBC realm authentication.

FORM based Authentication issue on Sun ONE AS7

I am trying to use FORM based authentication for a web module I created, and can not get it to work. I have registered the roles through the admin console of the server, and adjusted the web.xml. When I try to use BASIC authentication, I get a 'Authentication refused for []' message before I even log in, and another one after I do. When I use FORM authentication, the URL points to my login.jsp page (no matter what I put in the path, which is what is supposed to happen), however my default servlet (hello.java) is actually run, and the login.jsp page never comes up. I created my jsps and servlet in the mounted [ejb]_WebModule. Please let me know if something seems incorrect here, or if you can think of something I should check...I can't find anything out there to help me.
Here is my web.xml:
<web-app>
<display-name>DiningGuideManager_TestApp</display-name>
<servlet>
<servlet-name>front</servlet-name>
<servlet-class>data.DiningGuideManager_WebModule.hello</servlet-class>
</servlet>
<servlet>
<servlet-name>myPage</servlet-name>
<jsp-file>/myPage.jsp</jsp-file>
</servlet>
<servlet-mapping>
<servlet-name>front</servlet-name>
<url-pattern>/*</url-pattern>
</servlet-mapping>
<session-config>
<session-timeout>30</session-timeout>
</session-config>
<security-constraint>
<web-resource-collection>
<web-resource-name>Security</web-resource-name>
<url-pattern>/*</url-pattern>
</web-resource-collection>
<auth-constraint>
<role-name>Me</role-name>
<role-name>EveryoneElse</role-name>
</auth-constraint>
</security-constraint>
<login-config>
<auth-method>BASIC</auth-method>
<realm-name>default</realm-name>
</login-config>
<security-role>
<role-name>Me</role-name>
</security-role>
<security-role>
<role-name>EveryoneElse</role-name>
</security-role>
<ejb-ref>
<ejb-ref-name>ejb/TestedEJB</ejb-ref-name>
<ejb-ref-type>Session</ejb-ref-type>
<home>data.DiningGuideManagerHome</home>
<remote>data.DiningGuideManager</remote>
<ejb-link>DiningGuideManager</ejb-link>
</ejb-ref>
</web-app>
for FORM authentication I have this:
<login-config>
<auth-method>FORM</auth-method>
<realm-name>default</realm-name>
<form-login-config>
<form-login-page>/login.jsp</form-login-page>
<form-error-page>/error.jsp</form-error-page>
</form-login-config>
</login-config>
Thanks,
Michelle

Yes there's a default generated index.jsp page that I'm having trouble overriding with one of my own. Have you used Form Based Authentication before? To do so you have edit the WEB-INF/web.xml file by adding:
<security-constraint>
<web-resource-collection>
<web-resource-name>Secure Area</web-resource-name>
<url-pattern>/test/secure/*</url-pattern>
</web-resource-collection>
<auth-constraint>
<role-name>admin</role-name>
</auth-constraint>
</security-constraint>
<login-config>
<auth-method>FORM</auth-method>
<form-login-config>
<form-login-page>/test/secure/loginpage.jsp</form-login-page>
<form-error-page>/test/secure/errorpage.jsp</form-error-page>
</form-login-config>
</login-config>
When you attempt to first go to any page in my /test/secure/ directory you get redirected to the /test/secure/loginpage.jsp where you have to login as a tomcat user, when succesfully logged on you get redirected to an index.jsp page which is NOT the one I created in test/secure/index.jsp. Even when I type in the url to go to my own test/secure/index.jsp I still don't get my own one that exists there, but instead get the default one that's generated that displays:
"Authentication Mechanism FORM".
Hope that makes more sense.
I've tried restarting tomcat but it makes no difference.

Error in form based authentication

Hi all,
i want 2 implement form based authentication to a dummy resource in iis.
first i created authentication as
Challenge Method Form
Challenge Parameter passthrough: no
creds: usernamevar passwordvar
action: /access/oblix/apps/webgate/bin/webgate.dll
form: /public/login.html
SSL Required No
Challenge Redirect
Enabled Yes
and configured a policy domain for a dummy resource test.html with form authentication schema. i kept that in a folder 'access' which was placed in iis. i mentioned the action attribute to '/access/test.html' in login.html through which i want to do authentication.
but when i am accessing http://*...*/test.html
i am getting http 404 error.
can anyone help me.
Thank you

Hi,
thanks for ur response. i make some changes to my configuration which was given in previous post. now i configured as follows:
i kept my test.html and login.html in the iis root folder. and i defined my policy as follows:
Name : form (policy name)
Enabled : Yes
Resource Resource Type :http
URL Prefix : /test.html
Description
Authorization Rules Name ---- Form authorization
Description ---
Enabled --- Yes
Allow takes precedence ----Yes
Allow Access Role---- Any one
Default Rules
Authentication Rule
name of the authentication: policy form authentication
Authentication Scheme : Form authentication -----------------which was created in Access system console
Authorization Expression
Expression : Form authorization
Duplicate Actions: No policy defined for this Authorization Expression. The Access System level default policy for dealing with duplicate action headers will be employed.
Audit Rule
There is no Audit Rule defined.
Policy Name : form policy
Description :
Resource Type: http
Resource Operation(s) : POST
GET
Resource : all
Authentication Rule
policy auth. rule
Authentication Scheme Form authentication
Authorization Expression
There is no Authorization Expression defined.
Audit Rule
There is no Audit Rule defined.
Delegated Access Admins Delegate Rights
People Administrator
Grant Rights
There are no Delegated Access Admins with this right.
Basic Rights
There are no Delegated Access Admins with this right.
and i also created login.html with a method 'post' and pointed out the action to '/access/oblix/apps/webgate/bin/webgate.dll' . i placed it in IIS root folder.
now my auth. schema is as follows.
form: /login.html action:/access/oblix/apps/webgate/bin/webgate.dll passthrough: no creds: usernamevar passwordvar (which are names of fields in login.html)
and the plugin mapping is as follows:
credential_mapping:obMappingBase="cn=users,dc=orademo,dc=com", obMappingFilter="(&(&(objectclass=User)(sAMAccountName=%usernamevar%) )(|(!(obuseraccountcontrol=*))(obuseraccountcontrol=ACTIVATED)) )"
validate_password: obCredentialPassword="passwordvar"
so when i am accessing http://<hostname>/test.html
it is giving popup window like basic auth. schema. i am not getting my login page. and in that even i am logging as admin . it is saying unauthorized user.
please help me how to configure it.
Edited by: new2idm on Feb 17, 2010 9:19 PM
Edited by: new2idm on Feb 17, 2010 9:19 PM

Form Based Authentication Redirect URL

I'm using form based authentication in standalone OC4J 10.1.3.1. I have set the system property oc4j.formauth.redirect to true to force OC4J to redirect using 302 any successful authentication to j_security_check.
The problem is that the redirect URL loses any query parameters. Here's the raw HTTP being posted:
POST http://localhost:8988/manage/j_security_check HTTP/1.1
Host: mvakoc-pc.peoplesoft.com:8099
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.8.1.1) Gecko/20061204 Firefox/2.0.0.1
Accept: text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
Accept-Language: en-us,en;q=0.5
Accept-Encoding: gzip,deflate
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.7
Keep-Alive: 300
Connection: keep-alive
Referer: http://mvakoc-pc.peoplesoft.com:8099/manage/target?instanceName=denlcmlx1_entserver_1&targetType=entserver
Cookie: JSESSIONID=0a8b7ff6231c049914997fdb4ebb93b4854b0956862b; SignOnDefault=18438; e1AppState=
Content-Type: application/x-www-form-urlencoded
Content-Length: 62
X-Forwarded-For: 10.139.127.246
j_username=username&j_password=password&url=%2Fmanage%2Fhome
However the response back drops off the query parameters:
HTTP/1.1 302 Moved Temporarily
Date: Fri, 05 Jan 2007 21:59:22 GMT
Server: Oracle Containers for J2EE
Content-Length: 231
Connection: Keep-Alive
Keep-Alive: timeout=15, max=100
Location: http://mvakoc-pc.peoplesoft.com:8099/manage/target
<HTML><HEAD><TITLE>Redirect to http://mvakoc-pc.peoplesoft.com:8099/manage/target</TITLE></HEAD><BODY>http://mvakoc-pc.peoplesoft.com:8099/manage/target</BODY></HTML>
Any workaround?

It does not appear to be quite the same issue. That bug indicates that everything works fine in a standalone OC4J environment. This would be true with the use case specified as the original URL (/em/console/ias) does not include any query parameters. In my case the original URL contains query parameters so the ultimate redirected URL should also contain those.

How to get username from Form-based login

I am using form-based login in my web.xml file.
When I attempt to access a protected .jsp page, I get sent to my login page as expected.
When I enter my username/password successfully it forwards me to the .jsp page I was trying to go to, as expected.
From that .jsp page, how do I get the username/password info from the login form? I looked at the session attributes, request attributes, and request parameters, but I don't see anything. Does the form-based authentication remove these variables?
I need the username that is filled out in the login form, so that I can do custom work with it. I cannot ask the user for it again after they login, as that is inefficient and sloppy.

Found it.
request.getUserPrincipal().getName()

How To Use HttpUnit With FORM-based Authentication?

I'm just getting started with HttpUnit, and I'm having a problem:
How does one use HttpUnit with FORM-based authentication?
I have a Web app where I specify a number of protected URLs. When a user tries to invoke one of them in a browser, Tomcat 4.1.30 brings up a login page that I specified and asks for a username and password. The values given by the user is checked against the tomcat-users.xml file. If the user is valid, Tomcat
forwards the response from the original request. If invalid, an error page is displayed. The user is considered valid until either the session times out or the browser is closed.
Does HttpUnit have to log into the app every time I run a test? How does it manage subsequent pages after login?

I don't think that's true. HttpUnit is 100% Java and based on JUnit. HttpUnit has nothing to do with Apache, AFAIK. HttpUnit is for unit testing servlets and JSPs. Apache is a Web server. It doesn't have a servlet/JSP engine, unless you bolt Tomcat on top of it.
Perhaps we're talking about two different packages. - %

Form based authentication HTTP 403 access forbidden in WL 8.1

Hi there..
I found following message posted in April-2004 by Sandeep very useful.
I also ended up getting the following HTTP 403 Forbidden access error while using Pageflow controller and Form based authentication.
I noticed 2 things. If you have a normal webapp A, which is a plain old webapp (which does not use pageflow..workshop etc..) then the following error does not occur.
It only happens with those webapps which utilizes WL 8.1's pageflow features. Note that I am not using nested page flows. I just used 1 pageflow controller and wanted to have the form based login feature for the same.
BEA's samples on form authentication talks about nested page flows and javax.security.auth.login.FailedLoginException and etc.. are they only applicable to nested pageflows?
can't I use the same to capture failed login exception within a single controller?
I tried out putting FailedLoginException exception-handler in Global.app file but it didn't catch it. Only the following work around worked. is this a bug in WL 8.1 workshop? or I am missing something.
I would appreciate if someone can clear this doubt.
I am using WL 8.1 with sp3.
Rajesh
Hey guys,
I could find the solution for my problem. Here it is
We need to add following lines of code in the erro.jsp page.
<form action"j_security_check>
....write the error mesage....
</form>
You will get rid of "403 Forbidden page" error.
Thanks,
Sandip
[email protected] (Sandip Atkole) wrote in message news:<[email protected]>...
I am trying to set up Form-Based Authentication on WebLogic 8.1
The Problem:
If the user provides correct userid/password, he gets access to the
protected resource as required, but if he provides incorrect
userid/password, he gets a 403 Forbidden page, instead of getting the
login failure page.
The Descriptors:
WEB.XML
<login-config>
<auth-method>FORM</auth-method>
<form-login-config>
<form-login-page>/Login.jsp</form-login-page>
<form-error-page>/LoginError.jsp</form-error-page>
</form-login-config>
</login-config>
Why doesn't it redirect to "/LoginError.jsp" instead of showing the
403 Forbidden page?
Thanks in advance
Sandip

It seems like a bug. However when I explicitly reset the error using set status it worked for me. I added following code in my error jsp .
<%
     response.setHeader("conent-type","text/html");
     response.setStatus(200);
%>

Get j_username in form based authentication

Similar Messages

Maybe you are looking for