Help : Form based authentication - Forbidden 403

Hi,
I have created a web app that requires form based authentication when accessing certain pages.
Thus, I've created the entry in the web.xml accordingly and tested it on Tomcat, where it works fine.
When I redeployed the web app to WebLogic, normal access to pages works fine.
But when I try to access the restricted pages, the browser shows the error:
"Error 403--Forbidden
From RFC 2068 Hypertext Transfer Protocol -- HTTP/1.1:
10.4.4 403 Forbidden
The server understood the request, but is refusing to fulfill it.
Authorization will not help and the request SHOULD NOT be repeated.
I'm puzzled by the fact that it didn't even prompt me with the login page.
How can I fix the problem?
Or, which are the documents I should read?
I have gone through the WebLogic documentation briefly, but it either covers security management as a whole or just the security-constraint in the web app DD.
I'm new to WebLogic, so it's likely that I missed something very basic, and I'd appreciate anyone pointing that out to me.
Thanks for any advice.
Cheers.
Han Ming

It seems like a bug. However, when I explicitly reset the error using setStatus it worked for me. I added the following code in my error JSP.
<%
    // Override the 403 the container set so the error page is served as a normal page
    response.setHeader("Content-Type", "text/html");
    response.setStatus(200);
%>

Similar Messages

  • Form based authentication HTTP 403 access forbidden in WL 8.1

    Hi there..
    I found following message posted in April-2004 by Sandeep very useful.
    I also ended up getting the following HTTP 403 Forbidden access error while using the Pageflow controller and form based authentication.
    I noticed 2 things. If you have a normal webapp A, which is a plain old webapp (which does not use pageflow, workshop etc.), then the following error does not occur.
    It only happens with those webapps which utilize WL 8.1's pageflow features. Note that I am not using nested page flows. I just used 1 pageflow controller and wanted to have the form based login feature for the same.
    BEA's samples on form authentication talk about nested page flows and javax.security.auth.login.FailedLoginException etc. Are they only applicable to nested pageflows?
    Can't I use the same to capture the failed login exception within a single controller?
    I tried putting a FailedLoginException exception-handler in the Global.app file but it didn't catch it. Only the following workaround worked. Is this a bug in WL 8.1 workshop, or am I missing something?
    I would appreciate it if someone could clear up this doubt.
    I am using WL 8.1 with sp3.
    Rajesh
    Hey guys,
    I could find the solution for my problem. Here it is
    We need to add the following lines of code in the error.jsp page.
    <form action="j_security_check" method="post">
    ....write the error message....
    </form>
    You will get rid of the "403 Forbidden page" error.
    Thanks,
    Sandip
    [email protected] (Sandip Atkole) wrote in message news:<[email protected]>...
    I am trying to set up Form-Based Authentication on WebLogic 8.1
    The Problem:
    If the user provides the correct userid/password, he gets access to the protected resource as required, but if he provides an incorrect userid/password, he gets a 403 Forbidden page instead of the login failure page.
    The Descriptors:
    WEB.XML
    <login-config>
        <auth-method>FORM</auth-method>
        <form-login-config>
            <form-login-page>/Login.jsp</form-login-page>
            <form-error-page>/LoginError.jsp</form-error-page>
        </form-login-config>
    </login-config>
    Why doesn't it redirect to "/LoginError.jsp" instead of showing the
    403 Forbidden page?
    Thanks in advance
    Sandip

    It seems like a bug. However, when I explicitly reset the error using setStatus it worked for me. I added the following code in my error JSP.
    <%
        // Override the 403 the container set so the error page is served as a normal page
        response.setHeader("Content-Type", "text/html");
        response.setStatus(200);
    %>

  • Help: Form Based Authentication Failed

    Can someone from BEA help me with this? We're using the servlet's j_security_check to authenticate the user and from time to time, this message
    "Form based authentication failed. One of the following reasons could cause it:
    HTTP sessions are disabled.
    An old session ID was stored in the browser"
    pops out. How can we prevent this from happening?
    Thanks in advance...
    Jerson

    Please see the recent thread in the Security section dealing with the same message. (Search on "Form based authentication failed".) There appears to be at least one bug in WL that causes this, although I wouldn't rule out a config issue.
    At any rate, the error message printed out to the console (and log) is stupid. Chances are your problem has nothing to do with either an old session ID or sessions being disabled, both of which WebLogic should be able to tell you for sure if they were indeed the problem.
    Peace,
    Cameron Purdy
    Tangosol, Inc.
    http://www.tangosol.com
    +1.617.623.5782
    WebLogic Consulting Available

  • Help is needed on form-based authentication

    Hi,
    Form-based authentication is set up to protect an OID/SSO resource. Oracle Portal is registered with OID. A reverse proxy server is in the DMZ as front-end to Portal. At the new login page, after typing username/password and hitting the Login button, I get the original OID/SSO login page; typing username/password there gets me to the Portal landing page.
    The problem is that the OID/SSO login page shows up after the OID/SSO resource is protected by form-based authentication; it appears form-based authentication doesn't work properly with OID/SSO. At the new login page, if I type a wrong password, the page just flashes and doesn't go to the OID/SSO login page, so it seems user authentication with OAM can work.
    Form-based authentication works fine to protect a non-OSSO page, and if I use the Basic Over LDAP scheme to protect the OID/SSO resource, the login also works fine.
    Please help, thanks.

    It looks like the header variable (XXX_REMOTE_USER or whatever you're using) is not getting passed, so that the SSO login page appears. Given that the Basic over LDAP scheme works (I'm assuming that you simply switch schemes in the OAM Policy Domain to verify this?) the only thing I can think of is that you are setting the header variable in the authentication actions only. If this is the case, please try adding the header variable also to the Authorisation Success actions in the Policy Domain that protects /sso/auth/ and see if that makes a difference.
    Regards,
    Colin

  • Configuring tomcat for form based authentication-help badly needed

    Hi, I want to have form based or some other way of authentication for the users coming to my site. I have access only to web.xml, but in the Tomcat documentation it's given that I need to change server.xml and tomcat-users.xml. Can I make these changes in web.xml to implement it, or please tell me a way out of this. I even tried jGuard but it needs changes in the JVM, which are also not within my access.

    Hi,
    I'm a little confused. You wanted to know how to configure Tomcat for form based authentication, and I sent you an article on how to do that. Is there something more you need from me? You had offered 10 duke dollars for this post, and if there is more I can do I will help for the remaining amount, but I can't help you getting access to the Tomcat *.xml file.

  • Ask for help with form based authentication & authorization

    Hi:
    I encountered the following problem when I tried form based authentication & authorization (see the attached parts of the config files: web.xml, weblogic.xml & weblogic.properties).
    1. Authorization seems not to be invoked against the rules specified; it doesn't go to the login error page as long as the user/pwd match, even though the user does not have the necessary role.
    In the example below, user3 should be denied access to the signin page, but no login error page seems to be returned; actually I never see any page / error message which complains about the authorization / access control error.
    2. After authenticating correctly, I always get redirected to the / (context root) URL, instead of the URL prior to the login page, e.g. the signin page.
    Any idea?
    Thanks in advance.
    HaiMing
    Attached config files:
    web.xml
    <security-constraint>
        <web-resource-collection>
            <web-resource-name>MySecureBit1</web-resource-name>
            <description>no description</description>
            <url-pattern>/control/signin</url-pattern>
            <http-method>POST</http-method>
            <http-method>GET</http-method>
        </web-resource-collection>
    </security-constraint>
    <login-config>
        <auth-method>FORM</auth-method>
        <realm-name>default</realm-name>
        <form-login-config>
            <form-login-page>/control/formbasedlogin</form-login-page>
            <form-error-page>/control/formbasedloginerror</form-error-page>
        </form-login-config>
    </login-config>
    <security-role>
        <description>the customer role</description>
        <role-name>customer</role-name>
    </security-role>
    weblogic.xml
    <security-role-assignment>
        <role-name>customer</role-name>
        <principal-name>customer_group</principal-name>
    </security-role-assignment>
    weblogic.properties
    weblogic.password.user1=user1pass
    weblogic.password.user2=user2pass
    weblogic.password.user3=user3pass
    weblogic.security.group.customer_group=user1,user2

    Hi, Paul:
    Thanks a lot for your reply.
    Firstly, let me just correct a little in the attachment I put previously; I think I missed the following lines:
    <auth-constraint>
        <description>no description</description>
        <role-name>customer</role-name>
    </auth-constraint>
    So, user1 & user2 are in the customer group, but user3 is not, and /control/signin is protected by this security constraint. As a result, when anyone clicks the link to /control/signin, he is led to the login page. If he tries to login as user1 or user2, he should pass and be led to the original page (in this case /control/signin; in my code's logic, once /control/signin is reached it means that he has already logged in successfully and is redirected to the login success page). But if he tries to login as user3, he should only pass the authentication check, fail the authorization check, and be led to the login error page.
    What does not work as expected:
    1. user1 & user2 pass, but get redirected to /
    2. user3 also passes, because the debug message shows he also gets redirected to /, instead of the login error page
    (the login error page will be displayed only if I try to login as a user with either a wrong userid or a wrong password)
    3. One more thing I noticed after I first posted the message: the container does not remember the principal after 1. is done, not even for a while.
    And a similar configuration works under Tomcat 3.2.1 for all 3 points mentioned above.
    Any idea ?
    HaiMing
    "Paul Patrick" <[email protected]> wrote:
    If I understand what you're trying to do, everyone should get access to the login page since roles are not associated with principals until after they authenticate. If I follow what you specified in the XML files, authenticated users user1 and user2 are members of a group called customer_group.
    The principal customer_group (and therefore its members) is mapped in the weblogic.xml file to the role customer.
    I can't speak to the reason you're being redirected to the document root.
    Paul Patrick

  • Form based authentication problem....help!!!!

    Hey guys,
    I'm trying to use the form based authentication method to secure my web pages.
    This is the sample structure of the login page:
    <form action="j_security_check" method="post">
    <FONT SIZE="3" FACE="VERDANA">Company&nbsp;&nbsp;&nbsp;</FONT>
    <INPUT TYPE=TEXT NAME="Company" SIZE="20">
    <BR><BR><BR>
    <FONT SIZE="3" FACE="VERDANA">UserName&nbsp;&nbsp;</FONT>
    <INPUT TYPE=TEXT NAME="j_username" SIZE="20">
    <BR><BR><BR>
    <FONT SIZE="3" FACE="VERDANA">Password&nbsp;&nbsp;</FONT>
    <INPUT TYPE=PASSWORD NAME="j_password" SIZE="20">
    <BR>
    <FONT SIZE="3" FACE="VERDANA">
    <INPUT TYPE=SUBMIT VALUE="Log In"> </FONT>
    </form>
    This is what the "loginerror.jsp" page looks like :
    <%@ taglib uri="http://java.sun.com/jsp/jstl/core" prefix="c" %>
    <html>
    <head>
    <title>Login Error</title>
    </head>
    <body>
    <c:url var="url" value="http://localhost:8080/sbs/sbs"/>
    <h2>Invalid user name or password.</h2>
    <p>Please enter a username or password that is authorized to access this application. <a href="${url}">Click here</a> to try again.</p>
    </body>
    </html>
    This is what the sample response.jsp page looks like. This page should be displayed once the user logs in with the correct username & password:
    <html>
    <head>
    <title>ResponsePage</title>
    </head>
    <body>
    <center>
    <h2>
    Testing response Page
    </h2>
    </center>
    </body>
    </html>
    Please note: I'm using the J2EE 1.4 SDK and DEPLOY TOOL to set all the security requirements. I think I did almost everything right but I don't understand the error that is being displayed. It looks something like this:
    HTTP Status 400 - Invalid direct reference to form login page
    type Status report
    message Invalid direct reference to form login page
    description The request sent by the client was syntactically incorrect (Invalid direct reference to form login page).
    Sun-Java-System/Application-Server


  • Form based Authentication Help needed.

    I am using form based authentication to validate a user logging into the website.
    In the web.xml I am using code similar to the following:
    <!-- LOGIN AUTHENTICATION -->
    <login-config>
        <auth-method>FORM</auth-method>
        <realm-name>default</realm-name>
        <form-login-config>
            <form-login-page>login.jsp</form-login-page>
            <form-error-page>error.jsp</form-error-page>
        </form-login-config>
    </login-config>
    When session times out, and user clicks on any link on the webpage, the user is sent to the main login page, with a new session. I need to display a message on this page stating that the session timed out due to inactivity. How can I go about doing this? Is it possible to send user to a different page with this message? Thanks in advance.

    More details of this can be found in this link:
    http://java.sun.com/webservices/docs/1.2/tutorial/doc/Security5.html

  • Creating Form Based Authentication

    Hi,
    When I am creating Form Based Authentication, I am giving "webgate.dll" as the scheme in the action field of the login, but when I use it I get a 403 error for any user.
    Can anybody help me?

    There is a Metalink note on how to configure form based auth. Pretty straightforward.
    COREid 7.0.4: Setting Up Authentication Scheme in a NutShell
    Doc ID: Note:401944.1

  • Forms Based Authentication in Project Server 2013

    Hi,
    I have created a PWA web app with SQL Forms Based Authentication. I am able to login and able to see the Project Center page.
    But the Project Center Web Part is not getting displayed. I am also facing the same issue with the Enterprise Custom Fields and Lookup page:
    the page is blank.
    When a user tries to edit a user in the Manage Users page under Security, that page is also blank.
    The Projects ribbon doesn't show up.
    Users are not able to create projects.
    Kindly provide some pointers for the same.
    Thanks & regards,
    Divyang Agrawal

    Hi Kirtesh,
    Thanks for the response.
    The issue here is not related to hardware, but it is regarding the user not having appropriate rights to do the above mentioned operations.
    Are there a few more steps required for FBA, where a user needs to be given access rights explicitly?
    The users I have used so far have been added to the administrators group and have full rights on the system.
    Also, when I try to create a Project in the instance using CSOM code and passing the credentials of a user who is part of the Administrator Group, it gives me a 403 Forbidden exception.
    Kindly provide some inputs for the same.
    Regards,
    Divyang Agrawal

  • Behavior in form-based authentication

    Environment
    - WebLogic5.1 with SP8
    - WinNT 4.0 with SP5
    - JDK1.2.2
    When an authenticated user tries to access a resource that the user is not authorized to access, he/she is automatically forwarded to the login page and WebLogic loses the authentication information of that user.
    Then the user has to re-login to access resources that he/she has permissions for and previously accessed.
    My questions are:
    1. Is there any way to redirect the user who attempts to access unauthorized resources to an error page, not the login page, so that the user doesn't have to re-login to access authorized resources?
    2. If a user tries to access an unauthorized resource, shouldn't I be getting a 403 {SC_FORBIDDEN} error back?
    Is that correct? If so, I don't see why the following setting wouldn't work.
    <error-page>
        <error-code>403</error-code>
        <location>/errorpages/error.jsp?errorcode=403</location>
    </error-page>
    <error-page>
        <error-code>401</error-code>
        <location>/errorpages/error.jsp?errorcode=401</location>
    </error-page>
    <login-config>
        <auth-method>FORM</auth-method>
        <form-login-config>
            <form-login-page>/login.jsp</form-login-page>
            <form-error-page>/errorpages/error.jsp?errorcode=999</form-error-page>
        </form-login-config>
    </login-config>
    Thanks in advance for any help or comment.
    Sang

    Tom,
    Thanks for your comment. I appreciate it.
    I've tried what you suggested but there is still a problem.
    When a user is forwarded to the page specified as the login page in the xml, the identity of the user is already lost in the container.
    If you print the current user in the login.jsp by calling "request.getRemoteUser()", you'll get NULL.
    Although you go back to the JSP page you have already accessed, you have to go through the authentication over again.
    Is this correct authentication behavior?
    The following is an abstract of the form-based authentication process from the Servlet v2.2 spec.
    ============================================================================
    When a user attempts to access a protected web resource, the container checks if the user has been authenticated. If so, and dependent on the user's authority to access the resource, the requested web resource is activated and returned. If the user is not authenticated, all of the following steps occur:
    1. The login form associated with the security constraint is returned to the client. The URL path which triggered the authentication is stored by the container.
    2. The client fills out the form, including the username and password fields.
    3. The form is posted back to the server.
    4. The container processes the form to authenticate the user. If authentication fails, the error page is returned.
    5. The authenticated principal is checked to see if it is in an authorized role for accessing the original web request.
    6. The client is redirected to the original resource using the original stored URL path.
    If the user is not successfully authenticated, the error page is returned to the client. It is recommended that the error page contains information that allows the user to determine that the authorization failed.
    ============================================================================
    Although the procedure of form based authentication is well specified, the behavior of authorization is quite unclear.
    It doesn't specify what should be done and what happens to the state of the current identity in case of authorization failure.
    Is there any workaround solution for this problem?
    Thanks again.
    Sang
    Tom Mitchell <[email protected]> wrote in message
    news:[email protected]...
    Sang,
    The behavior you are seeing seems to be correct. You are logged in and try to hit a resource that you do not have access to. So, as far as the container knows, it is supposed to give you a chance to reauthenticate as someone who can access the new resource.
    If you have rights to both resources, you will not get prompted again.
    If I understand your desired behavior, you could have login take place "manually" - meaning you will have an explicit login button or link.
    Then you could have your login page, defined in the xml, actually be an error page that would not affect the current identity.
    Hope this helps.
    Tom Mitchell
    [email protected]
    Very Current Stoneham, MA Weather
    http://www.tom.org
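The six-step flow quoted above from the Servlet 2.2 spec, modelled as a small Python container. This is an added example, not code from any of the posters or from WebLogic; the users, group, role mapping and URL paths are the ones from HaiMing's web.xml, weblogic.xml and weblogic.properties earlier on this page, and the Session/Response classes are constructed. For the authorization-failure case the spec leaves open, the model does what Sang asks for in question 2: it returns 403 and keeps the principal, so only a bad password ever reaches the form-error-page.

```python
from dataclasses import dataclass
from typing import Optional

# Constructed realm mirroring HaiMing's weblogic.properties fragment.
PASSWORDS = {"user1": "user1pass", "user2": "user2pass", "user3": "user3pass"}
GROUPS = {"customer_group": {"user1", "user2"}}
# weblogic.xml: principal customer_group -> role customer
ROLE_ASSIGNMENTS = {"customer": {"customer_group"}}
# web.xml: security-constraint with auth-constraint role customer
CONSTRAINTS = {"/control/signin": {"customer"}}
LOGIN_PAGE = "/control/formbasedlogin"
ERROR_PAGE = "/control/formbasedloginerror"


@dataclass
class Session:
    principal: Optional[str] = None   # set by j_security_check on success
    saved_url: Optional[str] = None   # step 1: URL that triggered the login


@dataclass
class Response:
    status: int
    location: str = ""   # page served, or redirect target for a 302


def is_user_in_role(user: str, role: str) -> bool:
    """user -> group membership -> security-role-assignment -> role."""
    principals = ROLE_ASSIGNMENTS.get(role, set())
    return any(user in GROUPS.get(p, set()) for p in principals)


def authorized(user: str, url: str) -> bool:
    """True if url is unconstrained or the user holds one of its roles."""
    roles = CONSTRAINTS.get(url)
    return roles is None or any(is_user_in_role(user, r) for r in roles)


def handle_get(session: Session, url: str) -> Response:
    """A request for a resource, before or after login."""
    if url not in CONSTRAINTS:
        return Response(200, url)                 # unconstrained: just serve it
    if session.principal is None:
        session.saved_url = url                   # step 1: remember the URL...
        return Response(200, LOGIN_PAGE)          # ...and return the login form
    if not authorized(session.principal, url):
        # Authenticated but not in role: 403, and the principal stays in the
        # session so the user is not forced to log in again (Sang's question 1).
        return Response(403, "")
    return Response(200, url)


def handle_j_security_check(session: Session, j_username: str, j_password: str) -> Response:
    """Steps 3-6: the posted login form."""
    if PASSWORDS.get(j_username) != j_password:
        return Response(200, ERROR_PAGE)          # step 4: bad credentials
    session.principal = j_username
    # Without a saved URL (login page requested directly rather than via a
    # protected resource) there is nowhere to return to, hence the redirect to /.
    target = session.saved_url or "/"
    session.saved_url = None
    if not authorized(j_username, target):
        return Response(403, "")                  # step 5: wrong role -> 403
    return Response(302, target)                  # step 6: back to original URL


def login_flow(username: str, password: str, url: str = "/control/signin"):
    """Convenience: GET url, then POST j_security_check; return session and both responses."""
    session = Session()
    first = handle_get(session, url)
    check = handle_j_security_check(session, username, password)
    return session, first, check


if __name__ == "__main__":
    for user in ("user1", "user3"):
        session, first, check = login_flow(user, f"{user}pass")
        print(user, first, check, session)
```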

  • Issue with form based Authentication in three tier sharepoint 2013 environment.

    Hi,
    We are facing an issue with form based authentication in a three tier environment.
    We are able to add users to the database and in SharePoint.
    But we are not able to login with the created users.
    In single tier everything is working fine.
    Please help, it's urgent... Thanks in advance.
    Regards,
    Hari

    If the environments match, then it sounds like a Kerberos double-hop issue.
    Scott Brickey
    MCTS, MCPD, MCITP
    www.sbrickey.com
    Strategic Data Systems - for all your SharePoint needs

  • Error re-logging in after session timeout using form-based authentication

    Hello,
    We have a web app configured for form-based authentication. When the session times out, we're redirected to our login page as expected. However, after re-logging in, we are not redirected to the desired page (e.g., /faces/OurMainPage.jspx) but to /afr/page_lev_idle.gif.
    Do we have to do anything special for session timeouts?
    Thanks,
    Rico

    Some extra information that might help:
    After re-logging in, when we're at /afr/page_lev_idle.gif, we hit the browser Back button (showing the login page again) and then hit the browser Refresh/Reload button, and voila, we're at the page we expect to be.
    Rico

  • Logout Functionality in Form Based Authentication Not Working Properly

    Hi All,
    I am using Form Based Authentication in ADF. I followed these steps:
    1. Log in on the page.
    2. On the successful login page, copy the URL.
    3. Click on "Logout".
    4. Paste the URL in the login page and press Enter.
    5. The system takes me back to that page, where I can perform all the actions.
    But the login should not happen just by entering the URL. Please provide any help on how to stop redirecting to my authenticated page just by typing the URL. This is a big security constraint. Any assistance with this is highly appreciated.
    Thanks & Regards
    Lovenish Garg

    Hi BaiG,
    For login I am using form based authentication, and for logout here is my code:
    import java.io.IOException;
    import java.util.logging.Logger;
    import javax.faces.context.ExternalContext;
    import javax.faces.context.FacesContext;
    import javax.servlet.http.HttpServletResponse;
    import javax.servlet.http.HttpSession;

    private static final Logger logger = Logger.getLogger("LogoutBean");

    public void logout() {
        ExternalContext ectx = FacesContext.getCurrentInstance().getExternalContext();
        HttpServletResponse response = (HttpServletResponse) ectx.getResponse();
        HttpSession session = (HttpSession) ectx.getSession(false);
        if (session != null) {   // getSession(false) returns null when there is no session
            session.invalidate();
        }
        // Keep the browser from serving the authenticated page from its cache
        response.setHeader("Cache-Control", "no-cache");
        response.setHeader("Expires", "0");
        response.setHeader("Pragma", "no-cache");
        try {
            response.sendRedirect("AdminLogin.html");
        } catch (IOException e) {
            logger.severe(e.getMessage());
        }
        // Inform JSF to not take the response in hands
        FacesContext.getCurrentInstance().responseComplete();
        logger.info("session invalidated");
    }
    Thanks,
    Lovenish Garg

  • J_security_check in form-based authentication - not checking for blank passwords

    I am using the LDAP Security Realm to authenticate against an iPlanet
    Directory Server. All works as expected when a user-id and password
    are entered for form-based authentication.
    However, when a userid is entered but no password, j_security_check logs the user in successfully. Apparently, this is correct LDAP behaviour as anonymous login to the LDAP server is permitted. It seems that the j_security_check servlet should check for blank passwords before trying to authenticate against the LDAP server and fail authentication if this is the case.
    Has anyone else experienced this problem?

    Hi Brian,
    I do not believe it is j_security_check's job to check for blank
    passwords.
    In many security realms, it is "legal" for a user to have a blank
    password. j_security_check forwards whatever password was entered so that
    even users with blank passwords can be authenticated by the realm on the
    backend. For this reason I believe that j_security_check is "doing the
    right thing" by just forwarding whatever is presented to it, rather than
    having its own logic. It is best if j_security_check just acts as a very
    dumb middle man.
    If behavior was altered, it is true that your particular problem would be
    solved, but then many other people would have a problem with their users
    with blank passwords authenticating properly...
    Try looking into how to disable anonymous logins on the LDAP end of
    things. Hope this helps.
    Cheers,
    Joe Jerry
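The blank-password case Brian describes and the two places it can be closed (on the LDAP side, as Joe suggests, or with a check before the bind), modelled in Python. This is an added example, not code from the thread or from WebLogic's LDAP realm; the bind classification follows RFC 4513 section 5.1, and the Directory class, DN and password are constructed.

```python
from dataclasses import dataclass

# RFC 4513 section 5.1 distinguishes three simple-bind cases. Brian's symptom is
# the middle one: a name with a zero-length password is an *unauthenticated*
# bind, which (if the server allows it) succeeds with an anonymous authorization
# state rather than failing.
ANONYMOUS = "anonymous"              # empty name, empty password
UNAUTHENTICATED = "unauthenticated"  # non-empty name, empty password
NAME_PASSWORD = "name/password"      # non-empty name and password


def classify_bind(name: str, password: str) -> str:
    if not name and not password:
        return ANONYMOUS
    if name and not password:
        return UNAUTHENTICATED
    return NAME_PASSWORD


@dataclass
class BindResult:
    success: bool
    authz_id: str          # "" is the anonymous authorization state
    diagnostic: str = ""   # LDAP resultCode name on failure


class Directory:
    """Toy directory server. allow_unauthenticated=True mirrors a server that
    permits the unauthenticated bind, as the iPlanet server in the thread does."""

    def __init__(self, entries: dict, allow_unauthenticated: bool):
        self.entries = entries                        # dn -> userPassword (constructed)
        self.allow_unauthenticated = allow_unauthenticated

    def simple_bind(self, name: str, password: str) -> BindResult:
        kind = classify_bind(name, password)
        if kind == ANONYMOUS:
            return BindResult(True, "")
        if kind == UNAUTHENTICATED:
            if self.allow_unauthenticated:
                return BindResult(True, "")           # "success", but anonymous
            # RFC 4513 5.1.2: servers SHOULD by default fail these requests
            return BindResult(False, "", "unwillingToPerform")
        if self.entries.get(name) == password:
            return BindResult(True, name)
        return BindResult(False, "", "invalidCredentials")


def naive_login(directory: Directory, dn: str, password: str) -> bool:
    """What the thread describes: forward the credentials as-is and treat any
    successful bind as a logged-in user."""
    return directory.simple_bind(dn, password).success


def guarded_login(directory: Directory, dn: str, password: str) -> bool:
    """Application-side guard: refuse empty credentials before binding, and only
    accept a bind that yielded a non-anonymous authorization identity."""
    if not dn or not password:
        return False
    result = directory.simple_bind(dn, password)
    return result.success and result.authz_id == dn


# Constructed sample directory with one user; "s3cret" is a placeholder.
BRIAN_DN = "uid=brian,ou=people,dc=example,dc=com"
ENTRIES = {BRIAN_DN: "s3cret"}
LAX_DIRECTORY = Directory(ENTRIES, allow_unauthenticated=True)
STRICT_DIRECTORY = Directory(ENTRIES, allow_unauthenticated=False)

if __name__ == "__main__":
    print("naive, lax server, blank password:   ", naive_login(LAX_DIRECTORY, BRIAN_DN, ""))
    print("naive, strict server, blank password:", naive_login(STRICT_DIRECTORY, BRIAN_DN, ""))
    print("guarded, lax server, blank password: ", guarded_login(LAX_DIRECTORY, BRIAN_DN, ""))
```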
