IP based security with JSP?

Similar Messages

• Document security with JSP

  Hi,
  I was wondering if anyone could help or give me some ideas for this problem I have.
  The web site that I'm developing uses jsp. It has a public section and a private section that requires a username and password to log in to it. Users have the ability to upload reports to the site, which can be of various formats, including HTML (Preferably), PDF, Word, and Excel. They can also mark these reports as private, so that only people that are logged in can view them, although at the moment this just doesn't show the link on the public pages.
  The problem is that people can access the reports directly using the URL without logging in (admitedly they would have to know the URL first), but they could enter, for example,
  http://www.my-domain.com/reports/myreport.doc
  This means there's nothing to stop them accessing these private documents.
  Is there a way of placing the reports outside the browsable tomcat tree and then use the JSP to display it, or the other option I can think of is to use windows security on the folder, but I wouldn't know how to let the JSP access it without opening it up to anonymous users.
  Does anyone have any ideas?
  If you have any questions just reply to this post and I'll get back to you.
  Thanks,
  Dave.

  You need to take a look at reamls:
  http://jakarta.apache.org/tomcat/tomcat-4.1-doc/realm-howto.html
  In short, you define your realm, which is used to authentify your users.
  Then, you set constraints in your web.xml file (it can be as specific as a file, or as generic as a whole folder).
  If someone type a url towards a protected file, they will automagically be redirected towards a login page.
  Hope this helps!
  Don't hesitate to ask if you have more questions.
  Patrick

• SAP IDM position based security with user in multiple positions

  Hi,
  In case of Higher Duties, we have a scenario where a user can have multiple positions with access to the business roles of both the positions.
  The design is to have one business role assigned to one position so that the user can have all the access he requires.
  In case of higher duties, we see an exception.
  Has anyone implemented such a scenario?
  Inputs/advices are much valued.
  Thanks
  Chaitanya

  Hi Chaitanya,
  Is it possible to assign more than one position to an employee in HCM?
  If so, there is many ways of dealing with that from IDM side, I don't know precisely your business requirement, what you need to maintain and what should be dynamic, but i can suggest you to :
  1. Translate every position you receive from HR to a Business role and assign as many Business roles you want to the same user.
  From HCM you will receive :
  Employee :
  - Z_POSITION_ID1 :1
  - Z_POSITION_ID2 : 2
  In IDM
  Employee
  - Member of BR1
  - Member of BR2
  2. If you have a lot of attributes related to HR position on user (link user-position) to maintain , then create a custom Object in IDM (entrytype Z_POSITION).
  You wil be able to manage relations much easier than a simple relation (One-to-one attribute)
  Otherwise, It worth to look over this blog for general design of HCM integration :
  How to optimize identities’ lifecycle management in your information system using SAP HR events?
  Fadoua

• Using Position Based Security with BI

  Hi
  Has anyone been involved in an implementation where you can assign BI roles to Positions (organisational structure maintained in R/3).  If so, what configuration is involved?

  Hi,
  After replying I realised that this may not be answering your question exactly, but it is the approach that I would adopt.
  Not sure if it feasible for your landscape but I would use a CUA for this approach - in long run I find it to be a good approach especially if you are adding more SAP appllications to your landscape.
  Firstly, set-up ALE for the org structure from R/3 to your CUA client.
  I would then create composite roles in the CUA client, which include roles for both R/3 and BI. These would then be assigned to the positions in the HR Org structure.
  To create the composite roles, read roles into your CUA client via RFC - note that this is not the text comparison for CUA, but reading roles from other systems via RFC through PFCG. Once you read the roles in you will notice that the RFC destination is maintained in the menu tab of roles that have been imported. Then when you create the composite roles containing R/3 and BI roles you will see that the target system is maintained. If you use the variable mentioned below, it achieves the same thing but makes future maintenance easier.
  Creating the composite roles does mean additional maintenance upfront, but before you begin I would make use of the table SSM_RFC. Through this you could assign a variable to a RFC destination, you can use the same variable name in DEV, QA & PRD but have different RFC destinations allocated. This means that you can transport roles from the DEV CUA to PRD CUA without having to maintain the roles.
  In CUA you would need to set the role distribution properties to global in transaction SCUM.
  When you assign a composite role to either a user in CUA you will notice that it will complete all the system assignments as defined in your composite role. If you allocate to a position, then it would do the same thing provided the the IT105 is maintained for the employee and position assignment is valid - once you run the user compare it will update the user master and distribute.
  I hope that provides you will some ideas.....
  Regards
  Edited by: S Morar on Apr 10, 2008 1:23 PM

• JHeadStart Security problem-error page cannot be found- role based security

  JHeadStart Security problem-error page cannot be found- role based security
  Good morning! How are you? I would need some help in a jheadstart 10.1.3.2 security case and I was wondering if you could give me a hand to go on. I create the Model project with tables of oe schema. Then in JHeadStart to perform security I follow the following steps: In ViewController/WEB-INF/web.xml – properties I do the following: login configuration: http basic authentication rfc 7617: realm:jazn.com
  Security roles : I define two roles: customer and administrator , Security Constraints: web_resources: All_pages, Url Patterns: faces/*. Then in Tools/Embedded OC4J Preferences/Global/Authentication JAZN/Realms/jazn.com/users: I define two users c1, password c1 and a1,password a1, roles/member users/ I attribute the roles to the relevant users c1—customer and a1—administrator. Then in application definition editor on service level I define security/use role based authorization=true , authorization type: JAAS and when access denied go to next group=true. On group level e.g.: ProductInformation: Authorization/Authorized Roles Permissions: administrator.On item level : Orders/Items/OrderTotal/Operations/Update Allowed: #{jhsUserRoles['administrator']},Then I generate the pages (run the jag) . The generation is completed successfully but when I run the View Controller project a “the website declined to show this webpage…(page cannot be found)’ is displayed. What should I do? I would appreciate it if you would help me on this issue! Thank you very much.

  Thand you very much for your reply! Unfortunately there is a specific restriction-convention in the project I work in. I am supposed to perform role based security with my own tables and no by the jheadstart’s ones. Could you find out what is my fault with the steps I follow trying to perform the process?
  To remind you my steps I paste the following again:
  JHeadStart Security problem-error page cannot be found- role based security
  Good morning! How are you? I would need some help in a jheadstart 10.1.3.2 security case and I was wondering if you could give me a hand to go on. I create the Model project with tables of oe schema. Then in JHeadStart to perform security I follow the following steps: In ViewController/WEB-INF/web.xml – properties I do the following: login configuration: http basic authentication rfc 7617: realm:jazn.com
  Security roles : I define two roles: customer and administrator , Security Constraints: web_resources: All_pages, Url Patterns: faces/*. Then in Tools/Embedded OC4J Preferences/Global/Authentication JAZN/Realms/jazn.com/users: I define two users c1, password c1 and a1,password a1, roles/member users/ I attribute the roles to the relevant users c1—customer and a1—administrator. Then in application definition editor on service level I define security/use role based authorization=true , authorization type: JAAS and when access denied go to next group=true. On group level e.g.: ProductInformation: Authorization/Authorized Roles Permissions: administrator.On item level : Orders/Items/OrderTotal/Operations/Update Allowed: #{jhsUserRoles['administrator']},Then I generate the pages (run the jag) . The generation is completed successfully but when I run the View Controller project a “the website declined to show this webpage…(page cannot be found)’ is displayed. What should I do? I would appreciate it if you would help me on this issue! Thank you very much.

• Transport  of code based security

  Hello,
  we have WAS 6.40 and we have a lot of differents views in the key storage services, and also a lot of entries in everyone. We granted the domains to every different view and entry, so we have a lot of rules of code based security with differents domains-views-entries.
  The problem is that we want to transport that configuration of code security of the WAS 6.40 from our development enviroment to production enviroment and we don't want to recreate by hand all the code based security, because is a lot of work. Anybody knows how to transport the assigned code domains of every view to the production system? When we save the view, the code domains isn't saved in the file.
  Thanks a lot,
  Daniel Sutil

  Yes, your main security is based on Enterprise groups. This way if something changes on SAP end, group disapears etc.. Your BO security is intact.
  As sub members of Enterprise group SAP group/role will inherit all the parent security.
  On deleting the groups, I think you have to unmap them from SAP page in Authentication.....  Haven't played with that part much, sorry.

• What is the mean of using Portal with Role Based security as entry point

  Hi Experts we have requirement of integration of Portal and MDM
  I am completely new to the MDM. So please give me some idea , what is the meanin for following points.
  1) Using the Portal with Role Based security as entry point for capacity and Routing Maintaince(These two are some modules).
  2) Additionally , Portal should have capability to enter in to the MDM for future master data maintence. Feeds of data will need to be come from  SAP 4.6c
  Please give me the clarity of what is the meanin of second point
  Regards
  Vijay

  Hi
  It requires the entire land scape like EP server and MDM server both should be configured in SLD.
  Your requirement is maintaing and updating the MDM data with Enterprise portal.We have some Business Packages to install in Portal inorder to access the functionality of MDM.
  Portal gives you a secure role based functionality of MDM through Single sign on (login into the portal access any application) to their end users.
  Please go through this link
  http://help.sap.com/saphelp_mdmgds55/helpdata/EN/45/c8cd92dc7f4ebbe10000000a11466f/frameset.htm
  You need to develope some custom applications which should be integrated into the portal to access MDM Server master data
  The estimation involves as per your requirement clearly
  Its depends upon the Landscape settings, Requirement complexity,Identify how many number of custom applications need to be developed
  Regards
  Kalyan

• Authentification and Security in WebApp with JSP

  Hello to all.
  I'm developing a Web Applications with JSP's. To use the application a user must first Login.
  To restrict access via URL typing I have included in every JSP page a user_logged_in_check page that verifies that the user is logged in, and if not redirects to the Login page.
  The problem is that I must not forget to include that page in all my JSPs, and if the name of the page changes, it must be changed everywhere (though a search/replace might do the job just fine).
  I used this approach because is not server dependent (such as the Tomcat Realms example I have seen on this forum).
  Is there a better strategy?
  Is there a way to enforce security check and not rely on my attention ;)?
  Is there a pattern that solves the problem?
  Any help would be greatly appreciated.

  The first and biggest disadvantage is the repetitive coding - what happens if you realise that you need to change something - you will need to modify each of your JSP files. The chances of someone forgetting to add it in are a security risk.
  Secondly, using the web server's mechanism, in most cases, would mean that you are using a proven and much more stable security mechanism then you can whip up.
  For example, in Weblogic, you can configure a JAAS provider -- that means you are not limited to using uname/password. Your customer may have an enterprise wide single sign on policy that is supported by the JAAS provider and you can use it straight away - by just making a declarative change in the web*.xml files.
  If you must, use the Filter class (its a Servlet class, I checked after I had posted) as described in the Intercepting Filter pattern - at least thats a standard approach and will cut down on you having to rely on adding a snip of code to each of your JSPs.

• Reseeding cache for users with role based security

  I have role based security and trying to set up cache by purging all cache and later seeding cache by query. The query would be different for different users. What is the best way to purge all cache and reseed cache for administrator as well as all users. The EPT would purge cache based on updated tables. But how do I next go about reseeding cache for better performance to all the users. Thanks.

  I have created an ibot with the following:
  General - Normal Priority, Personalized (recipient's data visibility)
  Conditional Request - example_report
  Schedule - some schedule
  Recipients - Me(administrator) and User1
  Destinations - Oracle BI Server cache
  when the ibot runs 2 cache entries are created (for the 2 recipients).
  I have the report (example_report) on the dashboard (1 dashboard, 1 page, 1 report).
  After the ibot runs:
  When the administrator logs in first, there is a cache hit on the report. Followed by when the User1 logs in there is NO cache hit.
  On the other hand when the User1 logs in first, there is a cache hit on the report. Followed by when the administrator logs in there is no cache hit. The query log creates a Query issued to the database instead of cache hit on query.
  The User1 has a data level security.
  Please let me know where was I making an error in setting the ibot and how to get the cache seeding work for the different users with different role based security.
  Thanks for your inputs.

• Prblem with testing container-based security apps with JSC/AppServer 8...

  not sure whether this is a JSC or an AppServer issue, correct me if neccessary...
  I'm using container based security to dicate logic based upon user names & roles for my test JSC app. The problem is that when I run the app by autodeploying it to my Sun AppServer 8 instance (same machine, WinXP Pro) the security settings eems to be cached. That is, if I change the security roles or permissions in the container by editing the web.xml file the changes aren't reflected in the app upon redeployment. I have to copy it to a new directory and deploy as a new app to see any security change. It seems that the old usernames and roles are cached -even if I manually restart the app server. Is this a JSC or an ApPServer issue? Am I missing something? Is there an easier way for me reset security data when testing an application? Thanx in advance...
  -J

  while your solution may technically work, it is unusable to me because I can't successfully deploy a war file using JSC after I've manually added container-based descriptors to the web.xml file. In order for me even to be able to deploy the app I need to modify web.xml and sun-web.xml by hand in the build directory

• Does auto provisioning work with position based security

  We are implementing GRC 5.3 and use position based security.  I am able to run risk analysis for position based security but now we want to use CUP and push our roles to the positions.  And finally we want to associate the user to the position.  We want to do all of this through GRC.  Is this possible?
  Thanks!

  Peggy,
     For this to work, click on the tab (on top) which says by system. Here you can set up autoprovisioning by system. If you have 5.2, I don't know if this is available or not but it is available in 5.3.
  Regards,
  Alpesh

• Using container managed form-based security in JSF

  h1. Using container managed, form-based security in a JSF web app.
  A Practical Solution
  h2. {color:#993300}*But first, some background on the problem*{color}
  The Form components available in JSF will not let you specify the target action, everything is a post-back. When using container security, however, you have to specifically submit to the magic action j_security_check to trigger authentication. This means that the only way to do this in a JSF page is to use an HTML form tag enclosed in verbatim tags. This has the side effect that the post is not handled by JSF at all meaning you can't take advantage of normal JSF functionality such as validators, plus you have a horrible chimera of a page containing both markup and components. This screws up things like skinning. ([credit to Duncan Mills in this 2 years old article|http://groundside.com/blog/DuncanMills.php?title=j2ee_security_a_jsf_based_login_form&more=1&c=1&tb=1&pb=1]).
  In this solution, I will use a pure JSF page as the login page that the end user interacts with. This page will simply gather the input for the username and password and pass that on to a plain old jsp proxy to do the actual submit. This will avoid the whole problem of having to use verbatim tags or a mixture of JSF and JSP in the user view.
  h2. {color:#993300}*Step 1: Configure the Security Realm in the Web App Container*{color}
  What is a container? A container is basically a security framework that is implemented directly by whatever app server you are running, in my case Glassfish v2ur2 that comes with Netbeans 6.1. Your container can have multiple security realms. Each realm manages a definition of the security "*principles*" that are defined to interact with your application. A security principle is basically just a user of the system that is defined by three fields:
  - Username
  - Group
  - Password
  The security realm can be set up to authenticate using a simple file, or through JDBC, or LDAP, and more. In my case, I am using a "file" based realm. The users are statically defined directly through the app server interface. Here's how to do it (on Glassfish):
  1. Start up your app server and log into the admin interface (http://localhost:4848)
  2. Drill down into Configuration > Security > Realms.
  3. Here you will see the default realms defined on the server. Drill down into the file realm.
  4. There is no need to change any of the default settings. Click the Manage Users button.
  5. Create a new user by entering username/password.
  Note: If you enter a group name then you will be able to define permissions based on group in your app, which is much more usefull in a real app.
  I entered a group named "Users" since my app will only have one set of permissions and all users should be authenticated and treated the same.
  That way I will be able to set permissions to resources for the "Users" group that will apply to all users that have this group assigned.
  TIP: After you get everything working, you can hook it all up to JDBC instead of "file" so that you can manage your users in a database.
  h2. {color:#993300}*Step 2: Create the project*{color}
  Since I'm a newbie to JSF, I am using Netbeans 6.1 so that I can play around with all of the fancy Visual Web JavaServer Faces components and the visual designer.
  1. Start by creating a new Visual Web JSF project.
  2. Next, create a new subfolder under your web root called "secure". This is the folder that we will define a Security Constraint for in a later step, so that any user trying to access any page in this folder will be redirected to a login page to sign in, if they haven't already.
  h2. {color:#993300}*Step 3: Create the JSF and JSP files*{color}
  In my very simple project I have 3 pages set up. Create the following files using the default templates in Netbeans 6.1:
  1. login.jsp (A Visual Web JSF file)
  2. loginproxy.jspx (A plain JSPX file)
  3. secure/securepage.jsp (A Visual Web JSF file... Note that it is in the sub-folder named secure)
  Code follows for each of the files:
  h3. {color:#ff6600}*First we need to add a navigation rule to faces-config.xml:*{color}
      <navigation-rule>
  <from-view-id>/login.jsp</from-view-id>
          <navigation-case>
  <from-outcome>loginproxy</from-outcome>
  <to-view-id>/loginproxy.jspx</to-view-id>
          </navigation-case>
      </navigation-rule>
  NOTE: This navigation rule simply forwards the request to loginproxy.jspx whenever the user clicks the submit button. The button1_action() method below returns the "loginproxy" case to make this happen.
  h3. {color:#ff6600}*login.jsp -- A very simple Visual Web JSF file with two input fields and a button:*{color}
  <?xml version="1.0" encoding="UTF-8"?>
  <jsp:root version="2.1"
  xmlns:f="http://java.sun.com/jsf/core"
  xmlns:h="http://java.sun.com/jsf/html"
  xmlns:jsp="http://java.sun.com/JSP/Page"
  xmlns:webuijsf="http://www.sun.com/webui/webuijsf">
      <jsp:directive.page
  contentType="text/html;charset=UTF-8"
  pageEncoding="UTF-8"/>
      <f:view>
          <webuijsf:page
  id="page1">
  <webuijsf:html id="html1">
  <webuijsf:head id="head1">
  <webuijsf:link id="link1"
  url="/resources/stylesheet.css"/>
  </webuijsf:head>
  <webuijsf:body id="body1" style="-rave-layout: grid">
  <webuijsf:form id="form1">
  <webuijsf:textField binding="#{login.username}"
  id="username" style="position: absolute; left: 216px; top:
  96px"/>
  <webuijsf:passwordField binding="#{login.password}" id="password"
  style="left: 216px; top: 144px; position: absolute"/>
  <webuijsf:button actionExpression="#{login.button1_action}"
  id="button1" style="position: absolute; left: 216px; top:
  216px" text="GO"/>
  </webuijsf:form>
  </webuijsf:body>
  </webuijsf:html>
          </webuijsf:page>
      </f:view>
  </jsp:root>h3. *login.java -- implent the
  button1_action() method in the login.java backing bean*
      public String button1_action() {
          setValue("#{requestScope.username}",
  (String)username.getValue());
  setValue("#{requestScope.password}", (String)password.getValue());
          return "loginproxy";
      }h3. {color:#ff6600}*loginproxy.jspx -- a login proxy that the user never sees. The onload="document.forms[0].submit()" automatically submits the form as soon as it is rendered in the browser.*{color}
  {code}
  <?xml version="1.0" encoding="UTF-8"?>
  <jsp:root xmlns:jsp="http://java.sun.com/JSP/Page"
  version="2.0">
  <jsp:output omit-xml-declaration="true" doctype-root-element="HTML"
  doctype-system="http://www.w3.org/TR/html4/loose.dtd"
  doctype-public="-W3CDTD HTML 4.01 Transitional//EN"/>
  <jsp:directive.page contentType="text/html"
  pageEncoding="UTF-8"/>
  <html>
  <head> <meta
  http-equiv="Content-Type" content="text/html;
  charset=UTF-8"/>
  <title>Logging in...</title>
  </head>
  <body
  onload="document.forms[0].submit()">
  <form
  action="j_security_check" method="POST">
  <input type="hidden" name="j_username"
  value="${requestScope.username}" />
  <input type="hidden" name="j_password"
  value="${requestScope.password}" />
  </form>
  </body>
  </html>
  </jsp:root>
  {code}
  h3. {color:#ff6600}*secure/securepage.jsp -- A simple JSF{color}
  target page, placed in the secure folder to test access*
  {code}
  <?xml version="1.0" encoding="UTF-8"?>
  <jsp:root version="2.1"
  xmlns:f="http://java.sun.com/jsf/core"
  xmlns:h="http://java.sun.com/jsf/html"
  xmlns:jsp="http://java.sun.com/JSP/Page" xmlns:webuijsf="http://www.sun.com/webui/webuijsf">
  <jsp:directive.page
  contentType="text/html;charset=UTF-8"
  pageEncoding="UTF-8"/>
  <f:view>
  <webuijsf:page
  id="page1">
  <webuijsf:html id="html1">
  <webuijsf:head id="head1">
  <webuijsf:link id="link1"
  url="/resources/stylesheet.css"/>
  </webuijsf:head>
  <webuijsf:body id="body1" style="-rave-layout: grid">
  <webuijsf:form id="form1">
  <webuijsf:staticText id="staticText1" style="position:
  absolute; left: 168px; top: 144px" text="A Secure Page"/>
  </webuijsf:form>
  </webuijsf:body>
  </webuijsf:html>
  </webuijsf:page>
  </f:view>
  </jsp:root>
  {code}
  h2. {color:#993300}*_Step 4: Configure Declarative Security_*{color}
  This type of security is called +declarative+ because it is not configured programatically. It is configured by declaring all of the relevant parameters in the configuration files: *web.xml* and *sun-web.xml*. Once you have it configured, the container (application server and java framework) already have the implementation to make everything work for you.
  *web.xml will be used to define:*
  - Type of security - We will be using "form based". The loginpage.jsp we created will be set as both the login and error page.
  - Security Roles - The security role defined here will be mapped (in sun-web.xml) to users or groups.
  - Security Constraints - A security constraint defines the resource(s) that is being secured, and which Roles are able to authenticate to them.
  *sun-web.xml will be used to define:*
  - This is where you map a Role to the Users or Groups that are allowed to use it.
  +I know this is confusing the first time, but basically it works like this:+
  *Security Constraint for a URL* -> mapped to -> *Role* -> mapped to -> *Users & Groups*
  h3. {color:#ff6600}*web.xml -- here's the relevant section:*{color}
  {code}
  <security-constraint>
  <display-name>SecurityConstraint</display-name>
  <web-resource-collection>
  <web-resource-name>SecurePages</web-resource-name>
  <description/>
  <url-pattern>/faces/secure/*</url-pattern>
  <http-method>GET</http-method>
  <http-method>POST</http-method>
  <http-method>HEAD</http-method>
  <http-method>PUT</http-method>
  <http-method>OPTIONS</http-method>
  <http-method>TRACE</http-method>
  <http-method>DELETE</http-method>
  </web-resource-collection>
  <auth-constraint>
  <description/>
  <role-name>User</role-name>
  </auth-constraint>
  </security-constraint>
  <login-config>
  <auth-method>FORM</auth-method>
  <realm-name/>
  <form-login-config>
  <form-login-page>/faces/login.jsp</form-login-page>
  <form-error-page>/faces/login.jsp</form-error-page>
  </form-login-config>
  </login-config>
  <security-role>
  <description/>
  <role-name>User</role-name>
  </security-role>
  {code}
  h3. {color:#ff6600}*sun-web.xml -- here's the relevant section:*{color}
  {code}
  <security-role-mapping>
  <role-name>User</role-name>
  <group-name>Users</group-name>
  </security-role-mapping>
  {code}
  h3. {color:#ff6600}*Almost done!!!*{color}
  h2. {color:#993300}*_Step 5: A couple of minor "Gotcha's"_ *{color}
  h3. {color:#ff6600}*_Gotcha #1_*{color}
  You need to configure the "welcome page" in web.xml to point to faces/secure/securepage.jsp ... Note that there is *_no_* leading / ... If you put a / in there it will barf all over itself .
  h3. {color:#ff6600}*_Gotcha #2_*{color}
  Note that we set the <form-login-page> in web.xml to /faces/login.jsp ... Note the leading / ... This time, you NEED the leading slash, or the server will gag.
  *DONE!!!*
  h2. {color:#993300}*_Here's how it works:_*{color}
  1. The user requests the a page from your context (http://localhost/MyLogin/)
  2. The servlet forwards the request to the welcome page: faces/secure/securepage.jsp
  3. faces/secure/securepage.jsp has a security constraint defined, so the servlet checks to see if the user is authenticated for the session.
  4. Of course the user is not authenticated since this is the first request, so the servlet forwards the request to the login page we configured in web.xml (/faces/login.jsp).
  5. The user enters username and password and clicks a button to submit.
  6. The button's action method stores away the username and password in the request scope.
  7. The button returns "loginproxy" navigation case which tells the navigation handler to forward the request to loginproxy.jspx
  8. loginproxy.jspx renders a blank page to the user which has hidden username and password fields.
  9. The hidden username and password fields grab the username and password variables from the request scope.
  10. The loginproxy page is automatically submitted with the magic action "j_security_check"
  11. j_security_check notifies the container that authentication needs to be intercepted and handled.
  12. The container authenticates the user credentials.
  13. If the credentials fail, the container forwards the request to the login.jsp page.
  14. If the credentials pass, the container forwards the request to *+the last protected resource that was attempted.+*
  +Note the last point! I don't know how, but no matter how many times you fail authentication, the container remembers the last page that triggered authentication and once you finally succeed the container forwards your request there!!!!+
  +The user is now at the secure welcome page.+
  If you have read this far, I thank you for your time, and I seriously question your ability to ration your time pragmatically.
  Kerry Randolph

  If you want login security on your web app, this is one way to do it. (the easiest way i have seen).
  This method allows you to create a custom login form and error page using JSF.
  The container handles the actual authentication and protection of the resources based on what you declare in web.xml and sun-web.xml.
  This example uses a statically defined user/password, stored in a file, but you can also configure JDBC realm in Glassfish, so that that users can register for access and your program can store the username/passwrod in a database.
  I'm new to programming, so none of this may be a good practice, or may not be secure at all.
  I really don't know what I'm doing, but I'm learning, and this has been the easiest way that I have found to add authentication to a web app, without having to write the login modules yourself.
  Another benefit, and I think this is key ***You don't have to include any extra code in the pages that you want to protect*** The container manages this for you, based on the constraints you declare in web.xml.
  So basically you set it up to protect certain folders, then when any user tries to access pages in that folder, they are required to authenticate.
  --Kerry                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                   

• How can I turn off the WLS 6.1 security in order to develop my own application-based security module?

  Dear Colleagues,
  I am currently developing a J2EE application using WLS 6.1.
  My team and I have to implement a security requirement to suit our company's needs.
  The security requirements are that, users' password need to be aged (30 days maximum) and we need to provided a GUI front-end (JSP) to allow users to change their password when these expire after 30 days.
  Our internal contacts in the company, have already taken the lead to find out about whether we will be able to use the WLS 6.1 platform to do this and the answer we got back, was.
  Now we need to develop our own security module.
  I have 2 questions:
  1. How can we turn off the WLS security in order develop our own application-based security module?
  2. How can we develop a security module that allows us to age users' password and provide them with facilities to change their passwords when these expire?
  At the moment, we are using the default BEA WebLogic login.jsp page and there some configuration in the web.xml for this. I will be grateful if you could advise me on how to turn this default security off so that we can write our own security module.

  hi,
  1.You can write your own realm in 61 which can plugged for your security
  calls.
  2. once you write your ownrealm.. you can access it through weblogic
  api/ur api..
  thanks
  kiran
  "Richard Koudry" <[email protected]> wrote in message
  news:3dd0d081$[email protected]..
  Dear Colleagues,
  I am currently developing a J2EE application using WLS 6.1.
  My team and I have to implement a security requirement to suit ourcompany's needs.
  >
  The security requirements are that, users' password need to be aged (30days maximum) and we need to provided a GUI front-end (JSP) to allow users
  to change their password when these expire after 30 days.
  >
  Our internal contacts in the company, have already taken the lead to findout about whether we will be able to use the WLS 6.1 platform to do this and
  the answer we got back, was.
  >
  Now we need to develop our own security module.
  I have 2 questions:
  1. How can we turn off the WLS security in order develop our ownapplication-based security module?
  >
  2. How can we develop a security module that allows us to age users'password and provide them with facilities to change their passwords when
  these expire?
  >
  At the moment, we are using the default BEA WebLogic login.jsp page andthere some configuration in the web.xml for this. I will be grateful if you
  could advise me on how to turn this default security off so that we can
  write our own security module.

• Error in Role Based security using weblogic 9

  Hi All,
  Currently I am working with Weblogic Server 9. I am trying to use role based security. Below is the entries for web.xml.
  <security-constraint>
       <web-resource-collection>
            <web-resource-name>Success</web-resource-name>
            <url-pattern>/form.jsp</url-pattern>
            <http-method>GET</http-method>
            <http-method>POST</http-method>
       </web-resource-collection>
       <auth-constraint>
            <role-name>admin</role-name>
       </auth-constraint>
       <user-data-constraint>
  <transport-guarantee>INTEGRAL</transport-guarantee>
  </user-data-constraint>
  </security-constraint>
  <login-config>
       <auth-method>BASIC</auth-method>
       <realm-name>myrealm</realm-name>
  </login-config>
  <security-role>
       <role-name>admin</role-name>
  </security-role>
  When I am calling form.jsp from the browser it is asking for the username and password, but after giving the username and password it is showing the followig error:
  Error 403--Forbidden
  From RFC 2068 Hypertext Transfer Protocol -- HTTP/1.1:
  10.4.4 403 Forbidden
  The server understood the request, but is refusing to fulfill it. Authorization will not help and the request SHOULD NOT be repeated. If the request method was not HEAD and the server wishes to make public why the request has not been fulfilled, it SHOULD describe the reason for the refusal in the entity. This status code is commonly used when the server does not wish to reveal exactly why the request has been refused, or when no other response is applicable.
  So can any one provide me the solution for the above problem.
  Thanks in advance.
  By,
  Sandip Pradhan

  Here is a blog post for the backend (WebLogic Admin GUI) http://disaak.blogspot.com/2009/11/migrating-to-weblogic-configure-role.html and a blog post for the web.xml in your project http://disaak.blogspot.com/2009/11/migrating-to-weblogic-configure-ear.html.

• Form based security in WebLogic 7.0 - back button quirk

  I have an application comprised of several JSPs that are protected via Form based
  security and enforce an SSL connection via the appropriate declarations in the
  web.xml. This aspect of the application seems to be working with the exception
  of one small quirk.
  If a user presses that back button until such time as the receive the container
  provided login page once again, and subsequently provide a valid user id and password,
  they are NOT successfully logged in. Rather, they receive the ugly 403 Forbidden
  error that states that the server understood the request, but is refusing to fufill
  it. This only seems to happen given the above course of events involving the
  use of a back button in the browser (or selection of an item from the history
  list). I suspect that this has something to do with the session id being cached
  or something, but I'm not sure? Can anyone offer any assistance on this one?
  Also, does anyone know of a way of preventing the user from bookmarking this container
  provided login page as this also seems to be causing problems for users. If they
  bookmark the first protected page of the application all is fine, but if they
  bookmark the login page they receive the 403 error.
  Thanks in advance!

  The cure for the symtops described below was to simply add a welcome-file-list
  element with appropriate welcome pages to the web.xml descriptor. It makes sense
  now that I have worked it out.
  Todd
  "Todd Gould" <[email protected]> wrote:
  >
  I have an application comprised of several JSPs that are protected via
  Form based
  security and enforce an SSL connection via the appropriate declarations
  in the
  web.xml. This aspect of the application seems to be working with the
  exception
  of one small quirk.
  If a user presses that back button until such time as the receive the
  container
  provided login page once again, and subsequently provide a valid user
  id and password,
  they are NOT successfully logged in. Rather, they receive the ugly 403
  Forbidden
  error that states that the server understood the request, but is refusing
  to fufill
  it. This only seems to happen given the above course of events involving
  the
  use of a back button in the browser (or selection of an item from the
  history
  list). I suspect that this has something to do with the session id being
  cached
  or something, but I'm not sure? Can anyone offer any assistance on this
  one?
  Also, does anyone know of a way of preventing the user from bookmarking
  this container
  provided login page as this also seems to be causing problems for users.
  If they
  bookmark the first protected page of the application all is fine, but
  if they
  bookmark the login page they receive the 403 error.
  Thanks in advance!