Logout Functionality in Form Based Authentication Not Working Properly

Hi All,
I am using Form Based Authentication in ADF. I followed these steps:
1. Log in on the page.
2. On the successful login page, copy the URL.
3. Click on "Logout".
4. Paste the URL in the login page and press Enter.
5. The system takes me back to that page, where I can perform all the actions.
But the login operation should not happen just by entering the URL. Please provide any help on how to stop redirecting to my authenticated page just by typing the URL. This is a big security constraint. Any assistance with this is highly appreciated.
Thanks & Regards
Lovenish Garg

Hi BaiG,
For Login I am using the form based authentication and for logout here is my code:-
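import java.io.IOException;
import javax.faces.context.ExternalContext;
import javax.faces.context.FacesContext;
import javax.servlet.http.HttpServletResponse;
import javax.servlet.http.HttpSession;

public void logout() {
    ExternalContext ectx =
        FacesContext.getCurrentInstance().getExternalContext();
    HttpServletResponse response = (HttpServletResponse) ectx.getResponse();
    HttpSession session = (HttpSession) ectx.getSession(false);
    // getSession(false) returns null when there is no session to end
    if (session != null) {
        session.invalidate();
    }
    // These headers apply to this logout response only
    response.setHeader("Cache-Control", "no-cache");
    response.setHeader("expires", "0");
    response.setHeader("Pragma", "no-cache");
    try {
        response.sendRedirect("AdminLogin.html");
    } catch (IOException e) {
        logger.severe(e.getMessage());
    }
    // Inform JSF to not take the response in hands
    FacesContext.getCurrentInstance().responseComplete();
    logger.info("session invalidated");
}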
Thanks,
Lovenish Garg
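
Added example, not part of the original posts: the headers in the `logout()` method above are set on the logout response only, so they do not change how the browser treats protected pages it received earlier. The filter below sets `no-store` on every protected response, re-checks the authenticated user on each request, and ends the container login on logout; the class name, the filter mapping, the `JSESSIONID` cookie name, a login page at the context root and a Servlet 3.0+ container are assumptions.

```java
import java.io.IOException;
import javax.servlet.Filter;
import javax.servlet.FilterChain;
import javax.servlet.FilterConfig;
import javax.servlet.ServletException;
import javax.servlet.ServletRequest;
import javax.servlet.ServletResponse;
import javax.servlet.http.Cookie;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;
import javax.servlet.http.HttpSession;

// Added example. Assumptions: Servlet 3.0+ container, default JSESSIONID cookie,
// filter mapped in web.xml to the protected pages only (the login page must be
// outside the mapping, otherwise the redirect below loops).
public class ProtectedPageFilter implements Filter {

    // Login page named in the post, assumed to sit at the context root
    private static final String LOGIN_PAGE = "/AdminLogin.html";

    @Override
    public void init(FilterConfig config) { }

    @Override
    public void destroy() { }

    @Override
    public void doFilter(ServletRequest req, ServletResponse res, FilterChain chain)
            throws IOException, ServletException {
        HttpServletRequest request = (HttpServletRequest) req;
        HttpServletResponse response = (HttpServletResponse) res;

        // Set on every protected response, before any content is written, so the
        // browser keeps no stored copy to show after logout.
        noStore(response);

        // Server-side decision: a live session and an authenticated principal.
        HttpSession session = request.getSession(false);
        if (session == null || request.getUserPrincipal() == null) {
            response.sendRedirect(request.getContextPath() + LOGIN_PAGE);
            return;
        }
        chain.doFilter(req, res);
    }

    static void noStore(HttpServletResponse response) {
        response.setHeader("Cache-Control", "no-cache, no-store, must-revalidate");
        response.setHeader("Pragma", "no-cache");   // HTTP/1.0 clients
        response.setDateHeader("Expires", 0);       // already expired
    }

    // Call from the logout action instead of only invalidating the session.
    public static void logout(HttpServletRequest request, HttpServletResponse response)
            throws IOException, ServletException {
        // Drop the container's authenticated identity for this request
        request.logout();

        // Discard the server-side session state
        HttpSession session = request.getSession(false);
        if (session != null) {
            session.invalidate();
        }

        // Expire the session cookie in the browser as well
        Cookie expired = new Cookie("JSESSIONID", "");
        expired.setMaxAge(0);
        String path = request.getContextPath();
        expired.setPath(path.isEmpty() ? "/" : path);
        response.addCookie(expired);

        noStore(response);
        response.sendRedirect(request.getContextPath() + LOGIN_PAGE);
    }
}
```

From a JSF action, pass the request and response obtained from `ExternalContext` and call `responseComplete()` afterwards, as the posted method does.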

Similar Messages

  • Form Based Authentication not working for my sharepoint site.

    I am using FIM 2010 r2 on Sharepoint -80. I tried to use forms based authentication instead of default windows based auth. But the site is not even redirecting to the custom login page I am trying to connect.
    Any suggestions ?

    Issue has been resolved. There was no interesting workaround or fix involved.

  • J_security_check in form-based authentication - not checking for blank passwords

    I am using the LDAP Security Realm to authenticate against an iPlanet
    Directory Server. All works as expected when a user-id and password
    are entered for form-based authentication.
    However, when a userid is entered but no password, j_security_check
    logs the user in successfully. Apparently, this is correct LDAP
    behaviour as anonymous login to the LDAP server is permitted. It seems
    that the j_security_check servlet should check for blank passwords
    before trying to authenticate against the LDAP server and fail
    authentication if this is the case.
    Has anyone else experienced this problem?

    Hi Brian,
    I do not believe it is j_security_check's job to check for blank
    passwords.
    In many security realms, it is "legal" for a user to have a blank
    password. j_security_check forwards whatever password was entered so that
    even users with blank passwords can be authenticated by the realm on the
    backend. For this reason I believe that j_security_check is "doing the
    right thing" by just forwarding whatever is presented to it, rather than
    having its own logic. It is best if j_security_check just acts as a very
    dumb middle man.
    If behavior was altered, it is true that your particular problem would be
    solved, but then many other people would have a problem with their users
    with blank passwords authenticating properly...
    Try looking into how to disable anonymous logins on the LDAP end of
    things. Hope this helps.
    Cheers,
    Joe Jerry
    brian wrote:
    I am using the LDAP Security Realm to authenticate against an iPlanet
    Directory Server. All works as expected when a user-id and password
    are entered for form-based authentication.
    However, when a userid is entered but no password, j_security_check
    logs the user in successfully. Apparently, this is correct LDAP
    behaviour as anonymous login to the LDAP server is permitted. It seems
    that the j_security_check servlet should check for blank passwords
    before trying to authenticate against the LDAP server and fail
    authentication if this is the case.
    Has anyone else experienced this problem?
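
Added example, not from the thread or from WebLogic: an LDAP simple bind that carries a user name with a zero-length password is an unauthenticated bind (RFC 4513, section 5.1.2), which a directory that permits anonymous access accepts, as described above. An application that binds to the directory itself can refuse such input before any bind is attempted; the class name, directory URL and DNs below are hypothetical.

```java
import java.util.Hashtable;
import javax.naming.AuthenticationException;
import javax.naming.Context;
import javax.naming.NamingException;
import javax.naming.directory.DirContext;
import javax.naming.directory.InitialDirContext;

// Added example: refuse empty credentials before an LDAP simple bind.
public final class LdapBindCheck {

    private final String providerUrl; // e.g. "ldap://directory.example.test:389" (hypothetical)

    public LdapBindCheck(String providerUrl) {
        this.providerUrl = providerUrl;
    }

    // True only when both a bind DN and a non-empty password are present.
    // A name with a zero-length password must never be sent to the server.
    static boolean hasCredentials(String userDn, String password) {
        return userDn != null && !userDn.trim().isEmpty()
                && password != null && !password.isEmpty();
    }

    // Returns true only if the directory accepted a real simple bind.
    public boolean authenticate(String userDn, String password) throws NamingException {
        if (!hasCredentials(userDn, password)) {
            return false; // fail closed, no bind attempted
        }
        Hashtable<String, String> env = new Hashtable<>();
        env.put(Context.INITIAL_CONTEXT_FACTORY, "com.sun.jndi.ldap.LdapCtxFactory");
        env.put(Context.PROVIDER_URL, providerUrl);
        env.put(Context.SECURITY_AUTHENTICATION, "simple");
        env.put(Context.SECURITY_PRINCIPAL, userDn);
        env.put(Context.SECURITY_CREDENTIALS, password);

        DirContext ctx = null;
        try {
            ctx = new InitialDirContext(env); // performs the bind
            return true;
        } catch (AuthenticationException e) {
            return false;                     // wrong DN or password
        } finally {
            if (ctx != null) {
                ctx.close();
            }
        }
    }

    public static void main(String[] args) {
        // Constructed inputs; only the local guard runs, no server is contacted.
        String dn = "uid=brian,ou=people,dc=example,dc=test";
        System.out.println(hasCredentials(dn, ""));       // false: blank password
        System.out.println(hasCredentials(dn, null));     // false: no password
        System.out.println(hasCredentials("", "secret")); // false: no bind DN
        System.out.println(hasCredentials(dn, "secret")); // true: bind may proceed
    }
}
```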

  • Is it still the case that the Muse CC Forms widget will not work properly unless you have Business Catalyst?

    I am looking into options for our next office website redesign.  We will definitely need a forms function.  I downloaded the Muse CC free trial and went through all of the tutorials.  The video on the forms (Contact Form) stated that the forms widget would not work or would not work properly if you do not have Business Catalyst.  I'm hoping that has changed since the video was created.
    Is it still true that you need to purchase the Business Catalyst product for Muse CC form widgets to work correctly?

    Piruki have you tried utilizing the Previous version option within the Creative Cloud Desktop application?  You can find additional details under the install Previous version section of CC desktop lists applications as "Up to Date" when not installed - http://helpx.adobe.com/creative-cloud/kb/aam-lists-removed-apps-date.html.

  • Filter Function in Column Formula is not working properly

    Hi,
    I am using Filter Function in Column formula tab in Answers to calculate the Total sum from the start of the Fiscal month to the Month selected from the Prompt.
    My requirement is I have total sales column. Now I need to calculate TYYTD kind of thing for which I can't use the Time series due to my report constraint.
    Instead of that I am using this Filter function on TYYTD column where I am giving the filter as start of the Fiscal month to the month selected from the Prompt.
    For example if I select May month from the Prompt then this TYYTD column should give me SUM(Total Sales) between Feb and May for which I am using the Filter Function. But it is giving me only May sales which is same as Total Sales column.
    Can anyone throw some light on this as this is very important for us or any alternate solution other than Time series measures.
    Did anyone get this kind of issue with Filter Function?
    Regards,
    Azad


  • I updated to Lion and now the Search function in Apple Mail is not working properly

    Even though the "All" option is selected, when I type a string in the Mail spotlight search box, the string is not found.  But I know for a fact the string is in an email and I've manually found the email (in a folder) and copied and pasted it into the search box.  Mail is still not able to find it.
    I have also checked to make sure that "Message contains" is the option in the search box.  I've noticed that in some previous searches there has been a little arrow dropdown option next to the magnifying glass icon.  But that arrow is not showing up consistently...and is not showing up now.
    What am I doing wrong?

    Ok...here's the steps to fix this as efficiently as possible.  I have a whole bunch of mailboxes under "On My Mac" and they have a bunch of mailboxes nested in them.  I get my messages into Apple Mail via IMAP.  (I don't know if this matters.)  The steps below assume you have a similar setup.
    1.  Hold the Option key down and click the dropdown arrow next to each mailbox that has one.  This will cause all nested mailboxes below it to appear.
    2.  Go to the top of the list of mailboxes under "On My Mac" and highlight the first mailbox.  Then hold the Shift key down and highlight the last mailbox in the list.  This will cause all of the mailboxes and nested mailboxes to be highlighted.
    3.  From the menu, select "Mailbox --> Rebuild" and the rebuild process will start.
    4.  Watch the top of the mail screen to see the message count change as the mailboxes are being rebuilt.  Wait until the activity stops before doing the next step.
    5.  As the mailboxes were rebuilt, many messages were reset as "Unread" even though every message was previously "Read."  Make sure the mailboxes you want to affect are still highlighted.  Right-click and select "Mark All Messages Read."
    That fixed the problem for me.

  • J2EE and user authentication not working

    Hi,
    has anyone gotten the basic/form based authentication to
    work in the latest version of the 9iAS?
    Oracle9iAS (9.0.2.0.0)
    I've read all the posts and articles from orionsupport.com
    BUT it still does not work.
    Support Folks from Oracle: Where is the latest documentation
    for the Server ???? Everything seems outdated??
    cheers,
    Vijay

    Hi,
    You can change User and password through SU01 through UME, and also read SNote: Note 891614 - Login problems / Expired password
    Regards
    Thomas

  • Form based authentication very slow

    Hi,
    We are facing problem in form based login authentication. Any application having a form based authentication is taking too much time.
    We are running SAP J2EE Server 6.40 with SP16.
    The database and the J2EE server are in a single machine.
    The basic authentication does not show up any problem.
    The form based takes up too much amount of time but does go through.
    What can be the problem?
    Regards,
    Ameya

    Hi Ameya,
    If form based authentication is working fine for you then please send me the complete step by step procedure or any document if you have any, as I configured everything required for form based authentication and when I provide any of the .jsp pages in the URL I am not getting the login page. Please help me as soon as possible.

  • SocketException when logging in (form-based Authentication

    Hi,
    I'm getting a strange error when logging into a web-application, which uses form-based
    authentication:
    <08.04.2003 19:27:31 CEST> <Error> <HTTP> <Connection failure
    java.net.SocketException: ReadFile failed: Der angegebene Netzwerkname ist nicht
    mehr verfügbar.
    (error 64, fd 2532)
    at weblogic.socket.NTSocketMuxer.initiateIO(Native Method)
    at weblogic.socket.NTSocketMuxer.read(NTSocketMuxer.java:407)
    at weblogic.servlet.internal.MuxableSocketHTTP.requeue(MuxableSocketHTTP.java:231)
    at weblogic.servlet.internal.ServletResponseImpl.send(ServletResponseImpl.java:977)
    at weblogic.servlet.internal.ServletRequestImpl.execute(ServletRequestImpl.java:1964)
    at weblogic.kernel.ExecuteThread.execute(ExecuteThread.java:137)
    at weblogic.kernel.ExecuteThread.run(ExecuteThread.java:120)
    We're running wls 6.1&oracle9i on win xp with a variation of the RDBMSRealms -
    database and realm setup seems to be ok, as there is another web-app running on
    the same server, also with form-based authentication, which works fine and validates
    the user correctly.
    I've seen lots of posts concerning this SocketException - alas I never found a
    hint on what causes the problem. Anyone having any ideas!? Any help highly appreciated,
    as I'm quite desperate right now %(
    greetings
    stf

    Hi John,
    Yep, it's WebLogic-specific.
    Check out
    http://e-docs.bea.com/wls/docs61///javadocs/weblogic/servlet/security/ServletAuthentication.html
    for more information
    Cheers,
    Joe Jerry
    John Chen wrote:
    Hi, Joe,
    Is that weblogic specific API ? Could you tell a bit more detail on how to use
    that ?
    Thanks
    John
    Jerry <[email protected]> wrote:
    ServletAuthentication.weak() should do what you want
    Cheers,
    Joe Jerry
    John Chen wrote:
    Hi, friends,
    Does anybody know how to get authenticated programmatically when accessing some servlet
    in FORM-based authentication ?
    I have some Java programs running on a server other than weblogic application
    server. And I want to use HTTP request programmatically to talk to a servlet on
    WebLogic 6.0. For basic authentication, I can add authorization info into the
    request, how can I do that for form-based authentication ?
    Thanks
    John

  • Faces context not found (Form based authentication)

    <security-constraint>
    <display-name>Example Security Constraint</display-name>
    <web-resource-collection>
    <web-resource-name>Protected Area</web-resource-name>
    <url-pattern>/jsp/WorkingZone.jsp</url-pattern>
    <http-method>GET</http-method>
    <http-method>POST</http-method>
    </web-resource-collection>
    <auth-constraint>
    <role-name>manager</role-name>
    </auth-constraint>
    </security-constraint>
    <login-config>
    <auth-method>FORM</auth-method>
    <realm-name>Example Form-Based Authentication Area</realm-name>
    <form-login-config>
    <form-login-page>/Login/login.jsp</form-login-page>
    <form-error-page>/Login/error.jsp</form-error-page>
    </form-login-config>
    </login-config>
    When I tried to login with a valid user the URL shows
    http://localhost:8080/FormAuth/jsp/WorkingZone.jsp
    How to append faces context automatically?
    I am not finding for this faces context.
    Please suggest me a solution soon.
    Thanks
    Raghavendra Pattar

    The FacesContext is created by FacesServlet which is
    defined in the web.xml with an url-pattern.
    If you just follow the url-pattern of this
    FacesServlet, usually /faces/ or *.faces, or *.jsf,
    then the FacesContext will be created.

    Hi balu,
    this is the web.xml that I am using
    <?xml version="1.0" encoding="UTF-8"?>
    <web-app xmlns="http://java.sun.com/xml/ns/j2ee" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" version="2.4" xsi:schemaLocation="http://java.sun.com/xml/ns/j2ee http://java.sun.com/xml/ns/j2ee/web-app_2_4.xsd">
    <context-param>
        <param-name>javax.faces.STATE_SAVING_METHOD</param-name>
        <param-value>server</param-value>
      </context-param>
    <context-param>
        <param-name>javax.faces.CONFIG_FILES</param-name>
        <param-value>/WEB-INF/navigation.xml,/WEB-INF/managed-beans.xml</param-value>
      </context-param>
    <context-param>
        <param-name>com.sun.faces.validateXml</param-name>
        <param-value>true</param-value>
      </context-param>
    <context-param>
        <param-name>com.sun.faces.verifyObjects</param-name>
        <param-value>false</param-value>
      </context-param>
    <filter>
        <filter-name>UploadFilter</filter-name>
        <filter-class>com.sun.rave.web.ui.util.UploadFilter</filter-class>
        <init-param>
          <description>
              The maximum allowed upload size in bytes.  If this is set
              to a negative value, there is no maximum.  The default
              value is 1000000.
            </description>
          <param-name>maxSize</param-name>
          <param-value>1000000</param-value>
        </init-param>
        <init-param>
          <description>
              The size (in bytes) of an uploaded file which, if it is
              exceeded, will cause the file to be written directly to
              disk instead of stored in memory.  Files smaller than or
              equal to this size will be stored in memory.  The default
              value is 4096.
            </description>
          <param-name>sizeThreshold</param-name>
          <param-value>4096</param-value>
        </init-param>
      </filter>
    <filter-mapping>
        <filter-name>UploadFilter</filter-name>
        <servlet-name>Faces Servlet</servlet-name>
      </filter-mapping>
    <servlet>
        <servlet-name>Faces Servlet</servlet-name>
        <servlet-class>javax.faces.webapp.FacesServlet</servlet-class>
        <load-on-startup>1</load-on-startup>
      </servlet>
    <servlet>
        <servlet-name>ThemeServlet</servlet-name>
        <servlet-class>com.sun.rave.web.ui.theme.ThemeServlet</servlet-class>
      </servlet>
    <servlet-mapping>
        <servlet-name>Faces Servlet</servlet-name>
        <url-pattern>/faces/*</url-pattern>
      </servlet-mapping>
    <servlet-mapping>
        <servlet-name>ThemeServlet</servlet-name>
        <url-pattern>/theme/*</url-pattern>
      </servlet-mapping>
    <welcome-file-list>
        <welcome-file></welcome-file>
         </welcome-file-list>
    <jsp-config>
        <jsp-property-group>
          <url-pattern>*.jspf</url-pattern>
          <is-xml>true</is-xml>
        </jsp-property-group>
      </jsp-config>
    <security-constraint>
        <display-name>Example Security Constraint</display-name>
        <web-resource-collection>
          <web-resource-name>Protected Area</web-resource-name>
          <url-pattern>/secure/*</url-pattern>
            <http-method>GET</http-method>
          <http-method>POST</http-method>
        </web-resource-collection>
        <auth-constraint>
          <role-name>manager</role-name>
        </auth-constraint>
      </security-constraint>
      <!-- Default a login configuration that uses form-based authentication -->
      <login-config>
        <auth-method>FORM</auth-method>
        <realm-name>Example Form-Based Authentication Area</realm-name>
        <form-login-config>
          <form-login-page>/Login/login.jsp</form-login-page>
          <form-error-page>/Login/error.jsp</form-error-page>
        </form-login-config>
      </login-config>
      <!-- Define a logical role for this application, needs to be mapped to an actual role at deployment time -->
      <security-role>
        <role-name>manager</role-name>
      </security-role>
    </web-app>
    1) My requirement is Login page should be the first page
    If enter the valid user and password
    then I will get directory structure
    when I click the secured JSF page inside secure
    I got this URL
    http://localhost/secure/WorkingZone.jsp
    obviously /faces is missing
    and I am getting faces context not found.
    If you need further clarification I will send you..
    Please reply me...

  • ADFS 3.0 Windows Authentication not working

    I recently upgraded from ADFS 2.1 and TMG 2010 as the reverse proxy to ADFS 3.0 and Web Application Proxy as the reverse proxy.  I have upgraded to ADFS 3.0 successfully and it is working without anything changing to the end users.  This is still
    using TMG 2010 as the reverse proxy. 
    When I make the changes to use WAP as the reverse proxy, I get prompted with a forms based authentication page instead of the usual windows authentication screen.  This poses a problem since this creates an extra step for people when logging on to our
    sites that use SSO since there's no "save password" box.  I can move the traffic back to TMG and it's back to working like it should but we are looking to remove TMG very soon.
    When I am on the "inside" network connecting to ADFS without the reverse proxy, it works just fine.  However, ALL of our users are "outside" of the network will be using the reverse proxy.  None of the computers are domain joined.
    The issue seems to only be when using Web Application Proxy server to service ADFS SSO requests.....TMG servicing these requests does not have this issue.
    What's the difference?  How can I get this functionality back with WAP?

    Hi Eric,
    Based on my research, when publishing applications that use Integrated Windows authentication, the Web Application Proxy server uses Kerberos constrained delegation to authenticate users
    to the published application.
    To use Integrated Windows authentication, the Web Application Proxy server must be joined to an AD DS domain.
    More information for you:
    Web Application Proxy: Some applications are configured to perform backend authentication using Integrated Windows authentication but the server is not joined to a domain
    http://technet.microsoft.com/en-us/library/dn464299.aspx
    Best Regards,
    Amy

  • Form-based authentication problem with weblogic

    Hi Everyone,
    The following problem related to form-based authentication
    was posted one week ago and no response. Can someone give it
    a shot? One more thing is added here. When I try it on J2EE
    server and do the same thing, I didn't encounter this error
    message, and I am redirected to the homepage.
    Thanks.
    -John
    I am using weblogic5.1 and RDBMSRealm as the security realm. I am having the following problem with the form-based authentication login mechanism. Does anyone have an idea what the problem is and how to solve it?
    When I login my application and logout as normal procedure, it is OK. But if I login and use the browser's BACK button to back the login page and try to login as a new user, I got the following error message,
    "Form based authentication failed. Could not find session."
    When I check the LOG file, it gives me the following message,
    "Form based authentication failed. One of the following reasons could cause it: HTTP sessions are disabled. An old session ID was stored in the browser."
    Normally, if you login and want to relogin without logout first, it supposes to direct you to the existing user session. But I don't understand why it gave me this error. I also checked my property file, it appears that the HTTP sessions are enabled as follows,
    weblogic.httpd.session.enable=true

    Hi...
    Hehe... I actually did implement the way you implement it. My login.jsp actually checks if the user is authenticated. If yes, then it will forward it to the home page. On the other hand, I used ServletAuthentication to solve the problem mentioned by Cameron where Form Authentication Failed usually occurs for the first login attempt. I'm also getting this error occasionally. Using ServletAuthentication totally eliminates the occurrence of this problem.
    I'm not using j_security_check anymore. ServletAuthentication does all the works. It also uses RDBMSRealm to authenticate the user. I think the biggest disadvantage I can see when using ServletAuthentication is that the requested resource will not be returned after authentication cause the page returned after authenticating the user is actually hard coded (for my case, it's the home.jsp)
    cheers...
    Jerson
    "John Wang" <[email protected]> wrote:
    >
    Hi Jerson,
    I tried your code this weekend, it didn't work in my case. But
    I solved my specific problem other way. The idea behind my problem is that the user tries to relogin when he already logs in. Therefore, I just redirect the user into another page when he is getting the login page by hitting the BACK button, rather than reauthenticate the user as the way you did.
    But, I think your idea is very helpful if it could work. Problems such as multiple concurrent logins can be solved by pre-processing.
    In your new code, you solved the problem with a new approach. I am just wondering, do you still implement it with your login.jsp file? In other words, your action in login.jsp is still "Authenticate"? Where do you put the URL "j_security_check"?
    Thanks.
    -John
    "Jerson Chua" <[email protected]> wrote:
    I've solved the problem by using ServletAuthentication. So far I'm not getting the error message. One of the side effects is that it doesn't return the requested URI after authentication, it will always return the home page.
    Jerson
    package com.cyberj.catalyst.web;

    import weblogic.servlet.security.*;
    import javax.servlet.*;
    import javax.servlet.http.*;
    import java.io.*;

    public class Authenticate extends HttpServlet {
        private ServletAuthentication sa = new ServletAuthentication("j_username", "j_password");

        public void doPost(HttpServletRequest request, HttpServletResponse response)
                throws ServletException, java.io.IOException {
            // Let ServletAuthentication check the submitted credentials
            int authenticated = sa.weak(request, response);
            if (authenticated == ServletAuthentication.NEEDS_CREDENTIALS ||
                    authenticated == ServletAuthentication.FAILED_AUTHENTICATION) {
                response.sendRedirect("fail_login.jsp");
            } else {
                response.sendRedirect("Home.jsp");
            }
        }

        public void doGet(HttpServletRequest request, HttpServletResponse response)
                throws ServletException, java.io.IOException {
            doPost(request, response);
        }
    }
    "Jerson Chua" <[email protected]> wrote:
    The problem is still there even if I use page redirection. Grrr... My boss wants me to solve this problem so what are the alternatives I can do? Are there any other ways of authenticating the user? In my web tier... I'm using isUserInRole, getRemoteUser and the web tier actually connects to EJBs. If I implement my custom authentication, I wouldn't be able to use these functionalities.
    Has anyone solved this problem? I've tried the example itself and the same problem occurs.
    Jerson
    "Cameron Purdy" <[email protected]> wrote:
    Jerson,
    First try it redirected (raw) to see if that indeed is the problem ... then
    if it works you can "fix" it the way you want.
    Peace,
    Cameron Purdy
    Tangosol, Inc.
    http://www.tangosol.com
    +1.617.623.5782
    WebLogic Consulting Available
    "Jerson Chua" <[email protected]> wrote in message
    news:[email protected]...
    Hi...
    Thanks for your suggestion... I've actually thought of that solution. But using page redirection will expose the user's password. I'm thinking of another indirection where I will redirect it to another servlet but the password is encrypted.
    What do you think?
    thanks....
    Jerson
    "Cameron Purdy" <[email protected]> wrote:
    Maybe redirect to the current URL after killing the session to let the request clean itself up. I don't think that a lot of the request (such as remote user) will be affected by killing the session until the next request comes in.
    Peace,
    Cameron Purdy
    Tangosol, Inc.
    http://www.tangosol.com
    +1.617.623.5782
    WebLogic Consulting Available
    "Jerson Chua" <[email protected]> wrote in message
    news:[email protected]...
    Hello guys...
    I've a solution but it doesn't work yet so I need your help. Because one of the reasons for getting form base authentication failed is if an authenticated user tries to login again. For example, the one mentioned by John using the back button to go to the login page and when the user logs in again, this error occurs.
    So here's my solution
    Instead of submitting the page to j_security_check, submit it to a servlet which will check if the user is logged in or not. If yes, invalidates its session and forward it to j_security_check. But there's a problem in this solution, even though the session.invalidate() (which actually logs the user out) is executed before forwarded to j_security_check, the user doesn't immediately logged out. How did I know this, because after calling session.invalidate, I tried calling request.RemoteUser() and it doesn't return null. So I'm still getting the error. What I want to ask you guys is how do I force logout before the j_security_check is called.
    Here's the code I did which the login.jsp actually submits to

    import javax.servlet.*;
    import javax.servlet.http.*;
    import java.io.*;

    public class Authenticate extends HttpServlet {
        public void doPost(HttpServletRequest request, HttpServletResponse response)
                throws ServletException, java.io.IOException {
            if (request.getRemoteUser() != null) {
                HttpSession session = request.getSession(false);
                System.out.println(session.isNew());
                session.invalidate();
                // Changing request cookies has no effect on the browser
                // unless they are also added to the response
                Cookie[] cookies = request.getCookies();
                for (int i = 0; i < cookies.length; i++) {
                    cookies[i].setMaxAge(0);
                }
            }
            getServletContext().getRequestDispatcher("/j_security_check").forward(request, response);
        }

        public void doGet(HttpServletRequest request, HttpServletResponse response)
                throws ServletException, java.io.IOException {
            doPost(request, response);
        }
    }
    let's help each other to solve this problem. thanks.
    Jerson
    "Jerson Chua" <[email protected]> wrote:
    I thought that this problem will be solved on sp6 but to my disappointment, the problem is still there. I'm also using RDBMSRealm, same as John.
    Jerson
    "Cameron Purdy" <[email protected]> wrote:
    John,
    1. You are using a single WL instance (i.e. not clustered) on that NT box and doing so without a proxy (e.g. specifying http://localhost:7001), correct?
    2. BEA will pay more attention to the problem if you upgrade to SP6. If you don't have a reason NOT to (e.g. a particular regression), then you should upgrade. That will save you one go-around with support: "Hi, I am on SP5 and I have a problem.", "Upgrade to SP6 to see if that fixes it. Call back if that doesn't work."
    3. Make sure that you are not doing anything special before or after J_SECURITY_CHECK ... make sure that you have everything configured and done by the book.
    4. Email BEA a bug report at [email protected] ... see what they say.
    Peace,
    Cameron Purdy
    Tangosol, Inc.
    http://www.tangosol.com
    +1.617.623.5782
    WebLogic Consulting Available
    "John Wang" <[email protected]> wrote in message
    news:[email protected]...
    Cameron,
    It seems to me that the problem I encountered is different a little from what you have, even though the error message is the same eventually. Everytime I go through, I always get that error.
    I am using weblogic5.1 and sp5 on NT4.0. Do you have any solutions to work around this problem? If it was a BUG as you pointed out, is there a way we can report it to the Weblogic technical support and let them take a look?
    Thanks.
    -John
    "Cameron Purdy" <[email protected]> wrote:
    John,
    I will verify that I have seen this error now (after having read about it here for a few months) and it had the following characteristics:
    1) It was intermittent, and appeared to be self-curing
    2) It was not predictable, only seemed to occur at the first login attempt, and may have been timing related
    3) This was on Sun Solaris on a cluster of 2 Sparc 2xx's; the proxy was Apache (Stronghold)
    4) After researching the newsgroups, it appears that this "bug" may have gone away temporarily (?) in SP5 (although Jerson Chua <[email protected]> mentioned that he still got it in SP5)
    I was able to reproduce it most often by deleting the tmpwar and tmp_deployments directories while the cluster was not running, then restarting the cluster. The first login attempt would fail (roughly 90% of the time?) and that server instance would then be ignored by the proxy for a while (60 seconds?) -- meaning that the proxy would send all traffic, regardless of the number of "clients", to the other server in the cluster.
    As far as I can tell, it is a bug in WebLogic, and probably has been there for quite a while.
    Peace,
    Cameron Purdy
    Tangosol, Inc.
    http://www.tangosol.com
    +1.617.623.5782
    WebLogic Consulting Available
    "John Wang" <[email protected]> wrote in message
    news:[email protected]...
    Hi Everyone,
    The following problem related to form-based authentication was posted one week ago and got no response. Can someone give it a shot? One more thing is added here. When I try it on J2EE server and do the same thing, I didn't encounter this error message, and I am redirected to the homepage.
    Thanks.
    -John
    I am using weblogic5.1 and RDBMSRealm as the security realm. I am having the following problem with the form-based authentication login mechanism. Does anyone have an idea what the problem is and how to solve it?
    When I login my application and logout as normal procedure, it is OK. But if I login and use the browser's BACK button to go back to the login page and try to login as a new user, I got the following error message,
    "Form based authentication failed. Could not find session."
    When I check the LOG file, it gives me the following message,
    "Form based authentication failed. One of the following reasons could cause it: HTTP sessions are disabled. An old session ID was stored in the browser."
    Normally, if you login and want to relogin without logout first, it is supposed to direct you to the existing user session. But I don't understand why it gave me this error. I also checked my property file, it appears that the HTTP sessions are enabled as follows,
    weblogic.httpd.session.enable=true

  • Forcing specific clients or groups to use forms based authentication (FBA) instead of windows based authentication (WIA) with ADFS

    Hi,
    We are having a quite specific issue. The problem is most likely by design in ADFS 3.0 (running on Windows Server 2012 R2) and we are trying to find a "work-around".
    Most users in the organization are using their own personal computer and everything is fine and working as expected, single sign-on (WIA) internally to Office 365 and forms based (FBA) externally (using Citrix NetScaler as reverse proxy and load balancing with the correct rewrites to add client-ip, proxy header and URL-transformation).
    The problem occurs for a few (50-100) users where they are sharing the same computer, automatically logged on to the computer using a generic AD-user (same for all of them). This AD-user they are logged on with does not have any access to Office365 and if they try to access SharePoint Online they receive an error that they can't login (from SharePoint Online, not ADFS).
    We can't change this, they need to have this generic account logged on to these computers. The issue occurs when a user that has access to SharePoint Online tries to access it when logged on with a generic account.
    They are not able to "switch" from the generic account in ADFS / SharePoint Online to their personal account.
    The only way I've found that may work is removing IE as a WIA-capable agent and deploying a User-Agent version string specific to most users but not the generic account.
    My question to you: Is there another way? Maybe when ADFS sees the generic user, it forces forms based authentication or something like that?
    Best regards,
    Simon

    I'd go with your original workaround using the user-agent and publishing a GPO for your normal users that elects to use a user-agent string associated with Integrated Windows Auth.. for the generic accounts, I'd look at using a loopback policy that overwrites that user agent setting, so that forms logon is preferred for that subset of users. I don't think the Netscaler here is useful in this capacity as it's a front-end proxy and you need to evaluate the AuthZ rules on the AD FS server after the request has been proxied. The error pages in Windows Server 2012 R2 are canned as the previous poster mentioned and difficult to customize (Javascript only)...
    http://blog.auth360.net

  • Issue with form based Authentication in three tier sharepoint 2013 environment.

    Hi,
    We are facing an issue with form based Authentication in a three tier environment.
    We are able to add users to the database and in SharePoint.
    But we are not able to login with created users.
    In single tier everything is working fine.
    Please help, it's urgent... Thanks in advance.
    Regards,
    Hari

    if the environments match, then it sounds like a kerberos double-hop issue
    Scott Brickey
    MCTS, MCPD, MCITP
    www.sbrickey.com
    Strategic Data Systems - for all your SharePoint needs

  • How to redirect to j_security_check without the form based authentication

    Hi,
    I am trying to integrate my application authentication to a backend system with the IBM WebSphere form based authentication. Below is the scenario:
    1. When the user clicks on a protected url, the container will redirect the user to the login page.
    2. Instead of displaying the login page, I would like to automatically redirect the user to the j_security_check action, which means that instead of displaying the login.jsp page, the user will automatically be redirected to j_security_check to perform some user authentication, and if successful, the application pages will be displayed.
    The reason I want to auto redirect the user to j_security_check is because I am implementing some integration work with a backend system. The user will key in the username/password from another system. Once the user is authenticated, the user information will be passed to my system. The login page of my system will not be displayed again, and by using the username value, my system will assume that the user has successfully been authenticated (authentication done by the backend system), and therefore automatically gain authorization to login into my application.
    I hope that clarifies my problem.
    Does anyone out there have any solution to my problem?
    Thanks a lot in advance.

    Hi Darren,
    Let me explain the whole authentication environment.
    There are actually 2 systems in this environment. Let's call them system A and system B.
    System B is actually using the authentication mechanism that I described in my previous message.
    A login page will be presented to the user (within system A). User credential is collected and passed to system A to be authenticated. System A will use its own mechanism to authenticate the user.
    Once the user is authenticated, system A will pass the user ID to system B. At this point, system B will assume that the user is authenticated and grant authorization to access the application. (System B global security is enabled and implements the form based authentication mechanism.) Therefore, at this point, the redirect page (so called login page) will not be displayed to the user, instead it will be automatically redirected to the j_security_check action to execute the customer Ldap Registry class. (PS: even though authentication is no longer needed, the flow will still go to the Ldap Registry class. A check is done in the Ldap Registry class to skip the authentication, if it is not boot strap login. Only first and only time authentication is done for boot strap login.)
    In the case a protected url is clicked or invoked by the user directly, the application will redirect the user to the initial login of system A. Otherwise (the url link originates from system A, during the passing of user token to system B), system B will redirect to j_security_check and execute the customer Ldap Registry class.
    Based on the above explained scenario, in your opinion, are there any security loopholes? Consider that system B no longer performs authentication but only grants authorization to the user.
    Appreciate your advice. Thanks in advance.
    Anyway, I am using the IBM WebSphere server. :)
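
The post above describes system B accepting a user ID from system A and skipping authentication, so system B needs a way to tell that the value really came from system A. The following is an added example, not code from the thread or from WebSphere: one way system B could check a signed, short-lived handoff token. The token format, the class name `HandoffToken` and the shared key are assumptions.

```java
import java.nio.charset.StandardCharsets;
import java.security.MessageDigest;
import java.util.Base64;
import javax.crypto.Mac;
import javax.crypto.spec.SecretKeySpec;

/** Hypothetical handoff token: "userId|expiryEpochSeconds|base64url(HMAC-SHA256)". */
public class HandoffToken {
    private final byte[] key; // secret shared by system A and system B (assumption)
    public HandoffToken(byte[] key) { this.key = key.clone(); }

    private byte[] mac(String payload) throws Exception {
        Mac m = Mac.getInstance("HmacSHA256");
        m.init(new SecretKeySpec(key, "HmacSHA256"));
        return m.doFinal(payload.getBytes(StandardCharsets.UTF_8));
    }

    /** System A side: issue a token only after it has authenticated the user. */
    public String issue(String userId, long expiryEpochSeconds) throws Exception {
        String payload = userId + "|" + expiryEpochSeconds;
        return payload + "|" + Base64.getUrlEncoder().withoutPadding().encodeToString(mac(payload));
    }

    /** System B side: return the user ID only if the MAC matches and the token is unexpired. */
    public String verify(String token, long nowEpochSeconds) throws Exception {
        String[] parts = token.split("\\|", -1);
        if (parts.length != 3) return null; // malformed, or user ID contained '|': fail closed
        byte[] presented;
        long expiry;
        try {
            presented = Base64.getUrlDecoder().decode(parts[2]);
            expiry = Long.parseLong(parts[1]);
        } catch (IllegalArgumentException e) { // also covers NumberFormatException
            return null;
        }
        byte[] expected = mac(parts[0] + "|" + parts[1]);
        if (!MessageDigest.isEqual(expected, presented)) return null; // constant-time compare
        return nowEpochSeconds <= expiry ? parts[0] : null;
    }

    public static void main(String[] args) throws Exception {
        HandoffToken t = new HandoffToken("constructed-demo-key".getBytes(StandardCharsets.UTF_8));
        long now = 1_700_000_000L; // constructed timestamp
        String token = t.issue("alice", now + 60);
        System.out.println(t.verify(token, now));                            // untouched token
        System.out.println(t.verify(token.replace("alice", "admin"), now)); // user ID altered
        System.out.println(t.verify(token, now + 120));                      // past its expiry
    }
}
```

A token of this shape can still be replayed until it expires, so the lifetime should be short and the handoff should travel over TLS.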
