Performing form based authentication with entities

Similar Messages

• Retrieving results for comparison in form based authentication with entitie

  Hi,Im developing an application using EJB3.0 and at the moment im working on a module involving user authentication.I work with the sun java system appserver 9.1 and netbeans 5.5.2 using the default toplink as the persistent provider.I have problems performing user based authentication.where am at is at shown below.I used a SLSB facade design pattern and created an entity from an existing database I built solely for the application (table name user_table). This is the code I have currently:
  Entity
  * UserTable.java
  * Created on 31 March 2008, 16:06
  * To change this template, choose Tools | Template Manager
  * and open the template in the editor.
  package Entities;
  import java.io.Serializable;
  import javax.persistence.Column;
  import javax.persistence.Entity;
  import javax.persistence.Id;
  import javax.persistence.Table;
  * Entity class UserTable
  * @author Ayo
  @Entity
  @Table(name = "user_table")
  public class UserTable implements Serializable {
  @Id
  @Column(name = "user_id", nullable = false)
  private Integer userId;
  @Column(name = "username")
  private String username;
  @Column(name = "password")
  private String password;
  @Column(name = "user_type")
  private String userType;
  @Column(name = "access_level")
  private String accessLevel;
  @Column(name = "staff_id")
  private Integer staffId;
  @Column(name = "staff_type", nullable = false)
  private String staffType;
  @Column(name = "time_created")
  private String timeCreated;
  @Column(name = "time_modified")
  private String timeModified;
  @Column(name = "time_logged_in")
  private String timeLoggedIn;
  @Column(name = "time_logged_out")
  private String timeLoggedOut;
  @Column(name = "created_by")
  private String createdBy;
  /** Creates a new instance of UserTable */
  public UserTable() {
  * Creates a new instance of UserTable with the specified values.
  * @param userId the userId of the UserTable
  public UserTable(Integer userId) {
  this.userId = userId;
  * Creates a new instance of UserTable with the specified values.
  * @param userId the userId of the UserTable
  * @param staffType the staffType of the UserTable
  public UserTable(Integer userId, String staffType) {
  this.userId = userId;
  this.staffType = staffType;
  * Gets the userId of this UserTable.
  * @return the userId
  public Integer getUserId() {
  return this.userId;
  * Sets the userId of this UserTable to the specified value.
  * @param userId the new userId
  public void setUserId(Integer userId) {
  this.userId = userId;
  * Gets the username of this UserTable.
  * @return the username
  public String getUsername() {
  return this.username;
  * Sets the username of this UserTable to the specified value.
  * @param username the new username
  public void setUsername(String username) {
  this.username=username;
  * Gets the password of this UserTable.
  * @return the password
  public String getPassword() {
  return this.password;
  * Sets the password of this UserTable to the specified value.
  * @param password the new password
  public void setPassword(String password) {
  this.password=password;
  * Gets the userType of this UserTable.
  * @return the userType
  public String getUserType() {
  return this.userType;
  * Sets the userType of this UserTable to the specified value.
  * @param userType the new userType
  public void setUserType(String userType) {
  this.userType = userType;
  * Gets the accessLevel of this UserTable.
  * @return the accessLevel
  public String getAccessLevel() {
  return this.accessLevel;
  * Sets the accessLevel of this UserTable to the specified value.
  * @param accessLevel the new accessLevel
  public void setAccessLevel(String accessLevel) {
  this.accessLevel = accessLevel;
  * Gets the staffId of this UserTable.
  * @return the staffId
  public Integer getStaffId() {
  return this.staffId;
  * Sets the staffId of this UserTable to the specified value.
  * @param staffId the new staffId
  public void setStaffId(Integer staffId) {
  this.staffId = staffId;
  * Gets the staffType of this UserTable.
  * @return the staffType
  public String getStaffType() {
  return this.staffType;
  * Sets the staffType of this UserTable to the specified value.
  * @param staffType the new staffType
  public void setStaffType(String staffType) {
  this.staffType = staffType;
  * Gets the timeCreated of this UserTable.
  * @return the timeCreated
  public String getTimeCreated() {
  return this.timeCreated;
  * Sets the timeCreated of this UserTable to the specified value.
  * @param timeCreated the new timeCreated
  public void setTimeCreated(String timeCreated) {
  this.timeCreated = timeCreated;
  * Gets the timeModified of this UserTable.
  * @return the timeModified
  public String getTimeModified() {
  return this.timeModified;
  * Sets the timeModified of this UserTable to the specified value.
  * @param timeModified the new timeModified
  public void setTimeModified(String timeModified) {
  this.timeModified = timeModified;
  * Gets the timeLoggedIn of this UserTable.
  * @return the timeLoggedIn
  public String getTimeLoggedIn() {
  return this.timeLoggedIn;
  * Sets the timeLoggedIn of this UserTable to the specified value.
  * @param timeLoggedIn the new timeLoggedIn
  public void setTimeLoggedIn(String timeLoggedIn) {
  this.timeLoggedIn = timeLoggedIn;
  * Gets the timeLoggedOut of this UserTable.
  * @return the timeLoggedOut
  public String getTimeLoggedOut() {
  return this.timeLoggedOut;
  * Sets the timeLoggedOut of this UserTable to the specified value.
  * @param timeLoggedOut the new timeLoggedOut
  public void setTimeLoggedOut(String timeLoggedOut) {
  this.timeLoggedOut = timeLoggedOut;
  * Gets the createdBy of this UserTable.
  * @return the createdBy
  public String getCreatedBy() {
  return this.createdBy;
  * Sets the createdBy of this UserTable to the specified value.
  * @param createdBy the new createdBy
  public void setCreatedBy(String createdBy) {
  this.createdBy = createdBy;
  * Returns a hash code value for the object. This implementation computes
  * a hash code value based on the id fields in this object.
  * @return a hash code value for this object.
  @Override
  public int hashCode() {
  int hash = 0;
  hash += (this.userId != null ? this.userId.hashCode() : 0);
  return hash;
  * Determines whether another object is equal to this UserTable. The result is
  * <code>true</code> if and only if the argument is not null and is a UserTable object that
  * has the same id field values as this object.
  * @param object the reference object with which to compare
  * @return <code>true</code> if this object is the same as the argument;
  * <code>false</code> otherwise.
  @Override
  public boolean equals(Object object) {
  // TODO: Warning - this method won't work in the case the id fields are not set
  if (!(object instanceof UserTable)) {
  return false;
  UserTable other = (UserTable)object;
  if (this.userId != other.userId && (this.userId == null || !this.userId.equals(other.userId))) return false;
  return true;
  * Returns a string representation of the object. This implementation constructs
  * that representation based on the id fields.
  * @return a string representation of the object.
  @Override
  public String toString() {
  return "Entities.UserTable[userId=" + userId + "]";
  SLSB
  * UserTableFacade.java
  * Created on 31 March 2008, 16:07
  * To change this template, choose Tools | Template Manager
  * and open the template in the editor.
  package Entities;
  import java.util.*;
  import javax.ejb.Stateless;
  import javax.persistence.EntityManager;
  import javax.persistence.PersistenceContext;
  * @author Ayo
  @Stateless
  public class UserTableFacade implements UserTableFacadeLocal {
  @PersistenceContext
  private EntityManager em;
  /** Creates a new instance of UserTableFacade */
  public UserTableFacade() {
  public void create(UserTable userTable) {
  em.persist(userTable);
  public void edit(UserTable userTable) {
  em.merge(userTable);
  public void destroy(UserTable userTable) {
  em.merge(userTable);
  em.remove(userTable);
  public List findAll() {
  return em.createQuery("select Object(o)from UserTable as o").getResultList();
  local interface
  * UserTableFacadeLocal.java
  * Created on 31 March 2008, 16:07
  * To change this template, choose Tools | Template Manager
  * and open the template in the editor.
  package Entities;
  import java.util.*;
  import javax.ejb.Local;
  * @author Ayo
  @Local
  public interface UserTableFacadeLocal {
  void create(UserTable userTable);
  void edit(UserTable userTable);
  void destroy(UserTable userTable);
  List findAll();
  controller servlet
  * userCheck.java
  * Created on 15 March 2008, 22:41
  package servlets;
  import Entities.UserTable;
  import Entities.UserTableFacadeLocal;
  import Entities.userValidationBean;
  import Entities.userValidationRemote;
  import java.io.*;
  import java.util.Iterator;
  import java.util.List;
  import java.util.Collection;
  import javax.servlet.*;
  import javax.servlet.http.*;
  import javax.ejb.*;
  * @author Ayo
  * @version
  public class userCheck extends HttpServlet {
  @EJB
  private UserTableFacadeLocal userTableFacade;
  UserTable u;
  String userFellow;
  String pass;
  String username,password;
  /** Processes requests for both HTTP <code>GET</code> and <code>POST</code> methods.
  * @param request servlet request
  * @param response servlet response
  protected void processRequest(HttpServletRequest request, HttpServletResponse response)
  throws ServletException, IOException {
  /*con=null;
  ps=null;
  rs=null;
  s=null;
  */response.setContentType("text/html;charset=UTF-8");
  PrintWriter out = response.getWriter();
  username=request.getParameter("username");
  password=request.getParameter("password");
  if(username==""||password=="")
  showError("<b><font color=\"red\">Please fill in the required blanks.</font></b>",request,response);
  else
  List user=userTableFacade.findAll();
  for(Iterator it=user.iterator();it.hasNext();)
  u=(UserTable)it.next();
  userFellow= u.getUsername();
  pass=u.getPassword();
  //out.println(" <b>"+elem.getTitle()+" </b><br />");
  //out.println(elem.getBody()+"<br /> ");
  //I used the following two lines to determing if im actually accessing the database and retrieving results, and I get all records in the table(usernames and passwords).
  //BUT I NEED A SPECIFIC RECORD TO MATCH THE USERNAME AND PASSWORD FROM THE FORM AND IF IT DOES NOT MATCH,I REDIRECT TO THE ERROR PAGE.THAT'S WHERE IM STUCK.
  out.println(userFellow);
  out.println(pass);
  /* if(username.equals(userFellow)&&password.equals(pass))
  RequestDispatcher d=request.getRequestDispatcher("blah.jsp");
  d.forward(request,response);
  else
  showError("<b><font color=\"red\">Invalid Login details!</font></b>",request,response);
  private void showError(String errorMsg,HttpServletRequest request,HttpServletResponse response)throws ServletException,IOException
  request.setAttribute("error_msg",errorMsg);
  RequestDispatcher dispatcher=request.getRequestDispatcher("admin_error.jsp");
  dispatcher.forward(request,response);
  // <editor-fold defaultstate="collapsed" desc="HttpServlet methods. Click on the + sign on the left to edit the code.">
  /** Handles the HTTP <code>GET</code> method.
  * @param request servlet request
  * @param response servlet response
  protected void doGet(HttpServletRequest request, HttpServletResponse response)
  throws ServletException, IOException {
  processRequest(request, response);
  /** Handles the HTTP <code>POST</code> method.
  * @param request servlet request
  * @param response servlet response
  protected void doPost(HttpServletRequest request, HttpServletResponse response)
  throws ServletException, IOException {
  processRequest(request, response);
  /** Returns a short description of the servlet.
  public String getServletInfo() {
  return "Short description";
  // </editor-fold>
  I NEED HELP.ive been on this for 5 days and i cant seem to get a solution. I tried creating a method (private Collection findByUsername()) and(private Collection
  findByPassword()) in the local interface that would supposedly return records based on input from the form but I got a null pointer and an ejb exception saying
  unknown find method or something, as in ,or an error message that said i cant search records by name or something.I dont know. Or is it the query that is not
  specific enough. I didnt seem to get the syntax right when i was trying to search by username and password.Please someone help me.
  Ayo.

  Hey everyone,
  Is the question I posted that hard?
  I even tried to just load a HTML <img src="picture.jpg"/> tag
  on the login.jsp and even this won't show.
  I'm thinking that the container, with the security mechanism, is blocking
  styles and images???
  Anyone...please help.
  -Yuri

• Form Based Authentication in SharePoint 2013: Getting The remote server returned an error: (500) Internal Server Error

  Hi
   I configured forms based authentication mode in Sharepoint 2013 site. When i tried to log in with windows authentication prompt it throws the following error
  The remote server returned an error: (500) Internal Server Error
  [WebException: The remote server returned an error: (500) Internal Server Error.] System.Net.HttpWebRequest.GetResponse() +8548300 System.ServiceModel.Channels.HttpChannelRequest.WaitForReply(TimeSpan timeout) +111 [ProtocolException:
  The content type text/html; charset=utf-8 of the response message does not match the content type of the binding (application/soap+msbin1). If using a custom encoder, be sure that the IsContentTypeSupported method is implemented properly. The first
  1024 bytes of the response were: '<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd">
  How to fix this issue?
  Regards,
  Siva

  Did you create a new web application or modify an existing web application?
  I would start by checking the ULS logs, maybe there is an incorrect setting within one of the web.config files, or SQL permissions.
  Also, as suggested above, check application pools are running.
  This blog post is a great guide for setting up FBA, check it through to make sure you haven't missed any steps:
  http://blogs.technet.com/b/ptsblog/archive/2013/09/20/configuring-sharepoint-2013-forms-based-authentication-with-sqlmembershipprovider.aspx

• Big problem :anything is accepted by form-based authentication on Jboss

  Hi there
  I'm new to form-based authentication. I've been stuck on this problem for one and a half day. I set up the form-based authentication(with JDBC realm) on JBoss 3.2/Tomcat 5.0. When I visit the protected area, it did ask me for password. But it accepts whatever I input and forwards the desired page, even when I input nothing and just click on submit, it allows me to go through. No error message at all. I am in desperate need for help.
  Here is my configuration. The web.xml is like this
  <?xml version="1.0" encoding="UTF-8"?>
  <!DOCTYPE web-app PUBLIC "-//Sun Microsystems, Inc.//DTD Web Application 2.3//EN" "http://java.sun.com/dtd/web-app_2_3.dtd">
  <web-app>
  <display-name>LoginTest</display-name>
  <security-constraint>
  <display-name>Example Security Constraint</display-name>
  <web-resource-collection>
  <web-resource-name>Protected Area</web-resource-name>
  <url-pattern>/*</url-pattern>
  <http-method>DELETE</http-method>
  <http-method>GET</http-method>
  <http-method>POST</http-method>
  <http-method>PUT</http-method>
  </web-resource-collection>
  <auth-constraint>
  <role-name>manager</role-name>
  </auth-constraint>
  <user-data-constraint><transport-guarantee>NONE</transport-guarantee></user-data-constraint>
  </security-constraint>
  <!-- Default login configuration uses form-based authentication -->
  <login-config>
  <auth-method>FORM</auth-method>
  <form-login-config>
  <form-login-page>/login.jsp</form-login-page>
  <form-error-page>/error.jsp</form-error-page>
  </form-login-config>
  </login-config>
  <security-role>
  <description>Manager security role</description>
  <role-name>manager</role-name>
  </security-role>
  </web-app>
  I also add the following JDBC realm definition into the server.xml which is under jboss/server/default/deploy/jbossweb-tomcat50.sar
  <Realm
  className="org.apache.catalina.realm.JDBCRealm" debug="1"
  driverName="org.gjt.mm.mysql.Driver"
  connectionURL="jdbc:mysql://myipdadress:3306/field_bak"
  connectionName="plankton"
  connectionPassword="plankton"
  userTable="users"
  userNameCol="user_name"
  userCredCol="user_pass"
  userRoleTable="user_roles"
  roleNameCol="role_name"
  />
  The JDBC realm is enclosed by the <engine> element. I checked the server log file, when the jboss server is started, it does load the mysql driver correctly and connect to mysql database fine. If I changed the IP of the mysql server to a non-existing one, then when I start jboss server, the server boot process will complain about connection to mysql faiure.
  I guess maybe the server doesn't do the authentication by connecting to mysql and verify it when I submit the log in form. It seems the JDBC realm authentication is bypassed. I notice that even I get rid of the JDBC realm definition from the server.xml file, and test the web application. It behaves exactly the same way. It asks me for password but anything will go through even nothing.
  Can anybody help me about this? I'm really stuck on this.
  Thanks a lot!

  By the way, I did create database"field_bak" and the tables for the JDBC realm verification.
  I also created the users and the roles.
  But it seems like Tomcat container doesn't do the JDBC realm authentication.

• Oracle form based authentication

  can anyone tell me how to do the simple form-based authentication with IIS in OAM10g ??? pls
  Edited by: 859749 on May 19, 2011 4:32 AM

  Please refer to the product documentation.
  http://download.oracle.com/docs/cd/E15217_01/doc.1014/e12488/v2form.htm#BABCDIEE

• Forcing specific clients or groups to use forms based authentication (FBA) instead of windows based authentication (WIA) with ADFS

  Hi,
  We are have a quite specific issue. The problem is most likely by design in ADFS 3.0 (running on Windows Server 2012 R2) and we are trying to find a "work-around".
  Most users in the organization is using their own personal computer and everything is fine and working as expected, single sign-on (WIA) internally to Office 365 and forms based (FBA) externally (using Citrix NetScaler as reverse proxy and load
  balancing with the correct rewrites to add client-ip, proxy header and URL-transformation).
  The problem occurs for a few (50-100) users where they are sharing the same computer, automatically logged on to the computer using a generic AD-user (same for all of them). This AD-user they are logged on with does not have any access to Office365
  and if they try to access SharePoint Online they receive an error that they can't login (from SharePoint Online, not ADFS).
  We can't change this, they need to have this generic account logged on to these computers. The issue occurs when a user that has access to SharePoint Online tries to access it when logged on with a generic account.
  They are not able to "switch" from the generic account in ADFS / SharePoint Online to their personal account.
  The only way I've found that may work is removing IE as a WIA-capable agent and deploy a User-Agent version string specific to most users but not the generic account.
  My question to you: Is there another way? Maybe when ADFS sees the generic user, it forces forms based authentication or something like that?
  Best regards,
  Simon

  I'd go with your original workaround using the user-agent and publishing a GPO for your normal users that elects to use a user-agent string associated with Integrated Windows Auth.. for the generic accounts, I'd look at using a loopback policy that overwrites
  that user agent setting, so that forms logon is preferred for that subset of users. I don't think the Netscaler here is useful in this capacity as it's a front-end proxy and you need to evaluate the AuthZ rules on the AD FS server after the request has been
  proxied. The error pages in Windows Server 2012 R2 are canned as the previous poster mentioned and difficult to customize (Javascript only)...
  http://blog.auth360.net

• Issue with form based Authentication in three tier sharepoint 2013 environment.

  Hi,
  We are facing issue with form based Authentication in three tier environment.
  We are able to add users to the database and in SharePoint.
  But we are not able to login with created users.
  In single tier everything working fine
  Please help , Its urgent ... Thanks in advance.
  Regards,
  Hari
  Regards, Hari

  if the environments match, then it sounds like a kerberos double-hop issue
  Scott Brickey
  MCTS, MCPD, MCITP
  www.sbrickey.com
  Strategic Data Systems - for all your SharePoint needs

• How To Use HttpUnit With FORM-based Authentication?

  I'm just getting started with HttpUnit, and I'm having a problem:
  How does one use HttpUnit with FORM-based authentication?
  I have a Web app where I specify a number of protected URLs. When a user tries to invoke one of them in a browser, Tomcat 4.1.30 brings up a login page that I specified and asks for a username and password. The values given by the user is checked against the tomcat-users.xml file. If the user is valid, Tomcat
  forwards the response from the original request. If invalid, an error page is displayed. The user is considered valid until either the session times out or the browser is closed.
  Does HttpUnit have to log into the app every time I run a test? How does it manage subsequent pages after login?

  I don't think that's true. HttpUnit is 100% Java and based on JUnit. HttpUnit has nothing to do with Apache, AFAIK. HttpUnit is for unit testing servlets and JSPs. Apache is a Web server. It doesn't have a servlet/JSP engine, unless you bolt Tomcat on top of it.
  Perhaps we're talking about two different packages. - %

• Issues with OSSO ,custom login module and form based authentication

  Hi:
  We are facing issues with OSSO (Oracle Single Sign on ),Our application use the form based
  authentication and Custom login module.
  Application is going in infinite loop when we we try to login using osso ,from the logs
  what I got is looks like tha when we we try to login from OSSO application goes to the login
  page and it gets the remote user from request so it forwards it to the home page till now
  it is correct behaviour ,but after that It looks like home page find that authentication is
  not done and sends it back to the login page and login page again sends it to the home as it
  finds that remote user is not null.
  Our web.xml form authentication entry looks like this :
  <login-config>
  <auth-method>FORM</auth-method>
  <form-login-config>
  <form-login-page>/jsp/login.jsp</form-login-page>
  <form-error-page>/jsp/couldnotlogin.jsp</form-error-page>
  </form-login-config>
  </login-config>
  While entry in orion-application.xml has the following entry for custom login :
  <jazn provider="XML">
       <property name="custom.loginmodule.provider" value="true" />
  <property name="role.mapping.dynamic" value="true" />
  </jazn>
  Whether If I change the authentication type to BASIC and add the following line
  in orion-application.xml will solve the issue :
  <jazn provider="XML">
       <property name="custom.loginmodule.provider" value="true" />
  <property name="role.mapping.dynamic" value="true" />
  <jazn-web-app auth-method="SSO" >
  </jazn>
  Any help regarding it will be appreciated .
  Thanks
  Anil

  Hi:
  We are facing issues with OSSO (Oracle Single Sign on ),Our application use the form based
  authentication and Custom login module.
  Application is going in infinite loop when we we try to login using osso ,from the logs
  what I got is looks like tha when we we try to login from OSSO application goes to the login
  page and it gets the remote user from request so it forwards it to the home page till now
  it is correct behaviour ,but after that It looks like home page find that authentication is
  not done and sends it back to the login page and login page again sends it to the home as it
  finds that remote user is not null.
  Our web.xml form authentication entry looks like this :
  <login-config>
  <auth-method>FORM</auth-method>
  <form-login-config>
  <form-login-page>/jsp/login.jsp</form-login-page>
  <form-error-page>/jsp/couldnotlogin.jsp</form-error-page>
  </form-login-config>
  </login-config>
  While entry in orion-application.xml has the following entry for custom login :
  <jazn provider="XML">
       <property name="custom.loginmodule.provider" value="true" />
  <property name="role.mapping.dynamic" value="true" />
  </jazn>
  Whether If I change the authentication type to BASIC and add the following line
  in orion-application.xml will solve the issue :
  <jazn provider="XML">
       <property name="custom.loginmodule.provider" value="true" />
  <property name="role.mapping.dynamic" value="true" />
  <jazn-web-app auth-method="SSO" >
  </jazn>
  Any help regarding it will be appreciated .
  Thanks
  Anil

• Ask for help with form based authentication & authorization

  Hi:
  I encountered the following problem when I tried the form based authentication & authorization (see the attached part of the config files, web.xml, weblogic.xml & weblogic.properties)
  1. authorization seems not invoked against the rules specfied, it doesn't go the login error page as long as the user/pwd match, even though the user does not have the necessary role
  in the example below, user3 should be denied to access the signin page, but seems no login error page returned, actually I never see any page / error message which complain about the authorization / access control error
  2. after authenticate correctly, always get redirected to the / (context root) url, instead of the url prior the login page, for e.g., signin page
  Any idea ?
  Thanks in advance.
  HaiMing
  attach config files
  web.xml
  <security-constraint>
  <web-resource-collection>
  <web-resource-name>MySecureBit1</web-resource-name>
  <description>no description</description>
  <url-pattern>/control/signin</url-pattern>
  <http-method>POST</http-method>
  <http-method>GET</http-method>
  </web-resource-collection>
  </security-constraint>
  <login-config>
  <auth-method>FORM</auth-method>
  <realm-name>default</realm-name>
  <form-login-config>
  <form-login-page>/control/formbasedlogin</form-login-page>
  <form-error-page>/control/formbasedloginerror</form-error-page>
  </form-login-config>
  </login-config>
  <security-role>
  <description>the customer role</description>
  <role-name>customer</role-name>
  </security-role>
  weblogic.xml
  <security-role-assignment>
  <role-name>
  customer
  </role-name>
  <principal-name>
  customer_group
  </security-role-assignment>
  weblogic.properties
  weblogic.password.user1=user1pass
  weblogic.password.user2=user2pass
  weblogic.password.user3=user3pass
  weblogic.security.group.customer_group=user1,user2

  Hi, Paul:
  Thanks a lot for your reply.
  Firstly let me just correct a little in the attachment I put previously, I think I missed following lines :
  <auth-constraint>
  <description>no description</description>
  <role-name>customer</role-name>
  </auth-constraint>
  So, user1 & user2 are in the customer group, but user3 not, and /control/singin is protected by this security constraint, as a result, when anyone click the link to /control/singin, he was led to the login page, if he tries to login as user1 & user2, he should pass & led to original page (in this case /control/singin, and my code's logic, once /control/signin is used, means that he already login successfully & redirected to the login success page), but if he tries to login as user3, he should only pass the authentication check, but fail the authorization check, and led to login error page.
  What not happen are :
  1. user1 & user2 pass, but redirect to /
  2. user3 also pass, because I see that debug message shows also get redirected to /, instead of login error page
  (login error page will be displayed, only if I try to login as a user with either wrong userid, or wrong password)
  3. one more thing I notice after I first time post the message, the container does not remember the principal, after 1. is done, not even for a while
  And the similar configuration works under Tomcat 3.2.1, for all 3. mentioned above.
  Any idea ?
  HaiMing
  "Paul Patrick" <[email protected]> wrote:
  If I understand what your trying to do, everyone should get access to the
  login page since roles are not
  associated with principals until after they authenticate. If I follow what
  you specified in the XML files,
  authenticated users user1 and user2 are members of a group called
  customer_group.
  The principal customer_group (and therefore its members) is mapped in the
  weblogic.xml file to the role
  customer.
  I can't speak to the reason your being redirected to the document root.
  Paul Patrick
  "HaiMing" <[email protected]> wrote in message
  news:[email protected]...
  Hi:
  I encountered the following problem when I tried the form basedauthentication & authorization (see the attached part of the config files,
  web.xml, weblogic.xml & weblogic.properties)
  1. authorization seems not invoked against the rules specfied, itdoesn't go the login error page as long as the user/pwd match, even though
  the user does not have the necessary role
  in the example below, user3 should be denied to access the signinpage, but seems no login error page returned, actually I never see any page
  / error message which complain about the authorization / access control
  error
  2. after authenticate correctly, always get redirected to the / (contextroot) url, instead of the url prior the login page, for e.g., signin page
  Any idea ?
  Thanks in advance.
  HaiMing
  attach config files
  web.xml
  <security-constraint>
  <web-resource-collection>
  <web-resource-name>MySecureBit1</web-resource-name>
  <description>no description</description>
  <url-pattern>/control/signin</url-pattern>
  <http-method>POST</http-method>
  <http-method>GET</http-method>
  </web-resource-collection>
  </security-constraint>
  <login-config>
  <auth-method>FORM</auth-method>
  <realm-name>default</realm-name>
  <form-login-config>
  <form-login-page>/control/formbasedlogin</form-login-page>
  <form-error-page>/control/formbasedloginerror</form-error-page>
  </form-login-config>
  </login-config>
  <security-role>
  <description>the customer role</description>
  <role-name>customer</role-name>
  </security-role>
  weblogic.xml
  <security-role-assignment>
  <role-name>
  customer
  </role-name>
  <principal-name>
  customer_group
  </security-role-assignment>
  weblogic.properties
  weblogic.password.user1=user1pass
  weblogic.password.user2=user2pass
  weblogic.password.user3=user3pass
  weblogic.security.group.customer_group=user1,user2

• Form-based authentication problem with weblogic

  Hi Everyone,
  The following problem related to form-based authentication
  was posted one week ago and no reponse. Can someone give it
  a shot? One more thing is added here. When I try it on J2EE
  server and do the same thing, I didn't encounter this error
  message, and I am redirected to the homeage.
  Thanks.
  -John
  I am using weblogic5.1 and RDBMSRealm as the security realm. I am having the following problem with the form-based authentication login mechanism. Does anyone have an idea what the problem is and how to solve it?
  When I login my application and logout as normal procedure, it is OK. But if I login and use the browser's BACK button to back the login page and try to login as a new user, I got the following error message,
  "Form based authentication failed. Could not find session."
  When I check the LOG file, it gives me the following message,
  "Form based authentication failed. One of the following reasons could cause it: HTTP sessions are disabled. An old session ID was stored in the browser."
  Normally, if you login and want to relogin without logout first, it supposes to direct you to the existing user session. But I don't understand why it gave me this error. I also checked my property file, it appears that the HTTP sessions are enabled as follows,
  weblogic.httpd.session.enable=true

  Hi...
  Hehe... I actually did implement the way you implement it. My login.jsp actually checks if the user is authenticated. If yes, then it will forward it to the home page. On the other hand, I used ServletAuthentication to solve the problem mentioned by Cameron where Form Authentication Failed usually occurs for the first login attempt. I'm also getting this error occasionally. Using ServletAuthentication totally eliminates the occurence of this problem.
  I'm not using j_security_check anymore. ServletAuthentication does all the works. It also uses RDBMSRealm to authenticate the user. I think the biggest disadvantage I can see when using ServletAuthentication is that the requested resource will not be returned after authentication cause the page returned after authenticating the user is actually hard coded (for my case, it's the home.jsp)
  cheers...
  Jerson
  "John Wang" <[email protected]> wrote:
  >
  Hi Jerson,
  I tried your code this weekend, it didn't work in my case. But
  I solved my specific problem other way. The idea behind my problem is that the user tries to relogin when he already logs in. Therefore, I just redirect the user into another page when he is getting the login page by htting the BACK button, rather than reauthenticate the user as the way you did.
  But, I think your idea is very helpful if it could work. Problems such multiple concurrence logins can be solved by pre-processing.
  In your new code, you solved the problem with a new approach. I am just wondering, do you still implement it with your login.jsp file? In other word, your action in login.jsp is still "Authenticate"? Where do you put the URL "j_security_check"?
  Thanks.
  -John
  "Jerson Chua" <[email protected]> wrote:
  I've solved the problem by using ServletAuthentication. So far I'm not getting the error message. One of the side effects is that it doesn't return the requested URI after authentication, it will always return the home page.
  Jerson
  package com.cyberj.catalyst.web;
  import weblogic.servlet.security.*;
  import javax.servlet.*;
  import javax.servlet.http.*;
  import java.io.*;
  public class Authenticate extends HttpServlet {
  private ServletAuthentication sa = new ServletAuthentication("j_username", "j_password");
  public void doPost(HttpServletRequest request, HttpServletResponse response)
  throws ServletException, java.io.IOException {
  int authenticated = sa.weak(request, response);
  if (authenticated == ServletAuthentication.NEEDS_CREDENTIALS ||
  authenticated == ServletAuthentication.FAILED_AUTHENTICATION) {
  response.sendRedirect("fail_login.jsp");
  } else {
  response.sendRedirect("Home.jsp");
  public void doGet(HttpServletRequest request, HttpServletResponse response)
  throws ServletException, java.io.IOException {
  doPost(request, response);
  "Jerson Chua" <[email protected]> wrote:
  The problem is still there even if I use page redirection. Grrr... My boss wants me to solve this problem so what are the alternatives I can do? Are there any other ways of authenticating the user? In my web tier... I'm using isUserInRole, getRemoteUser and the web tier actually connects to EJBs. If I implement my custom authentication, I wouldn't be able to use this functionalities.
  Has anyone solved this problem? I've tried the example itself and the same problem occurs.
  Jerson
  "Cameron Purdy" <[email protected]> wrote:
  Jerson,
  First try it redirected (raw) to see if that indeed is the problem ... then
  if it works you can "fix" it the way you want.
  Peace,
  Cameron Purdy
  Tangosol, Inc.
  http://www.tangosol.com
  +1.617.623.5782
  WebLogic Consulting Available
  "Jerson Chua" <[email protected]> wrote in message
  news:[email protected]...
  Hi...
  Thanks for your suggestion... I've actually thought of that solution. Butusing page redirection will expose the user's password. I'm thinking of
  another indirection where I will redirect it to another servlet but the
  password is encrypted.
  What do you think?
  thanks....
  Jerson
  "Cameron Purdy" <[email protected]> wrote:
  Maybe redirect to the current URL after killing the session to let the
  request clean itself up. I don't think that a lot of the request (such
  as
  remote user) will be affected by killing the session until the nextrequest
  comes in.
  Peace,
  Cameron Purdy
  Tangosol, Inc.
  http://www.tangosol.com
  +1.617.623.5782
  WebLogic Consulting Available
  "Jerson Chua" <[email protected]> wrote in message
  news:[email protected]...
  Hello guys...
  I've a solution but it doesn't work yet so I need your help. Because
  one
  of the reason for getting form base authentication failed is if an
  authenticated user tries to login again. For example, the one mentionedby
  John using the back button to go to the login page and when the user logsin
  again, this error occurs.
  So here's my solution
  Instead of submitting the page to j_security_check, submit it to a
  servlet
  which will check if the user is logged in or not. If yes, invalidates its
  session and forward it to j_security_check. But there's a problem in this
  solution, eventhough the session.invalidate() (which actually logs theuser
  out) is executed before forwarded to j_security_check, the user doesn't
  immediately logged out. How did I know this, because after calling
  session.invalidate, i tried calling request.RemoteUser() and it doesn't
  return null. So I'm still getting the error. What I want to ask you guyis
  how do I force logout before the j_security_check is called.
  here's the code I did which the login.jsp actually submits to
  import javax.servlet.*;
  import javax.servlet.http.*;
  import java.io.*;
  public class Authenticate extends HttpServlet {
  public void doPost(HttpServletRequest request, HttpServletResponseresponse)
  throws ServletException, java.io.IOException {
  if (request.getRemoteUser() != null) {
  HttpSession session = request.getSession(false);
  System.out.println(session.isNew());
  session.invalidate();
  Cookie[] cookies = request.getCookies();
  for (int i = 0; i < cookies.length; i++) {
  cookies.setMaxAge(0);
  getServletContext().getRequestDispatcher("/j_security_check").forward(reques
  t, response);
  public void doGet(HttpServletRequest request, HttpServletResponseresponse)
  throws ServletException, java.io.IOException {
  doPost(request, response);
  let's help each other to solve this problem. thanks.
  Jerson
  "Jerson Chua" <[email protected]> wrote:
  I thought that this problem will be solved on sp6 but to my
  disappointment, the problem is still there. I'm also using RDBMSRealm,same
  as John.
  Jerson
  "Cameron Purdy" <[email protected]> wrote:
  John,
  1. You are using a single WL instance (i.e. not clustered) on that
  NT
  box
  and doing so without a proxy (e.g. specifying http://localhost:7001),
  correct?
  2. BEA will pay more attention to the problem if you upgrade to SP6.If
  you don't have a reason NOT to (e.g. a particular regression), then
  you
  should upgrade. That will save you one go-around with support: "Hi,I
  am
  on SP5 and I have a problem.", "Upgrade to SP6 to see if that fixes
  it.
  Call back if that doesn't work."
  3. Make sure that you are not doing anything special before or after
  J_SECURITY_CHECK ... make sure that you have everything configuredand
  done
  by the book.
  4. Email BEA a bug report at [email protected] ... see what they say.
  Peace,
  Cameron Purdy
  Tangosol, Inc.
  http://www.tangosol.com
  +1.617.623.5782
  WebLogic Consulting Available
  "John Wang" <[email protected]> wrote in message
  news:[email protected]...
  Cameron,
  It seems to me that the problem I encountered is different a little
  from
  what you have, evrn though the error message is the same eventually.
  Everytime I go through, I always get that error.
  I am using weblogic5.1 and sp5 on NT4.0. Do you have any solutions
  to
  work
  around this problem? If it was a BUG as you
  pointed out, is there a way we can report it to the Weblogic
  technical support and let them take a look?
  Thnaks.
  -John
  "Cameron Purdy" <[email protected]> wrote:
  John,
  I will verify that I have seen this error now (after having read
  about it
  here for a few months) and it had the following characteristics:
  1) It was intermittent, and appeared to be self-curing
  2) It was not predictable, only seemed to occur at the first
  login
  attempt,
  and may have been timing related
  3) This was on Sun Solaris on a cluster of 2 Sparc 2xx's; the
  proxy
  was
  Apache (Stronghold)
  4) After researching the newsgroups, it appears that this "bug"
  may
  have gone away temporarily (?) in SP5 (although Jerson Chua
  <[email protected]> mentioned that he still got it in SP5)
  I was able to reproduce it most often by deleting the tmpwar and
  tmp_deployments directories while the cluster was not running,
  then
  restarting the cluster. The first login attempt would fail(roughly
  90%
  of
  the time?) and that server instance would then be ignored by the
  proxy
  for a
  while (60 seconds?) -- meaning that the proxy would send all
  traffic,
  regardless of the number of "clients", to the other server in thecluster.
  As far as I can tell, it is a bug in WebLogic, and probably has
  been
  there
  for quite a while.
  Peace,
  Cameron Purdy
  Tangosol, Inc.
  http://www.tangosol.com
  +1.617.623.5782
  WebLogic Consulting Available
  "John Wang" <[email protected]> wrote in message
  news:[email protected]...
  Hi Everyone,
  The following problem related to form-based authentication
  was posted one week ago and no reponse. Can someone give it
  a shot? One more thing is added here. When I try it on J2EE
  server and do the same thing, I didn't encounter this error
  message, and I am redirected to the homeage.
  Thanks.
  -John
  I am using weblogic5.1 and RDBMSRealm as the security realm. I
  am
  having
  the following problem with the form-based authentication login
  mechanism.
  Does anyone have an idea what the problem is and how to solve it?
  When I login my application and logout as normal procedure, it
  is
  OK.
  But
  if I login and use the browser's BACK button to back the login
  page
  and
  try
  to login as a new user, I got the following error message,
  "Form based authentication failed. Could not find session."
  When I check the LOG file, it gives me the following message,
  "Form based authentication failed. One of the following reasons
  could
  cause it: HTTP sessions are disabled. An old session ID was stored
  in
  the
  browser."
  Normally, if you login and want to relogin without logout first,
  it
  supposes to direct you to the existing user session. But I don'tunderstand
  why it gave me this error. I also checked my property file, it
  appears
  that
  the HTTP sessions are enabled as follows,
  weblogic.httpd.session.enable=true

• MOBI SSO with trusted authentication and form based authentication

  Dear All,
  I am trying to configure Trusted authentication based SSO FOR MOBI, here are the details:
  - SAP BI 4.1 SP04
  - Trusted authentication with HTTP header configurred for BI Launchpad and working fine.
  Now to have SSO from Mobile, I plan to leverage the existing configuration of BI Launchpad and at Mobile level, I want to use authentication type as TRUSTED_AUTH_FORM, instead of TRUSTED_AUTH_BASIC, with the approach: Trusted authentication with HTTP header.
  And
  Provide our app users their X502 certs.
  1. Will the above approach work ??
  2. As per SAP NOTE: 2038165 - SSO using form based trusted auth gives with the SAP BI app for iOS gives error MOB00920 this does not work and is still under investigation from July last year ? So for any community member, has this been found working ??
  I would appreciate your valuable inputs.
  Regards,
  Sarvjot Singh

  Hi,
  According to your post, my understanding is that you want to know the difference of the SharePoint three type user authentications.
  Windows claims-based authentication uses your existing Windows authentication provider (Active Directory Domain Services [AD DS]) to validate the credentials of connecting clients. Use this authentication to allow AD DS-based accounts access to SharePoint
  resources. Authentication methods include NTLM, Kerberos, and Basic.
  Forms-based authentication can be used against credentials that are stored in an authentication provider that is available through the ASP.NET interface
  SAML token-based authentication in SharePoint 2013 requires coordination with administrators of a claims-based environment, whether it is your own internal environment or a partner environment.
  There is a good article contains all the SharePoint Authentications, including how they work and how to configure.
  http://sp77.blogspot.com/2014/02/authentication-in-sharepoint-2013_5.html#.VFcyQ_mUfkJ
  Thanks & Regards,
  Jason
  Jason Guo
  TechNet Community Support

• Form Based Authentication on Tomcat with custom index.jsp page...

  Hi there ppl,
  I've got Form Based Authentication working correctly on my Tomcat server but I want to override the default generated index.jsp after successfully logging on. I've tried placing my own index.jsp in the directory that's restricted, but its only overridden by the default one when successfully logged on which displays:
  "Authentication Mechanism FORM"
  This means having to navigate by typing the url in the address bar to another page which is gets really annoying afterawhile.
  Any help on this would be much appreciated,
  thanks already

  Yes there's a default generated index.jsp page that I'm having trouble overriding with one of my own. Have you used Form Based Authentication before? To do so you have edit the WEB-INF/web.xml file by adding:
  <security-constraint>
  <web-resource-collection>
  <web-resource-name>Secure Area</web-resource-name>
  <url-pattern>/test/secure/*</url-pattern>
  </web-resource-collection>
  <auth-constraint>
  <role-name>admin</role-name>
  </auth-constraint>      
  </security-constraint>
  <login-config>
  <auth-method>FORM</auth-method>
  <form-login-config>
  <form-login-page>/test/secure/loginpage.jsp</form-login-page>
  <form-error-page>/test/secure/errorpage.jsp</form-error-page>
  </form-login-config>
  </login-config>
  When you attempt to first go to any page in my /test/secure/ directory you get redirected to the /test/secure/loginpage.jsp where you have to login as a tomcat user, when succesfully logged on you get redirected to an index.jsp page which is NOT the one I created in test/secure/index.jsp. Even when I type in the url to go to my own test/secure/index.jsp I still don't get my own one that exists there, but instead get the default one that's generated that displays:
  "Authentication Mechanism FORM".
  Hope that makes more sense.
  I've tried restarting tomcat but it makes no difference.

• How to redirect to j_security_check without the form based authentication

  Hi,
  I am trying to integrate my application authentication to a backend system with the ibm websphere form based authentication. Below is the scenario:
  1. when the user clicks on a protected url, the container will redirect the user to the login page.
  2. instead of displaying the login page, i would like to automatically redirect the user to j_security_check action. which means that instead of displaying the login.jsp page, the user will automatically be redirected to j_security_check to perform some user authentication, and if successful, the application pages will be displayed.
  The reason i want to auto redirect the user to j_security_check is because i am implementing some integration work with a backend system. the user will key in the username/password from another system. once the user is authenticated, the user information will be passed to my system. The login page of my system will not be displayed again, and by using the username value, my system will assume that the user has successfully been authenticated (authentication done by the backend system), and therefore automatically gain authorization to login into my application.
  i hope that clarifies my problem.
  anyone out there has any solution to my problem?
  thanks a lot in advance.

  Hi Darren,
  Let me explain the whole authentication environment.
  There are actually 2 systems in this environment. Let;s call it system A and system B.
  System B is actually using the authentication mechanism that i described in my previous message.
  A login page will be presented to the user (within system A). User credential is collected and passed to system A to be authenticated. System A will use its own mechanism to authenticate the user.
  Once the user is authenticated, system A will pass the user ID to system B. At this point, system B will assume that the user is authenticated and grant authorization to access the application. (system B global security is enabled and implements the form based authentication mechanism) Therefore, at this point, the redirect page (so called login page) will not be displayed to the user, instead it will be automatically redirected to the j_security_check action to execute the customer Ldap Registry class. (ps : eventhough authentication is no longer needed, the flow will still go to Ldap Registry class. A check is done in the Ldap Registry class to skip the authentication, if it is not boot strap login. Only first and only time authentication is done for boot strap login).
  In the case a protected url is clicked or invoked by the user directly, the application will redirect the user to the initial login of system A. Otherwise (the url link originates from system A, during the passing of user token to system B), system B will redirect to j_security_check and execute the customer Ldap Registry class.
  Based on the above explained scenario, in your opinion, is there any security loopholes? consider that system B no longer perform authentication but only to grant authorization to the user.
  Appreciate your advice. Thanks in advance
  Anyway, i am using the ibm websphere server. :)

• Form-based authentication and JSF

  I am trying to use a form-based authentication in Tomcat 6, and from what I understand the page that contains the login form can not be a JSF page.
  The problem I'm having with this is that I need the client's username and password accessible from my backing bean, but I don't know how to put them there from a standard JSP.
  Before all this, I had a simple login form with username/password fields that were bound to a bean, and a button that executed a bean method that would perform the login procedure, retrieve the client's data from the DB and create a Client object in the session to be accessible throughout the application. Now, I need to use container managed access control with form-based authentication, and I know how to set it up but don't know how to create the Client object if the container does all the authentication and I never even get a hold of a username/password combination let alone the rest of the client's data.
  Any advice on this would be greatly appreciated.

  alf.redo wrote:
  ...following article: [j2ee_security_a_jsf_based_login_form|http://groundside.com/blog/DuncanMills.php?title=j2ee_security_a_jsf_based_login_form]
  This is exactly the solution I am planning to use. It is good to know there are others who have decided to go that way.
  Thanks