Resource for Forms/Database Security

My company is taking the Oracle plunge in the next 2 weeks and I really need to find some good books, or resources to get off on the right foot.
The first thing I would like to deal with is security. I need to figure out how to allow some users to update a field while denying other users. I need to know what kind of information I will need to know.
Right now the scope of the project is to create an application in Forms and Reports to run the business. Then we will also be working with HTMLDB, Designer, Portals, and other Oracle tools. So the problem is that I can create a table in the database to hold security settings, but I want the settings for Roles and Access rights to persist through all objects.
Can ALL of the security be done on the database itself? Or will we need to do coding on the Forms and Reports also?
Basically I need someone to point me to the right resource to start implementing security on the database and Forms, since that is the first step (in my opinion) in developing a good application.

All security can be done in the database. However, you probably want to have the security rules in your Forms as well. If your Forms are totally open for any action (insert, update, delete), the user will only get an error message when hitting the Save button. Only then are the database securities checked.
Usually the Form also checks if a user is allowed, e.g., to update a record. If not, in the Form you will set the record to non-updateable. That way the user immediately gets an error message, even before trying to save the changes.
Another approach is to have only ONE database user with all privileges for the application. Application users and authorization rules are stored in application tables. When you start the application, you automatically log in with a database username and password that are hidden or encoded in some way. Then the user logs in with the username and password that are stored in the application. This approach is very common in web environments.
> I need to figure out how to allow some users to update a field while denying other users
I would never go as far as applying security on field level. That may become an administrative nightmare.
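One way to put the rule from the question ("let some users update a field, deny others") into the database itself, as an added example that is not part of the original thread: Oracle roles plus a column-level UPDATE grant, so the rule holds for Forms, Reports, HTMLDB and anything else that connects. The schema APP, the table EMPLOYEES, the roles HR_VIEWER and HR_EDITOR and the users JDOE and HR_LEAD are assumed names.

```sql
-- Added example, not from the original thread. All object and user names
-- (APP.EMPLOYEES, HR_VIEWER, HR_EDITOR, JDOE, HR_LEAD) are hypothetical.
-- Run as a DBA, or as APP with the CREATE ROLE privilege.

CREATE ROLE hr_viewer;
CREATE ROLE hr_editor;

-- Everyone in either role may read the table.
GRANT SELECT ON app.employees TO hr_viewer, hr_editor;

-- Only HR_EDITOR may change data, and only the SALARY column. Oracle accepts
-- a column list on UPDATE (and INSERT) grants, so every other column stays
-- read-only for this role without any trigger or Forms code.
GRANT UPDATE (salary) ON app.employees TO hr_editor;

-- Assign roles to database users. With the "one application user" approach
-- from the reply above, both roles would go to that single account and the
-- per-user decision would move into the application tables instead.
GRANT hr_viewer TO jdoe;
GRANT hr_editor TO hr_lead;

-- Check what the data dictionary actually recorded before trusting the
-- Forms layer to tell the truth about who can edit what.
SELECT grantee, owner, table_name, column_name, privilege
  FROM dba_col_privs
 WHERE owner = 'APP'
   AND table_name = 'EMPLOYEES'
 ORDER BY grantee, column_name;

-- Smoke test. Connected as JDOE (HR_VIEWER only) the first statement fails
-- with ORA-01031 "insufficient privileges"; connected as HR_LEAD it succeeds.
-- The second statement fails for both, because LAST_NAME is not in the grant.
UPDATE app.employees SET salary    = salary * 1.05 WHERE employee_id = 100;
UPDATE app.employees SET last_name = 'Smith'       WHERE employee_id = 100;
ROLLBACK;
```

Oracle only accepts a column list on UPDATE, INSERT and REFERENCES grants; restricting which columns a role may read still needs a view. On the Forms side the same rule is normally mirrored with the built-in SET_ITEM_PROPERTY('emp.salary', UPDATE_ALLOWED, PROPERTY_FALSE) in a WHEN-NEW-FORM-INSTANCE trigger, so the user sees the item as read-only instead of getting ORA-01031 at Save time; the grant, not the Forms property, is what actually enforces it.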

Similar Messages

  • Limiting Resources for a database

    Hello,
    We have several Oracle 9i databases in production. Some of them generate more revenue than others, and therefore are more important than the databases that do not generate much revenue.
    Is it possible to limit the resource usage for the less important databases? For example, is it possible to set the databases that do not generate much revenue to use less CPU on the server? If yes, could you kindly point me in the right direction?
    Kind Regards,
    Rudi

    First question: are all the databases on the same server or on different servers? If on the same server, then try to minimize the SGA of those databases and also create a profile to handle resources like CPU time and other stuff.
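    As an added example (not from the original thread) of the profile route the reply suggests: a profile that caps per-session CPU and a few other kernel resources, applied to the application account of a lower-priority database. The account name REPORTING_APP and the limit values are assumed; tune them against the session statistics of your own workload.

```sql
-- Added example, not from the original thread. REPORTING_APP and the numeric
-- limits are hypothetical. Run as SYS or a DBA in the lower-priority database.

-- Kernel limits in profiles are silently ignored until this is set
-- (password limits always apply). SCOPE=BOTH makes it survive a restart
-- when the instance runs on an spfile.
ALTER SYSTEM SET resource_limit = TRUE SCOPE = BOTH;

CREATE PROFILE low_priority LIMIT
  cpu_per_session         600000   -- hundredths of a second: 100 CPU minutes per session
  cpu_per_call             30000   -- 5 CPU minutes for a single parse/execute/fetch
  logical_reads_per_call  500000   -- blocks one call may read
  sessions_per_user           20   -- concurrent sessions for this account
  idle_time                   30;  -- minutes before an idle session is dropped

ALTER USER reporting_app PROFILE low_priority;

-- Verify the profile and that it is actually attached to the account.
SELECT profile, resource_name, limit
  FROM dba_profiles
 WHERE profile = 'LOW_PRIORITY'
   AND resource_type = 'KERNEL'
 ORDER BY resource_name;

SELECT username, profile
  FROM dba_users
 WHERE username = 'REPORTING_APP';
```

    A profile caps what one session or one call may consume and aborts the call (or logs the session off) when the cap is hit; it does not arbitrate CPU between two databases on the same host. Database Resource Manager (DBMS_RESOURCE_MANAGER) also only works inside one database, so on a shared server the SGA reduction from the reply and the operating system's own scheduling controls are what actually shift CPU from one instance to another.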

  • Web form and database security risk

    I'd like to develop an Oracle Form or APEX Form where people don't have to login to use it. Like a registration form on our website, where anyone can fill it out. Ideally, the information entered into the form would be saved to an Oracle table (could use a flat file if database security is an issue). I'm a developer and don't know a lot about the security side.
    I'm thinking we would need a static IP address and an Oracle public password that doesn't expire, since the public doesn't have to login to use the form.
    Is this possible and is it a database or network security risk ?

    An APEX page can certainly be configured to not require authentication (that's pretty standard for the login/ registration page). There is no need for an "Oracle public password." There are accounts in the Oracle database that APEX uses but that no human needs to know the password for. If that's what you mean by "Oracle public password" then, yes, you do. But that would be the case no matter what authentication and authorization scheme you use in APEX.
    A static IP address for your web server is likely a good idea. It's possible to have DNS work with dynamic IP addresses but that's probably not what you want.
    Justin

  • Is there a utility to import security for Forms?

    I have used the importsecurity.exe utility to successfully import entity, account, and other dimension security. But it doesn't work for Form security. Is there another way or a way to trick the utility and use it for forms?
    Version 9.2.1 Windows environment. SQL server is the database
    Thanks
    Wags

    Thanks John.
    I have over 200 forms for one application with over 700 lines of security.
    As a test, I manually added a few rows of security directly into the HSP_access_control table and restarted the planning service and that worked. So it looks like I could load all the data directly via a SQL query to accomplish this. I merely need to match-up my object names and related object security from PROD to the object_id's and group ID's in Dev (which are slightly different due to dev and prod security being out of sync)
    Any thoughts on what could go wrong??
    Jeff

  • Resources for creating secure Flash content?

    I am looking for any articles, tutorials or other resources for creating secure Flash content. Maybe even a "best practices" article? I am looking to create a login, I need to store users, register users and secure the content.
    Thanks in advance for any time of help with this.
    |rossimo|

    Hi again Nick
    I dunno, perhaps I'm too practical and that holds me back. But I see things this way. If you are just trying to come to terms with Captivate, why complicate matters further by tossing Flash into the mix? I mean, I'm assuming that Flash itself has its own nuances and ways of working. So you really have to first have a real tight handle on how it works. THEN you want to mix in Captivate. And Flash seems to have its own way of dealing with the Captivate stuff. Inevitably Captivate seems to impose its own "weirdness" on things. So my goal is to stay as simple as I can unless I really need to step beyond what the basics offer. Then I am keenly aware that the road I'm choosing to travel is fraught with pitfalls that won't be easy to discern or overcome.
    I have to ask myself if the possible benefit warrants the extra effort involved.
    Cheers... Rick

  • Resource estimation/Sizing (i.e CPU and Memory) for Oracle database servers

    Hi,
    I have come across a requirement for Oracle database server sizing in terms of CPU and memory. Does anybody have Metalink notes or a white paper with a basic estimation or calculation for resources (i.e. CPU and RAM) based on database size, number of concurrent connections/sessions and/or number of transactions?
    I have searched a lot on Metalink but failed to find such a thing; it will be a great help if anybody has an idea on this. I'm damn sure it has to exist, because to start with implementation of IT infrastructure one has to do an estimation of resources aligned with the IT budget.
    Thanks in advance.
    Mehul.

    You could start the other way around, if you already have a server is it sufficient for the database you want to run on it? Is there sufficient memory? Is it solely a database server (not shared)? How fast are the disks - SAN/RAID/local disk? Does it have the networking capacity (100mbps, gigabit)? How many CPUs, will there be intensive SQL? How does Oracle licensing fit into it? What type of application that will run on the database - OLTP or OLAP?
    If you don't know if there is sufficient memory/CPU then profile the application based on what everyone expects, again, start with OLTP or OLAP and work your way down to the types of queries/jobs that will be run, number of concurrent users and what performance you expect/require. For an OLAP application you may want the fastest disks possible, multiple CPUs and a large SGA and PGA (2-4GB PGA?), pay a little extra for parallel server and partitioning in license fees.
    This is just the start of an investigation, then you can work out what fits into your budget.
    Edited by: Stellios on Sep 26, 2008 4:53 PM

  • Developer 2000 forms for 95/NT won't link my Oracle 8i for 98 database, Y?

    hello world,
    It is better to create a sequence of primary keys on a table for eventual use for building forms, or does it really not matter?
    Secondly, I have Oracle 8i Personal Edition installed in my orahome8i area and also managed to install Developer 2000 in this same home area, but it would not run.
    As I could notice, does it really matter if I have installed Developer 2000 with an older version of SQL*Plus? Whenever I try to log into my 8i database, it comes up with a "TNS bla bla bla not found".
    How do I go about getting my Developer 2000 for Win95/NT to hook up to an entirely differently installed Oracle 8i for Win98 database?
    I have tried removing the key from the registry and deleting some bits of my autoexec.bat file, but still to no avail.
    Will I be able to download a compatible version, or is it just about me?
    much appreciation.
    Ayo show

    My guess would be that you still have some remnants of your old "personal" installation, and your new Enterprise installation of 9i is finding the DLL from the old installation.
    Make sure you un-install the old Oracle installation first, and delete all oracle directories for good measure.

  • ORA-00001: unique constraint during "Configure Database Security Store for OIM Domain"

    Hi Guru's,
    I am following the below steps for the OIM 11.1.2.1 with SOA 11.1.1.7 installation and am facing the below error during the step "Configure Database Security Store for OIM Domain".
    Installed Database 11.2.0.3
    Installed RCU (here I used two versions):
         RCU 11.1.2   - Used IDAM prefix for (Metadata Services, OPSS, OIM)
         RCU 11.1.1.7 - Used SOA prefix for (Metadata Services, SOA Infrastructure, User Messaging Service)
    Installed JDK 7 (Java 1.7)
    Installed WL 10.3.6 (MW_HOME-/u01/Middleware/fmw, WL_HOME=/u01/Middleware/fmw/wlserver_10.3)
    Installed FMW 11.1.2.1 for OIM. (ORACLE_HOME=Oracle_IDM1)
    Installed FMW 11.1.1.7 for SOA (ORACLE_HOME=Oracle_SOA1)
    WL Domain creation.  (Domain Name – idam_domain1)
    Configure Database Security Store for OIM Domain.
    Internal Exception: java.sql.SQLIntegrityConstraintViolationException: ORA-00001: unique constraint (IDAM_OPSS.IDX_JPS_RDN_PDN) violated
    Also followed the below bug solution, but issue still occurs.
    Bug 16690836 : CONFIGURE DATABASE SECURITY STORE (CONFIGURESECURITYSTORE.PY) SCRIPT IS FAILING
    @ 1. Delete the Schemas using RCU.
    @ 2. Recreate the OAM schemas.
    @ 3. Reinstall the WLS and OAM software.
    @ 4. Run config.sh to create a new domain.
    @ 5. Run setDomainEnv.sh from user_projects/domains/<Domain_name>/bin
    @ 6. Run the configureSecurityStore.py from same window.
    Not sure if anyone tried with different steps that fixed the issue? Could you please help.
    Thanks
    VG

    Hi Gurus, I got the solution from Oracle. SOA 11.1.1.7.0 shouldn't be used with Identity Management 11.1.2.1.0(11GR1-PS1) version. Identity Management 11.1.2.1.0(11GR1-PS1) is bundled with SOA 11.1.1.6.0. When used this SOA version, Installation went smooth. Thanks VG

  • Is it possible to use markers in a Premiere Pro sequence such as Chapter / Comment / Segmentation and export the XMP metadata for a database so that when the video is used as a Video On-Demand resource, a viewer can do a keyword search and jump to a relat

    Is it possible to use markers in a Premiere Pro sequence such as Chapter / Comment / Segmentation and export the XMP metadata for a database so that when the video is used as a Video On-Demand resource, a viewer can do a keyword search and jump to a related point in the video?

    take have to take turns
    and you have to disable one and enable the other manually

  • PRCD-1120 : The resource for database dwhpd1 could not be found.

    OEL 5.1
    11.1.0.6 Oracle database RAC
    11gR2 Grid
    Hi,
    I have installed 11gR2 grid with ASM and restored/recovered a 11gR1 database. The 1st node is up using ASM, but when I check with srvctl I get errors:
    [oracle@avgrac01 admin]$ /u01/app/11.2.0/grid/bin/srvctl status database -d dwhpd1
    PRCD-1120 : The resource for database dwhpd1 could not be found.
    PRCR-1001 : Resource ora.dwhpd1.db does not exist
    I have read that it's something to do with SCAN and the remote listeners.
    Please can someone point me in a direction/document/help, please

    798188 wrote:
    > OEL 5.1
    > 11.1.0.6 Oracle database RAC
    > 11gR2 Grid
    > Hi,
    > I have installed 11gR2 grid with ASM and restored/recovered a 11gR1 database. The 1st node is up using ASM, but when I check with srvctl I get errors:
    > [oracle@avgrac01 admin]$ /u01/app/11.2.0/grid/bin/srvctl status database -d dwhpd1
    > PRCD-1120 : The resource for database dwhpd1 could not be found.
    > PRCR-1001 : Resource ora.dwhpd1.db does not exist
    > I have read that it's something to do with SCAN and the remote listeners.
    > Please can someone point me in a direction/document/help, please
    Hi,
    This error means database is not registered in OCR
    If the database was not registered in the OCR, after restoring the database you must manually add the database in the OCR (add database and instances)
    http://download.oracle.com/docs/cd/E11882_01/rac.112/e16795/srvctladmin.htm#RACAD5011
    http://download.oracle.com/docs/cd/E11882_01/rac.112/e16795/srvctladmin.htm#i1008526
    About integrate 11.1 with SCAN 11.2 you must use note below:
    How to integrate a 10g/11gR1 RAC database with 11gR2 clusterware (SCAN) [ID 1058646.1]
    Hope this helps,
    Levi Pereira

  • Resource for Flash Forms?

    I have a new application assignment and want to give it a try with Flash forms. Can anyone suggest a tutorial or *gasp* a book that covers Flash based forms in CF development?

    tclaremont wrote:
    > I have a new application assignment and want to give it a try with Flash forms. Can anyone suggest a tutorial or *gasp* a book that covers Flash based forms in CF development?
    I guess it depends on your needs, but these days I'd just go w/Flex. Plenty of resources for that.

  • Cannot enable IORM on OEM , kept getting:Resource cannot allocated for a database

    Oracle Exadata X4, trying to allocate IORM through OEM 12c.
    After choosing the database, disk IO allocation % and IO allocation limit %, when I click Update it keeps giving me this error: Resource cannot allocated for a database
    I want to know if IORM is already setup or not, if not , how do I get it set?
    Thanks in advance.

    Hi user569151 -
    I have configured IORM from the command line, cellcli, a number of times but haven't used OEM to set it up. IORM plans are setup on the Exadata storage cells and unlike its counterpart, DBRM, it manages workloads across databases not internal to a single database.
    To see the current IORM plan and see if it is active and has an objective - which are required for IORM to start managing IO resources and before any inter-database or category plans can be created - you can use the following cellcli command:
          cellcli -e list iormplan detail
    This can be executed from the linux command line on each of the storage cells... or even better, if you have dcli setup you can execute it for all your storage cells at once from the linux command line of one of your compute servers, e.g.:
         dcli -g cell_group cellcli -e list iormplan detail
    You can then determine if you need to activate it, set an objective and then can look into creating your inter-database and/or category IORM plans. Look at the following MOS notes for some information on creating IORM plans:
    Configuring Exadata I/O Resource Manager for Common Scenarios [ID 1363188.1]
    Configuring Resource Manager for Mixed Workloads in a Database [ID 1358709.1]
    Hope that helps get you started. Good luck!
    -Kasey

  • Default database for forms server

    I just installed Oracle Forms 6i and the Oracle Forms Server, and I don't know what the default database string is for the test database. The scott/tiger one? Can someone help me?

    Default Port number for Forms Server is 9000.

  • Using container managed form-based security in JSF

    h1. Using container managed, form-based security in a JSF web app.
    A Practical Solution
    h2. {color:#993300}*But first, some background on the problem*{color}
    The Form components available in JSF will not let you specify the target action, everything is a post-back. When using container security, however, you have to specifically submit to the magic action j_security_check to trigger authentication. This means that the only way to do this in a JSF page is to use an HTML form tag enclosed in verbatim tags. This has the side effect that the post is not handled by JSF at all, meaning you can't take advantage of normal JSF functionality such as validators, plus you have a horrible chimera of a page containing both markup and components. This screws up things like skinning. ([credit to Duncan Mills in this 2-year-old article|http://groundside.com/blog/DuncanMills.php?title=j2ee_security_a_jsf_based_login_form&more=1&c=1&tb=1&pb=1]).
    In this solution, I will use a pure JSF page as the login page that the end user interacts with. This page will simply gather the input for the username and password and pass that on to a plain old jsp proxy to do the actual submit. This will avoid the whole problem of having to use verbatim tags or a mixture of JSF and JSP in the user view.
    h2. {color:#993300}*Step 1: Configure the Security Realm in the Web App Container*{color}
    What is a container? A container is basically a security framework that is implemented directly by whatever app server you are running, in my case Glassfish v2ur2 that comes with Netbeans 6.1. Your container can have multiple security realms. Each realm manages a definition of the security "*principals*" that are defined to interact with your application. A security principal is basically just a user of the system that is defined by three fields:
    - Username
    - Group
    - Password
    The security realm can be set up to authenticate using a simple file, or through JDBC, or LDAP, and more. In my case, I am using a "file" based realm. The users are statically defined directly through the app server interface. Here's how to do it (on Glassfish):
    1. Start up your app server and log into the admin interface (http://localhost:4848)
    2. Drill down into Configuration > Security > Realms.
    3. Here you will see the default realms defined on the server. Drill down into the file realm.
    4. There is no need to change any of the default settings. Click the Manage Users button.
    5. Create a new user by entering username/password.
    Note: If you enter a group name then you will be able to define permissions based on group in your app, which is much more useful in a real app.
    I entered a group named "Users" since my app will only have one set of permissions and all users should be authenticated and treated the same.
    That way I will be able to set permissions to resources for the "Users" group that will apply to all users that have this group assigned.
    TIP: After you get everything working, you can hook it all up to JDBC instead of "file" so that you can manage your users in a database.
    h2. {color:#993300}*Step 2: Create the project*{color}
    Since I'm a newbie to JSF, I am using Netbeans 6.1 so that I can play around with all of the fancy Visual Web JavaServer Faces components and the visual designer.
    1. Start by creating a new Visual Web JSF project.
    2. Next, create a new subfolder under your web root called "secure". This is the folder that we will define a Security Constraint for in a later step, so that any user trying to access any page in this folder will be redirected to a login page to sign in, if they haven't already.
    h2. {color:#993300}*Step 3: Create the JSF and JSP files*{color}
    In my very simple project I have 3 pages set up. Create the following files using the default templates in Netbeans 6.1:
    1. login.jsp (A Visual Web JSF file)
    2. loginproxy.jspx (A plain JSPX file)
    3. secure/securepage.jsp (A Visual Web JSF file... Note that it is in the sub-folder named secure)
    Code follows for each of the files:
    h3. {color:#ff6600}*First we need to add a navigation rule to faces-config.xml:*{color}
    {code}
    <navigation-rule>
        <from-view-id>/login.jsp</from-view-id>
        <navigation-case>
            <from-outcome>loginproxy</from-outcome>
            <to-view-id>/loginproxy.jspx</to-view-id>
        </navigation-case>
    </navigation-rule>
    {code}
    NOTE: This navigation rule simply forwards the request to loginproxy.jspx whenever the user clicks the submit button. The button1_action() method below returns the "loginproxy" case to make this happen.
    h3. {color:#ff6600}*login.jsp -- A very simple Visual Web JSF file with two input fields and a button:*{color}
    {code}
    <?xml version="1.0" encoding="UTF-8"?>
    <jsp:root version="2.1"
              xmlns:f="http://java.sun.com/jsf/core"
              xmlns:h="http://java.sun.com/jsf/html"
              xmlns:jsp="http://java.sun.com/JSP/Page"
              xmlns:webuijsf="http://www.sun.com/webui/webuijsf">
        <jsp:directive.page contentType="text/html;charset=UTF-8" pageEncoding="UTF-8"/>
        <f:view>
            <webuijsf:page id="page1">
                <webuijsf:html id="html1">
                    <webuijsf:head id="head1">
                        <webuijsf:link id="link1" url="/resources/stylesheet.css"/>
                    </webuijsf:head>
                    <webuijsf:body id="body1" style="-rave-layout: grid">
                        <webuijsf:form id="form1">
                            <webuijsf:textField binding="#{login.username}" id="username"
                                                style="position: absolute; left: 216px; top: 96px"/>
                            <webuijsf:passwordField binding="#{login.password}" id="password"
                                                    style="left: 216px; top: 144px; position: absolute"/>
                            <webuijsf:button actionExpression="#{login.button1_action}" id="button1"
                                             style="position: absolute; left: 216px; top: 216px" text="GO"/>
                        </webuijsf:form>
                    </webuijsf:body>
                </webuijsf:html>
            </webuijsf:page>
        </f:view>
    </jsp:root>
    {code}
    h3. *login.java -- implement the button1_action() method in the login.java backing bean*
    {code}
    public String button1_action() {
        // Hand the entered credentials to the proxy page through the request scope,
        // then return the navigation case that forwards to loginproxy.jspx.
        setValue("#{requestScope.username}", (String) username.getValue());
        setValue("#{requestScope.password}", (String) password.getValue());
        return "loginproxy";
    }
    {code}
    h3. {color:#ff6600}*loginproxy.jspx -- a login proxy that the user never sees. The onload="document.forms[0].submit()" automatically submits the form as soon as it is rendered in the browser.*{color}
    {code}
    <?xml version="1.0" encoding="UTF-8"?>
    <jsp:root xmlns:jsp="http://java.sun.com/JSP/Page" version="2.0">
        <jsp:output omit-xml-declaration="true" doctype-root-element="HTML"
                    doctype-system="http://www.w3.org/TR/html4/loose.dtd"
                    doctype-public="-//W3C//DTD HTML 4.01 Transitional//EN"/>
        <jsp:directive.page contentType="text/html" pageEncoding="UTF-8"/>
        <html>
            <head>
                <meta http-equiv="Content-Type" content="text/html; charset=UTF-8"/>
                <title>Logging in...</title>
            </head>
            <!-- submit to the container's j_security_check as soon as the page has loaded -->
            <body onload="document.forms[0].submit()">
                <form action="j_security_check" method="POST">
                    <input type="hidden" name="j_username" value="${requestScope.username}" />
                    <input type="hidden" name="j_password" value="${requestScope.password}" />
                </form>
            </body>
        </html>
    </jsp:root>
    {code}
    h3. {color:#ff6600}*secure/securepage.jsp -- A simple JSF target page, placed in the secure folder to test access*{color}
    {code}
    <?xml version="1.0" encoding="UTF-8"?>
    <jsp:root version="2.1"
              xmlns:f="http://java.sun.com/jsf/core"
              xmlns:h="http://java.sun.com/jsf/html"
              xmlns:jsp="http://java.sun.com/JSP/Page"
              xmlns:webuijsf="http://www.sun.com/webui/webuijsf">
        <jsp:directive.page contentType="text/html;charset=UTF-8" pageEncoding="UTF-8"/>
        <f:view>
            <webuijsf:page id="page1">
                <webuijsf:html id="html1">
                    <webuijsf:head id="head1">
                        <webuijsf:link id="link1" url="/resources/stylesheet.css"/>
                    </webuijsf:head>
                    <webuijsf:body id="body1" style="-rave-layout: grid">
                        <webuijsf:form id="form1">
                            <webuijsf:staticText id="staticText1"
                                                 style="position: absolute; left: 168px; top: 144px"
                                                 text="A Secure Page"/>
                        </webuijsf:form>
                    </webuijsf:body>
                </webuijsf:html>
            </webuijsf:page>
        </f:view>
    </jsp:root>
    {code}
    h2. {color:#993300}*_Step 4: Configure Declarative Security_*{color}
    This type of security is called +declarative+ because it is not configured programmatically. It is configured by declaring all of the relevant parameters in the configuration files: *web.xml* and *sun-web.xml*. Once you have it configured, the container (application server and Java framework) already has the implementation to make everything work for you.
    *web.xml will be used to define:*
    - Type of security - We will be using "form based". The login.jsp we created will be set as both the login and error page.
    - Security Roles - The security role defined here will be mapped (in sun-web.xml) to users or groups.
    - Security Constraints - A security constraint defines the resource(s) that is being secured, and which Roles are able to authenticate to them.
    *sun-web.xml will be used to define:*
    - This is where you map a Role to the Users or Groups that are allowed to use it.
    +I know this is confusing the first time, but basically it works like this:+
    *Security Constraint for a URL* -> mapped to -> *Role* -> mapped to -> *Users & Groups*
    h3. {color:#ff6600}*web.xml -- here's the relevant section:*{color}
    {code}
    <security-constraint>
        <display-name>SecurityConstraint</display-name>
        <web-resource-collection>
            <web-resource-name>SecurePages</web-resource-name>
            <description/>
            <url-pattern>/faces/secure/*</url-pattern>
            <http-method>GET</http-method>
            <http-method>POST</http-method>
            <http-method>HEAD</http-method>
            <http-method>PUT</http-method>
            <http-method>OPTIONS</http-method>
            <http-method>TRACE</http-method>
            <http-method>DELETE</http-method>
        </web-resource-collection>
        <auth-constraint>
            <description/>
            <role-name>User</role-name>
        </auth-constraint>
    </security-constraint>
    <login-config>
        <auth-method>FORM</auth-method>
        <realm-name/>
        <form-login-config>
            <form-login-page>/faces/login.jsp</form-login-page>
            <form-error-page>/faces/login.jsp</form-error-page>
        </form-login-config>
    </login-config>
    <security-role>
        <description/>
        <role-name>User</role-name>
    </security-role>
    {code}
    h3. {color:#ff6600}*sun-web.xml -- here's the relevant section:*{color}
    {code}
    <security-role-mapping>
        <role-name>User</role-name>
        <group-name>Users</group-name>
    </security-role-mapping>
    {code}
    h3. {color:#ff6600}*Almost done!!!*{color}
    h2. {color:#993300}*_Step 5: A couple of minor "Gotcha's"_ *{color}
    h3. {color:#ff6600}*_Gotcha #1_*{color}
    You need to configure the "welcome page" in web.xml to point to faces/secure/securepage.jsp ... Note that there is *_no_* leading / ... If you put a / in there it will barf all over itself .
    h3. {color:#ff6600}*_Gotcha #2_*{color}
    Note that we set the <form-login-page> in web.xml to /faces/login.jsp ... Note the leading / ... This time, you NEED the leading slash, or the server will gag.
    *DONE!!!*
    h2. {color:#993300}*_Here's how it works:_*{color}
    1. The user requests a page from your context (http://localhost/MyLogin/)
    2. The servlet forwards the request to the welcome page: faces/secure/securepage.jsp
    3. faces/secure/securepage.jsp has a security constraint defined, so the servlet checks to see if the user is authenticated for the session.
    4. Of course the user is not authenticated since this is the first request, so the servlet forwards the request to the login page we configured in web.xml (/faces/login.jsp).
    5. The user enters username and password and clicks a button to submit.
    6. The button's action method stores away the username and password in the request scope.
    7. The button returns "loginproxy" navigation case which tells the navigation handler to forward the request to loginproxy.jspx
    8. loginproxy.jspx renders a blank page to the user which has hidden username and password fields.
    9. The hidden username and password fields grab the username and password variables from the request scope.
    10. The loginproxy page is automatically submitted with the magic action "j_security_check"
    11. j_security_check notifies the container that authentication needs to be intercepted and handled.
    12. The container authenticates the user credentials.
    13. If the credentials fail, the container forwards the request to the login.jsp page.
    14. If the credentials pass, the container forwards the request to *+the last protected resource that was attempted.+*
    +Note the last point! I don't know how, but no matter how many times you fail authentication, the container remembers the last page that triggered authentication and once you finally succeed the container forwards your request there!!!!+
    +The user is now at the secure welcome page.+
    If you have read this far, I thank you for your time, and I seriously question your ability to ration your time pragmatically.
    Kerry Randolph

    If you want login security on your web app, this is one way to do it. (the easiest way i have seen).
    This method allows you to create a custom login form and error page using JSF.
    The container handles the actual authentication and protection of the resources based on what you declare in web.xml and sun-web.xml.
    This example uses a statically defined user/password, stored in a file, but you can also configure a JDBC realm in Glassfish, so that users can register for access and your program can store the username/password in a database.
    I'm new to programming, so none of this may be a good practice, or may not be secure at all.
    I really don't know what I'm doing, but I'm learning, and this has been the easiest way that I have found to add authentication to a web app, without having to write the login modules yourself.
    Another benefit, and I think this is key ***You don't have to include any extra code in the pages that you want to protect*** The container manages this for you, based on the constraints you declare in web.xml.
    So basically you set it up to protect certain folders, then when any user tries to access pages in that folder, they are required to authenticate.
    --Kerry

  • Form based security in WebLogic 7.0

    I'm sorry for the beginner level question, but I seem to be missing a critical step
    in getting Form based security to work. I have a Web application comprised of several
    JSPs. I want to attach simple FORM based security constraints to all pages in the
    app. Here are the excerpts from my web.xml:
    <security-constraint>
      <web-resource-collection>
        <web-resource-name>DTSTAT</web-resource-name>
        <url-pattern>/StateServlet/*</url-pattern>
      </web-resource-collection>
      <auth-constraint>
        <role-name>Sysops</role-name>
      </auth-constraint>
      <user-data-constraint>
        <transport-guarantee>NONE</transport-guarantee>
      </user-data-constraint>
    </security-constraint>
    <login-config>
      <auth-method>FORM</auth-method>
      <form-login-config>
        <form-login-page>/StateServlet/login.html</form-login-page>
        <form-error-page>/StateServlet/login-error.html</form-error-page>
      </form-login-config>
    </login-config>
    <security-role>
      <role-name>Sysops</role-name>
    </security-role>
    The app deploys correctly and I have verified that the constraints, etc. are recognized
    by WebLogic by inspecting the content displayed from the Admin console under the
    "Edit Web Application Deployment Descriptor" link - all looks as I had expected and
    matches the XML configuration above.
    I then use the "Define Resources and Roles for Web Resource Collections" link. Under
    the "Define Policies" section I see the constraints as defined above. I then use
    the "Define Roles" link to define the "Sysops" role for this application and add
    the condition "Caller is a member of the group" and use Administrators as the Group.
    From this point, I invoke one of the JSPs in the app and am presented with the Login
    page as expected. However, no matter what I enter for user and password, I always
    get the login-error page back. I'm purposely trying to keep this simple so that
    I can use the system user as a test case (who is a member of the Administrators group).
    However, I have also created an additional separate user and added them to the Administrators
    group as well with the same unsuccessful results.
    Can anyone help me out please? I've been reading the docs and seem to be missing
    a key element somewhere.
    Thanks in advance,
    Todd
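
Two things worth checking alongside the descriptor above, as an added example that is not part of Todd's post or of BEA's documentation. First, the Servlet specification's FORM authentication only works if the login page itself posts to the container's `j_security_check` action with fields named exactly `j_username` and `j_password`; a form posting anywhere else, or with other field names, never reaches the container's authenticator and the credentials are simply ignored. Second, `<transport-guarantee>NONE</transport-guarantee>` lets those credentials cross the network in clear text; `CONFIDENTIAL` is the hardened setting, under which the container redirects a plain-HTTP request for the protected pattern to its SSL listener before the login page is served (this assumes SSL is configured on the server). The URL pattern, resource name and role name below are taken from the post; the login page is written here as XHTML so both fragments fit one XML block, and its field labels and button text are assumptions.

```xml
<!-- /StateServlet/login.html (the page named in form-login-page above), as XHTML.
     The action MUST be the literal j_security_check and the field names MUST be
     j_username and j_password: the servlet container intercepts this POST itself
     and checks the pair against the configured realm. autocomplete="off" is an
     added hardening assumption, not something the post asked for. -->
<form method="post" action="j_security_check">
  <label>User: <input type="text" name="j_username" autocomplete="off"/></label>
  <label>Password: <input type="password" name="j_password" autocomplete="off"/></label>
  <input type="submit" value="Log in"/>
</form>

<!-- web.xml: the same constraint as in the post, with the weak transport setting
     corrected. NONE (as posted) sends j_username/j_password in clear text over
     HTTP; CONFIDENTIAL makes the container redirect plain-HTTP requests for
     /StateServlet/* to HTTPS before the login page is ever served. -->
<security-constraint>
  <web-resource-collection>
    <web-resource-name>DTSTAT</web-resource-name>
    <url-pattern>/StateServlet/*</url-pattern>
  </web-resource-collection>
  <auth-constraint>
    <role-name>Sysops</role-name>
  </auth-constraint>
  <user-data-constraint>
    <transport-guarantee>CONFIDENTIAL</transport-guarantee>
  </user-data-constraint>
</security-constraint>
```

A quick way to confirm the first point is to watch the browser's request when the form is submitted: the POST must go to a URL ending in `j_security_check` and carry `j_username` and `j_password` in the body. If it posts anywhere else, the container never sees the credentials, whatever the role mapping in the console says.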

              Try to refer to the documentation for
              Configuring Security in Web Applications at
              http://e-docs.bea.com/wls/docs70///webapp/security.html
              Does the weblogic.log file contain any error or warning
              messages corresponding to your problem?
              If you have a test case to reproduce the problem, you
              can contact BEA support at [email protected]
              Thanks
              Developer Relations Engineer
