Secure login form as part of a not-secure page

I know how to make a login page secure via SSL, and I also know how to do a login box on the other application pages that aren't secure. What I can't find out how to do -- or if it is even possible -- is to make a secure (via SSL) login box on a page that otherwise is not downloaded via SSL. Does anyone know how this might be done? I don't want to just force the whole application page to go via https.
If this is possible there would have to be a way to tell the browser to include (via JSP include tag?) a page at a URL starting with https: inside a table box or something. I'm using JSF but would be willing to script at a low level if I knew which way to go.

Please search the net. It has your solution, as I told you earlier. Keyword you can use: secure ajax login
Excerpt from a page which also contains the source code for what is described below.
1) You signal that you intend to log in by focusing on the username or password text box on the page.
2) The server then obtains a random number ("seed" in the code) for the transaction that will be used only for the current transaction, and once the transaction is complete, the seed is useless. (Note this means that if data is intercepted, it cannot be reconstructed to log in the user that was intercepted.)
3) Once you enter a username and password, the server md5 hashes your password, and then md5 hashes that hash with the seed, and sends this to the server for authentication (along with your username and the id of the transaction).
4) The server compares the hash it received with the hash of the password hash stored in the database concatenated with the seed for the transaction given by the id from the client.
5) If these two hashes match, the user is logged in. Otherwise, the appropriate error message is sent back to the client.
I will not give you the link to the above page. Better that you find such pages yourself.
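
The seeded exchange in steps 1-5, as an added example that is not the code from the page the reply refers to. It assumes the hashing of step 3 runs on the client (the side that sends the result to the server), and the names `LoginServer`, `clientResponse`, the status strings and the account are constructed for illustration.

```javascript
// Added example: seeded MD5 challenge-response login (steps 1-5), constructed data.
const crypto = require("crypto");

const md5hex = (s) => crypto.createHash("md5").update(s, "utf8").digest("hex");

// Step 3, client side: md5(md5(password) + seed).
function clientResponse(password, seed) {
  return md5hex(md5hex(password) + seed);
}

class LoginServer {
  constructor(ttlMs = 60000) {
    this.ttlMs = ttlMs;
    this.users = new Map();   // username -> md5(password), the value step 4 reads
    this.pending = new Map(); // transaction id -> { seed, expires }
  }

  addUser(username, password) {
    // The stored hash is what the expected response is computed from,
    // so it needs the same protection as the password itself.
    this.users.set(username, md5hex(password));
  }

  // Step 2: a fresh random seed bound to one transaction id.
  issueSeed(now = Date.now()) {
    const id = crypto.randomBytes(8).toString("hex");
    const seed = crypto.randomBytes(16).toString("hex");
    this.pending.set(id, { seed, expires: now + this.ttlMs });
    return { id, seed };
  }

  // Steps 4-5: recompute the hash from the stored value and the seed, then compare.
  verify(username, id, response, now = Date.now()) {
    const tx = this.pending.get(id);
    this.pending.delete(id); // single use: consumed whether the login succeeds or not
    if (!tx || now > tx.expires) return "unknown-or-expired-transaction";

    const stored = this.users.get(username);
    // Unknown users go through the same computation with a dummy value.
    const expected = md5hex((stored || md5hex("")) + tx.seed);
    const wellFormed = /^[0-9a-f]{32}$/.test(response);
    const match = wellFormed && crypto.timingSafeEqual(
      Buffer.from(expected, "hex"), Buffer.from(response, "hex"));
    return stored !== undefined && match ? "ok" : "bad-credentials";
  }
}

// One legitimate login, then the same captured message sent again.
function demo() {
  const server = new LoginServer();
  server.addUser("alice", "correct horse"); // constructed account

  const t1 = server.issueSeed();
  const captured = {
    user: "alice",
    id: t1.id,
    response: clientResponse("correct horse", t1.seed),
  };
  const first = server.verify(captured.user, captured.id, captured.response);

  // Same transaction id again: the seed was consumed by the first attempt.
  const replaySameId = server.verify(captured.user, captured.id, captured.response);

  // Old response against a new transaction: the seed differs, so the hash does too.
  const t2 = server.issueSeed();
  const replayNewId = server.verify(captured.user, t2.id, captured.response);

  const t3 = server.issueSeed();
  const wrongPassword = server.verify("alice", t3.id, clientResponse("guess", t3.seed));

  return { first, replaySameId, replayNewId, wrongPassword };
}

console.log(demo());
```

The exchange only keeps a passive listener from reusing a captured login; the form and its script still arrive over plain HTTP, so nothing here authenticates the page that does the hashing.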

Similar Messages

  • Right way of login form...

    Hello
    I am a really newbie in web programming. I want to write a web application with JSF. I wonder what is the right way of creating the login form. I tried to write a page segment file for it but page segments do not have prerender method so it cannot be fully controlled...I want something like that:
    login control will be two parts..
    if login info is not found in session, then it will show the login form.
    if the user is found in session, then it will show the menu for the user...
    but I couldn't do that because prerender method is not available in page segments..
    what is the right way for doing that kind of thing?

    Indeed implement a Filter.
    Once a user logs in, put the User object in the HttpSession. Let the filter check on this User object. If this User object is null and you're not in the login page, then redirect to the login page.
    Do a Google search on "LoginFilter implements Filter" or "UserFilter implements Filter" and you'll find a lot of examples.
    http://www.google.com/search?q=%22LoginFilter implements Filter%22
    http://www.google.com/search?q=%22UserFilter implements Filter%22
    Here is an advanced one which actually doesn't redirect if the User object doesn't exist, but this might give you some new insights: http://balusc.xs4all.nl/srv/dev-jep-usf.html

  • OAM 10g - access to resource is not authorized, but no login form displayed

    Hi,
    Here's another one. Let's say I access some (protected) page which redirected me to login form page. Login form page immediately creates an obssocookie (for user obanonymous). Instead of logging in, I just change URL to my protected application (I actually did it because I changed my mind and not while purposely testing).
    I am getting "not authorized" error, instead of being redirected to login page. This is very confusing and bad user experience. The obssocookie appears to point to a valid session (I checked status in my app for user session and it appears to be ObUserSession.LOGGEDIN) but obviously the user anonymous is not authorized.
    So the question is - Is there any way OAM would not create a valid session cookie for anonymous user when I just load login form page? How do you guys solve this issue? Should I somehow use auth level?
    Thanks,
    Alex

    Hi Sagar,
    What you've described is exactly my intention. I want only users with auth level > 0 to access the protected application. Plus for the resource I define my form based login as default authentication scheme (which has level=1). I think that the issue is that I protect the application with my own access gate (not a web gate). And there I have the following logic:
    if(sso cookie is present and status of the session = "logged in") then validate whether user has access to the requested resource. So in my case the sso cookie is found, and belongs to anonymous user, session state = logged in, and I fail at authorization check. I think I need to implement some kind of auth level check, or compare actual user's auth scheme with the one required for the resource, right?
    Thanks,
    Alex

  • Infopath Form Web Part not showing form

    Hello,
    I recently edited a list form in a InfoPath 2010 and published it to my site. When clicking on "Add new item" it works fine. The new form shows up and all is well. The idea though was to enable the form from a separate page by using the InfoPath Form Web Part. We have other forms setup this way on our site that work fine, but for some reason, when I added the web part to the page, pointed it at the list and set the custom content types (only single option anyways as the list is built on a custom content type) nothing is displayed within the web part.
    I can't find any difference between my form and the already created forms, but as I didn't create the ones that are working I may have missed some setting. There is no error, no message, just a blank web part... Actually, that's not true. When I check in the page I see nothing. But when I publish it, I see only a close link and a bit of a header div.
    If anyone would happen to have seen this before, know what it is or know how to fix it I would be greatly appreciative.
    Thank you.

    Hi David,
    From your description, you published an InfoPath form to SharePoint list, and it worked well in the list. However, when you added an InfoPath form web part to another page, it displayed as image.
    I could not reproduce the issue, I just selected list and content type, left all other settings as default, it displayed as expected. Did I miss anything during reproducing your issue? Did you make any customization to web part or InfoPath form?
    Regards,
    Rebecca Tu
    TechNet Community Support

  • How do I redirect a secure zone login form with javascript?

    I would like to redirect what page a user goes to after filling out the secure log in form. I would change the landing page of the secure zone, but I need a log in form to go to a different page of the site. I would also create a separate secure zone, but I have almost 3000 subscribers and it would be very time consuming to add all those users to this new zone.
    I would like to redirect the user (using the form from a secure zone) to a different page other than the landing page of the log in form. How do I do this with javascript?
    I saw this page: http://kb.worldsecuresystems.com/598/bc_598.html#main_Logging_into_different_Secure_Zones_ according_to_ID_number but couldn't make sense of it for my current situation. (I don't need multiple zones, just the form to redirect to a different page after submission)
    <form action="https://redlakewalleye.worldsecuresystems.com/ZoneProcess.aspx?ZoneID=12369&Referrer={module_siteUrl,true,true}&amp;OID={module_oid}&amp;OTYPE={module_otype}" method="post" onSubmit="return checkWholeForm52938(this)" name="catseczoneform52938">
                <div class="form">
                <div class="item"><label for="SZUsername">Username</label><br />
                <input type="text" maxlength="255" id="SZUsername" name="Username" class="cat_textbox_small" /></div>
                <div class="item"><label for="SZPassword">Password</label><br />
                <input type="password" autocomplete="off" maxlength="255" id="SZPassword" name="Password" class="cat_textbox_small" /></div>
                <div class="item"><input type="checkbox" id="RememberMe" name="RememberMe" /><label for="RememberMe">Remember Me</label></div>
                <div class="item"><input type="submit" value="Log in" class="cat_button" /> <a href="/_System/SystemPages/PasswordRetrieveRequest">Lost password?</a></div>
                </div>
                <script type="text/javascript" src="/CatalystScripts/ValidationFunctions.js"></script>
                <script type="text/javascript">
                    //<![CDATA[
                    function checkWholeForm52938(theForm){
                        var why = "";
                        // isEmpty() comes from ValidationFunctions.js and returns an error message or ""
                        if (theForm.Username) why += isEmpty(theForm.Username.value, "Username");
                        if (theForm.Password) why += isEmpty(theForm.Password.value, "Password");
                        if (why != ""){
                            alert(why);
                            return false;
                        }
                        // Add the redirect code here?
                        theForm.submit();
                        return false;
                    }
                    //]]>
                </script>
            </form>

    I've been working on the same thing and have nearly solved it with these tutorials:
    http://www.bcgurus.com/tutorials/re-directing-users-to-the-correct-secure-zone
    http://www.bcgurus.com/tutorials/building-a-better-secure-zone-login-page
    The first tutorial will let a person continue on to the page he/she was attempting to access. For example, if your site offers learning lessons in a secure zone... A visitor could click on a lesson, get prompted to login and then be redirected to that particular lesson instead of the landing page for the secure zone. The script in the tutorial also accommodates general logging in: "if the person wasn't going somewhere specific then send him/her here" (landing page, user account, whatever).
    Might be worth checking out the free BCGurus trial or joining for a month.
    Brian

  • Multiple Secure Zones with a Single Login Form

    Hello, I've created a login form and 20 different secure zones. I am needing to redirect users to their own personal secure zone automatically once they login (without the need for them to choose the secure zone) Can you please let me know how this can be done? Thank you much

    Hi
    The main difference is:
    Using the generic secure zone login option: when the customer logs in, he stays on the same page. I mean, the generic secure zone in BC doesn't support redirecting to other pages. However, he will have access to all the pages that were in other secure zones to which he actually subscribed.
    Using the specific secure zone login form, you have the option to redirect the user to a specific landing page and the user will have access to data that is placed in this specific secure zone.
    You may locate the generic secure zone login form in toolbox > site modules > secure zones > sign in form > as shown in below screenshot:

  • How to print password_grace_time message on login form

    hi,
    We are running our application on 6i, where we have a login form. We have set a profile for a user and we want to show the password_grace_time message (ora-28002) on his login form when he tries to log in during the grace time. How can we do this?
    regards

    I would just ask the 3rd party that created the PDF if they could supply unencrypted files. If there is some reason they will not, I am surprised that they have not restricted printing. Normally when Acrobat security is set, you can not print to a new PDF, even if printing is allowed. One option is to provide the ID and password to the other folks who need to review the PDFs. On the surface, there seems to be a license issue with what you are trying to do and you may need to be careful that the company is not at risk. That is why I am suggesting to coordinate with the 3rd party.
    Sorry. I don't have a solution but just the statement of concern.

  • Help with Login Form (JSP DB Java Beans Session Tracking)

    Hi, I need some help with my login form.
    The design of my authentication system is as follows.
    1. Login.jsp sends login details to validation.jsp.
    2. Validation.jsp queries a DB against the parameters received.
    3. If the query result is good, I retrieve some information (login id, name, etc.) from the DB and store it into a Java Bean.
    4. The bean itself is referenced with the current session.
    5. Once all that's done, validation.jsp forwards to main.jsp.
    6. As a means to maintain state, I prefer to use url encoding instead of cookies for obvious reasons.
    I need some help from step 3 onwards please! Some code snippets will do as well!
    If you think this approach is not a good practice, please let me know and advise on better practices!
    Thanks a lot!

    Alright, here is an example for you.
    Assume a case where you don't want to give access to any JSP View/HTML Page/Servlet/Backing Bean unless the user logs in to the system, and let's assume you are creating a View Object with the name.
    Check out an example (assuming the filter is applied to the pattern *, which means the filter is called whenever a resource is accessed by the web application using APP_URL):
    // needs java.io.IOException, javax.servlet.* and javax.servlet.http.*
    public void doFilter(ServletRequest req, ServletResponse res, FilterChain chain)
            throws IOException, ServletException {
        if (req instanceof HttpServletRequest) {
            HttpServletRequest request = (HttpServletRequest) req;
            HttpSession session = request.getSession();
            String username = request.getParameter("username");
            String password = request.getParameter("password");
            String method = request.getMethod();
            // getAuthType() returns null when the request is not authenticated
            String auth_type = request.getAuthType();
            if (session.getAttribute("useInfoBean") != null)
                // a user bean in the session means the user is already logged in
                request.getRequestDispatcher("/dashBoard").forward(req, res);
            else {
                // constant-first comparison avoids a NullPointerException on a null auth type;
                // FORM_AUTH and CLIENT_CERT_AUTH are the values getAuthType() reports
                if (username != null && password != null && method.equalsIgnoreCase("POST")
                        && (HttpServletRequest.FORM_AUTH.equalsIgnoreCase(auth_type)
                            || HttpServletRequest.CLIENT_CERT_AUTH.equalsIgnoreCase(auth_type)))
                    chain.doFilter(req, res);
                else
                    request.getRequestDispatcher("/Login.jsp").forward(req, res);
            }
        }
    }
    If you look carefully at the code, the authorization is given only if either the user is already logged in or is making an attempt to log in in a secured way.
    To learn more about where and how these can be used, the links below might help you.
    http://javaboutique.internet.com/tutorials/Servlet_Filters/
    http://e-docs.bea.com/wls/docs92/dvspisec/servlet.html
    http://livedocs.adobe.com/jrun/4/Programmers_Guide/filters3.htm
    http://www.javaworld.com/javaworld/jw-06-2001/jw-0622-filters.html
    http://www.servlets.com/soapbox/filters.html
    http://www.onjava.com/pub/a/onjava/2001/05/10/servlet_filters.html
    and coming back to DAO Pattern hope the below link might help you.
    http://java.sun.com/blueprints/corej2eepatterns/Patterns/DataAccessObject.html
    http://java.sun.com/blueprints/patterns/DAO.html
    http://www.javapractices.com/Topic66.cjp
    http://www.ibm.com/developerworks/java/library/j-dao/
    http://www.javaworld.com/javaworld/jw-03-2002/jw-0301-dao.html
    On the whole (:D) it is always a good practice to get back to Core Java/J2EE Patterns and know the answers to the questions: Why are they used, how do I implement them, and where do I use them?
    http://www.fluffycat.com/java-design-patterns/
    http://java.sun.com/blueprints/corej2eepatterns/Patterns/index.html
    http://www.cmcrossroads.com/bradapp/javapats.html
    Hope that might help :)
    REGARDS,
    RaHuL

  • J_security_check & login form

    I have a problem that just started. When I go to a page (/faces/home.jspx) it brings up the login form as usual. I login and it sends me to a 404 page not found error. I click back, and then it'll bring me to the home page. Not sure why this is bringing up the 404 page.
    If i change from form based to http basic, then it prompts me for my password and brings up the home page. Any ideas why the 404 is coming up?

    For the benefit of others here is the JSP/JSTL & javascript solution.
    This allowed me to create an automated login and use declarative security ...
    The following code requires param.UserID and param.PassWord to be set before it is executed...
    <%@ taglib prefix="c" uri="http://java.sun.com/jsp/jstl/core" %>
    <%-- c:out HTML-escapes the request parameters before they are written into the attributes --%>
    <form name="AutoLogin" method="POST" action="j_security_check" >
    <input type="hidden" name="j_username" value="<c:out value="${param.UserID}" />" size="8" maxlength="8" />
    <input type="hidden" name="j_password" value="<c:out value="${param.PassWord}" />" size="8" maxlength="8" />
    </form>
    <script type="text/javascript">
    document.AutoLogin.submit();
    </script>

  • Bookmarking a login form in OAM

    In OAM, if a user attempts to access a secured resource, OAM redirects to an unsecured login page. Life is good.
    If a user directly navigates to the login form, however, OAM is unaware of the navigation (no obsso cookie) and the subsequent post to the Webgate fails to authenticate the user. It is exceedingly common for users to bookmark a login page. Is there any workaround for this problem?

    Regarding "the redirects could start to add up" - even OAM uses redirects to route users to the target URLs after form authentication, so how is this different.
    And from OAM's point of view, the form should not be protected or should be protected by anonymous authentication - so how is OAM supposed to know where to send the user if a user directly navigates to the form via a bookmark or typing out the URL.
    Generating the ObFormLoginCookie if one is not found or is found to have value "done" seems like the best option here. However, you will need to adjust the path such that the ObFormLoginCookie sent during normal authentication can be read by the form as well.
    On another note, I have heard that the 11g releases would allow you to bookmark the login page - I don't know the exact semantics of how this would work yet.
    -Vinod

  • Muse/BC Bug: Secure page web form in BC gets deleted everytime I publish

    I have a secure page signup form that I have placed using a content holder in BC and inserted in Muse. Every time I make correction in Muse and republish, the webform is deleted from the list webform at the BC side. This is the error I got when I tested the signup form:
    ERROR:  You have deleted your web form. Please login to the Admin panel of your website and remove the previously submitted form from the web page you last visited.  You will need to recreate this web form by going to Modules -> Webforms.  After recreating simply insert this new web form into the web page and your web form should work properly.

    I have followed these steps and still continue to get the following error message:
    ERROR: You have deleted your web form. Please login to the Admin panel of your website and remove the previously submitted form from the web page you last visited. You will need to recreate this web form by going to Modules -> Webforms. After recreating simply insert this new web form into the web page and your web form should work properly.
    When I published the BC form on a page and submitted it, I got the following message:
    Credit Card Payment Failed
    There was an error processing your credit card. Please correct this and try again.
    ERROR: An error occurred while processing credit card
    Non-seamless gateway with no shopping cart not supported. Error
    Please go back and correct this.
    Any suggestions?

  • OT: Login Form Advice

    I found a really cool registration form plugin @ http://jqueryvalidation.org/files/demo/milk/ and figured out how to connect it to a database. Then I started searching for a login form tutorial. It was kind of tricky because most tutorials are pre-PDO; in other words, they only work with MySQL queries that have been upgraded to PDO.
    But I finally found a good example at Basic Login Authentication with PHP and MySQL
    I got it up and running, but there's a catch - it won't work with my registration form. If I type in my_username, my_password in my registration form, those two values are published to the database. But the login form apparently works only with values that have been added via an attached add_user page. If you type in those same values, my_username is published to the database table, but my_password is replaced by some insanely long code, like this: 5c4ed510fef54a63a2211ca47d5c82736de69418
    You can then login by typing in my_username and my_password, even though my_password isn't stored in the database table. I think this code at the head of one of my files explains it all:
    session_start();
    /*** set a form token ***/
    $form_token = md5( uniqid('auth', true) );
    /*** set the session form token ***/
    $_SESSION['form_token'] = $form_token;
    So here's my question: Should I try to figure out how to delete all this $form_token/md5 stuff so it will work with my jQuery registration form, or should I try to modify my cool registration form so it replaces passwords with form_token's? To put it another way, is this a standard security feature I should hang on to?
    One problem is that, if a user loses their username, I won't be able to send them a reminder if no usernames are stored in the database table. All I do is send them some insanely long code and tell them to figure it out.
    Thanks.

    I haven't gone through the whole article, but enough to know that a human readable password gets coded using md5 coding as in
    $form_token = md5( uniqid('auth', true) );
    This provides extra security in case someone manages to get into the database to retrieve the usernames and related passwords.
    The idea is that a user enters his/her credentials and the coded version of the password is compared to the database entry. If they match, then bingo! There is no way of deciphering the code to extract the human version; if the coded version is entered, it will not match the database entry.
    It is up to you if you want to delete the md5 coding.

  • Trying to create a login form using j_security_check

    Ok, here's the deal.
    I have a login.jsp that uses the j_security_check. The page works great if I request a protected resource and the container forwards me to the login page.
    However, if I access the login page directly "http:/server/app/login.jsp" and submit the form I get a 404 "Page not found" error. This really stinks because I need to add the login fields to the index page of the site and allow people to login at their discretion (only pieces of the site are protected, but unprotected pieces have different functionality for logged in users). From personal experience Tomcat, JRun and WebSphere allow you to post to the j_security_check uri at anytime. What's the deal?

    Steve,
    Directly going to login page will not work because "j_security_check" cannot work independently and is supposed to work in conjunction with a protected URL.
    I looked at Servlet specification (Section 11.5.3 of Servlet 2.2) and this does not say anything about directly going to login page.
    You can create an index page and have that secured and whenever users can try to access that page they will be forwarded to the login page.
    You may use Programmatic Security if Declarative security is insufficient for you.
    regards
    Debu

  • I want to design a login form on my website, can I do it without coding in Muse?

    I want to design a login form on my website, can I do it without coding in Muse? And if I want to set an Email function within my website, can I still use Muse?
    Thanks

    Hi Wenshu... I am sure someone will be along here shortly with a "right" answer, but here is my 2 cents.  On part 2 of your question, I just say something like "Click HERE to e-mail me" and on the HERE part, I type the link mailto:[email protected] (filling in your actual e-mail address, of course AND no matter how many times I try to edit this, it still keeps putting the hyperlink in my response here!!!  That entire link has no spaces... that envelope icon is supposed to be helpful, but it's making me nuts) in the hyperlink box at the top of the Muse design page so that the person's default e-mail client will pop up to send me an e-mail when they click on that link on my site.
    As far as part one goes, I don't do any login forms.... but I do create and use long forms for like applications and whatnot and I do have to code them outside of Muse because when I try to drop the code into the HTML box, it ends up not looking right.  I look forward to hearing the replies on the login box issue.
    Good night.

  • Require Login (Form based)

    Hi all,
    I want to control my website so that all pages require a logged in user, some pages are only visible for certain roles. In the web.xml description there is a remark for the <login-config> element:
    If this element is present, the user must be authenticated in order to access any resource that is constrained by a <security-constraint> defined in the Web application. Once authenticated, the user can be authorized to access other resources with access privileges.
    one for all pages:
    <security-constraint>
      <web-resource-collection>
        <web-resource-name>all pages</web-resource-name>
        <description>desc</description>
        <url-pattern>/*</url-pattern>
      </web-resource-collection>
    </security-constraint>
    one with restriction for roles:
    <security-constraint>
      <web-resource-collection>
        <web-resource-name>role rescricted</web-resource-name>
        <description>...</description>
        <url-pattern>/control/requirements/*</url-pattern>
      </web-resource-collection>
      <auth-constraint>
        <role-name>aRoleName</role-name>
      </auth-constraint>
    </security-constraint>
    my <login-config> element:
    <login-config>
      <auth-method>FORM</auth-method>
      <form-login-config>
        <form-login-page>/control/Login</form-login-page>
        <form-error-page>/control/Login</form-error-page>
      </form-login-config>
    </login-config>
    The role restriction works fine. But also a user who is not logged in, can access the other pages and is not redirected to the login page.
    Any ideas??

    The Security-constraint for "all pages" doesn't specify an auth-constraint, i.e. no role. I think that the default role is applied, i.e. "Anonymous", which is everyone in the special group called "everyone", which of course includes all not logged in users.
    Create a role in your weblogic.xml called Users and make it contain the principal "users", which is a default group of all authenticated users.
    Then add the role "Users" to the "all pages" constraint; it will force an authentication.
    For info on default groups see:
    http://e-docs.bea.com/wls/docs81/secwlres/usrs_grps.html#1179347
    Note that if you create your own Authentication Provider you should probably make it add the WLSGroup principal "everyone" and "users" as well as other groups when a user successfully logs in. NB the groupname "everyone" is not guaranteed and you should get the principal name of the everyone group from API:
    weblogic.security.WLSPrincipals.getEveryoneGroupname() or
    weblogic.security.WLSPrincipals.getUsersGroupname()
    cheers
    Karl
