Security - Password Expiration with Form Base Authentication

Hi everbody,
I have configured the security of my application and this works
fine.
I configured the roles and match roles with groups defined in my
LDAP
I used the form base authentication. Perfect, but now I configure in
LDAP
that the user password can be expired, and the user can change password.
My problem is when the user try to log at my application and the
password was expired, I need to allow that user change the password
( showing another pag, and ask about the new password).
Nowadays when the user try to log and the password was expired the
page that I have set for my login error page (form base authentication)
is call, this page is call if the user is invalid or the password is
invalid too.
I have try to get the exception at this page using :
String codeObj =
req.getAttribute("javax.servlet.error.status_code");
String messageObj =
req.getAttribute("javax.servlet.error.message");
String typeObj =
req.getAttribute("javax.servlet.error.exception_type");
But all of this String are null. It's independent if the user is
invalid or the password or either if the password was expired.
I always get this null Strings. But if the person isn't authorized I
call another pag and at this time I can get the code, message
and the exception type
So my question is how can I treat this ? how can I get this kind of
exception ?
I also make a java application that only try to connect with Ldap,
and if the password is expired
I can get the com.netscape.LDAPExpection with code 45 and message
Invalid Credential.
Is it impossible to get this exception in my actual solution ? I
need to make one component for that ?
Someone can help me ?
Any tip will be good !!
Thanks
Daniela Pistelli Gomes
Technical Consultant
Summa Technologies
http://www.summa-tech.com

Hi Robert,
thanks very much for ur pointers on the AuthFilter class.. will try that out.
Robert Greig <[email protected]> wrote:
Stephen wrote:
I am using WLS 6.1 and tried using a custom filter to intercept theauthentication
request submitted from a FORM BASE jsp (using the j_security_checkform).
However, no matter what i've tried, it is always the authenticationpart that
gets executed before the filter.
Any idea how could I intercept the request before the j_security_checkservlet
calls the security provider for authentication?There is a (now deprecated) class weblogic.servlet.security.AuthFilter.
I haven't used it because it is deprecated but I think it does what
you're after.
In my apps, I make the FORM auth submit to my own servlet which can then
do what j_security_check does (most although not all is accessible
through public APIs).
Robert

Similar Messages

How To Use HttpUnit With FORM-based Authentication?

I'm just getting started with HttpUnit, and I'm having a problem:
How does one use HttpUnit with FORM-based authentication?
I have a Web app where I specify a number of protected URLs. When a user tries to invoke one of them in a browser, Tomcat 4.1.30 brings up a login page that I specified and asks for a username and password. The values given by the user is checked against the tomcat-users.xml file. If the user is valid, Tomcat
forwards the response from the original request. If invalid, an error page is displayed. The user is considered valid until either the session times out or the browser is closed.
Does HttpUnit have to log into the app every time I run a test? How does it manage subsequent pages after login?

I don't think that's true. HttpUnit is 100% Java and based on JUnit. HttpUnit has nothing to do with Apache, AFAIK. HttpUnit is for unit testing servlets and JSPs. Apache is a Web server. It doesn't have a servlet/JSP engine, unless you bolt Tomcat on top of it.
Perhaps we're talking about two different packages. - %

Issue with form based Authentication in three tier sharepoint 2013 environment.

Hi,
We are facing issue with form based Authentication in three tier environment.
We are able to add users to the database and in SharePoint.
But we are not able to login with created users.
In single tier everything working fine
Please help , Its urgent ... Thanks in advance.
Regards,
Hari
Regards, Hari

if the environments match, then it sounds like a kerberos double-hop issue
Scott Brickey
MCTS, MCPD, MCITP
www.sbrickey.com
Strategic Data Systems - for all your SharePoint needs

Ask for help with form based authentication & authorization

Hi:
I encountered the following problem when I tried the form based authentication & authorization (see the attached part of the config files, web.xml, weblogic.xml & weblogic.properties)
1. authorization seems not invoked against the rules specfied, it doesn't go the login error page as long as the user/pwd match, even though the user does not have the necessary role
in the example below, user3 should be denied to access the signin page, but seems no login error page returned, actually I never see any page / error message which complain about the authorization / access control error
2. after authenticate correctly, always get redirected to the / (context root) url, instead of the url prior the login page, for e.g., signin page
Any idea ?
Thanks in advance.
HaiMing
attach config files
web.xml
<security-constraint>
<web-resource-collection>
<web-resource-name>MySecureBit1</web-resource-name>
<description>no description</description>
<url-pattern>/control/signin</url-pattern>
<http-method>POST</http-method>
<http-method>GET</http-method>
</web-resource-collection>
</security-constraint>
<login-config>
<auth-method>FORM</auth-method>
<realm-name>default</realm-name>
<form-login-config>
<form-login-page>/control/formbasedlogin</form-login-page>
<form-error-page>/control/formbasedloginerror</form-error-page>
</form-login-config>
</login-config>
<security-role>
<description>the customer role</description>
<role-name>customer</role-name>
</security-role>
weblogic.xml
<security-role-assignment>
<role-name>
customer
</role-name>
<principal-name>
customer_group
</security-role-assignment>
weblogic.properties
weblogic.password.user1=user1pass
weblogic.password.user2=user2pass
weblogic.password.user3=user3pass
weblogic.security.group.customer_group=user1,user2

Hi, Paul:
Thanks a lot for your reply.
Firstly let me just correct a little in the attachment I put previously, I think I missed following lines :
<auth-constraint>
<description>no description</description>
<role-name>customer</role-name>
</auth-constraint>
So, user1 & user2 are in the customer group, but user3 not, and /control/singin is protected by this security constraint, as a result, when anyone click the link to /control/singin, he was led to the login page, if he tries to login as user1 & user2, he should pass & led to original page (in this case /control/singin, and my code's logic, once /control/signin is used, means that he already login successfully & redirected to the login success page), but if he tries to login as user3, he should only pass the authentication check, but fail the authorization check, and led to login error page.
What not happen are :
1. user1 & user2 pass, but redirect to /
2. user3 also pass, because I see that debug message shows also get redirected to /, instead of login error page
(login error page will be displayed, only if I try to login as a user with either wrong userid, or wrong password)
3. one more thing I notice after I first time post the message, the container does not remember the principal, after 1. is done, not even for a while
And the similar configuration works under Tomcat 3.2.1, for all 3. mentioned above.
Any idea ?
HaiMing
"Paul Patrick" <[email protected]> wrote:
If I understand what your trying to do, everyone should get access to the
login page since roles are not
associated with principals until after they authenticate. If I follow what
you specified in the XML files,
authenticated users user1 and user2 are members of a group called
customer_group.
The principal customer_group (and therefore its members) is mapped in the
weblogic.xml file to the role
customer.
I can't speak to the reason your being redirected to the document root.
Paul Patrick
"HaiMing" <[email protected]> wrote in message
news:[email protected]...
Hi:
I encountered the following problem when I tried the form basedauthentication & authorization (see the attached part of the config files,
web.xml, weblogic.xml & weblogic.properties)
1. authorization seems not invoked against the rules specfied, itdoesn't go the login error page as long as the user/pwd match, even though
the user does not have the necessary role
in the example below, user3 should be denied to access the signinpage, but seems no login error page returned, actually I never see any page
/ error message which complain about the authorization / access control
error
2. after authenticate correctly, always get redirected to the / (contextroot) url, instead of the url prior the login page, for e.g., signin page
Any idea ?
Thanks in advance.
HaiMing
attach config files
web.xml
<security-constraint>
<web-resource-collection>
<web-resource-name>MySecureBit1</web-resource-name>
<description>no description</description>
<url-pattern>/control/signin</url-pattern>
<http-method>POST</http-method>
<http-method>GET</http-method>
</web-resource-collection>
</security-constraint>
<login-config>
<auth-method>FORM</auth-method>
<realm-name>default</realm-name>
<form-login-config>
<form-login-page>/control/formbasedlogin</form-login-page>
<form-error-page>/control/formbasedloginerror</form-error-page>
</form-login-config>
</login-config>
<security-role>
<description>the customer role</description>
<role-name>customer</role-name>
</security-role>
weblogic.xml
<security-role-assignment>
<role-name>
customer
</role-name>
<principal-name>
customer_group
</security-role-assignment>
weblogic.properties
weblogic.password.user1=user1pass
weblogic.password.user2=user2pass
weblogic.password.user3=user3pass
weblogic.security.group.customer_group=user1,user2

Tomact examples and form base authentication

I am looking at the tomcat examples web.xml security constrains and login info settings:
<security-constraint>
<display-name>Example Security Constraint</display-name>
<web-resource-collection>
<web-resource-name>Protected Area</web-resource-name>
     
<url-pattern>/jsp/security/protected/*</url-pattern>
     
     <http-method>DELETE</http-method>
<http-method>GET</http-method>
<http-method>POST</http-method>
     <http-method>PUT</http-method>
</web-resource-collection>
<auth-constraint>

<role-name>tomcat</role-name>
     <role-name>role1</role-name>
</auth-constraint>
</security-constraint>

<login-config>
<auth-method>FORM</auth-method>
<realm-name>Example Form-Based Authentication Area</realm-name>
<form-login-config>
<form-login-page>/jsp/security/protected/login.jsp</form-login-page>
<form-error-page>/jsp/security/protected/error.jsp</form-error-page>
</form-login-config>
</login-config>
As we can see form-login page and form-error page uri match url-pattern settings.
url-pattern: /jsp/security/protected/*
form-login page: /jsp/security/protected/login.jsp
form-error page: /jsp/security/protected/error.jsp
There is no binding of unauthenticated user to ether one of specified roles
Question: What place in the servlet spec allows serving secured resource for a user without appropriate role association?

Kinda then beat the the whole idea of authentication then, if you allow a user in that is not assigned to a security role? Anyway, I think you are looking to send the user to another page if they are not in a role but have an id, correct? Well, first it has to be a page outside the secure directory/ies. The error it generates is a 403. So add to your web.xml:
    <error-page>
       <error-code>403</error-code>
       <location>/403.jsp</location>
    </error-page>Anytime a user who is not a member of the allowed roles attempts a login, they will be redirected to this page.
Ross

Question about bulk entering security password to 600 forms, then exporting datato spreadsheet

How do I extract data from password secured Fillable-Forms when all the forms (600+) have the same password?
- single file at a time, I am able to enter password and extract data (but I have over 600 forms)
- I have already compiled all files into a response-file, but was unable to exctract data from Portfoio (only "File_Name" is transfered to spreadsheet)
Questions:
1) is there a location in the Portfolio to enter the password (that I am not seeing) that will allow data to be extracted?
2) is there a method to 'bulk' enter the password to individual forms that will allow data to be compiled directly into a spreasheet?

Thanks, now I understand why the wifi keeps dropping. On my personal wireless network, it also seems the distance from the access point is not good compared to my laptop. At work our network & exchange teams don't seem to have the desire to struggle with this "toy" until customers start forcing its adoption. I am using OWA and it works fine over EDGE. I will share your posting with them.
Thank you again.
Dell Windows XP Pro

Create a Web Service for Exchange with form based authentication ?

I want to create a Web Service in Apex that can create appointments in my exchange calendar. Exchange is offering web services for that.
When i try to create the web service reference in Apex i provide the URL and my Exchange login, but it is failing.
The exchange guys told me, that there is a ISA Server running where i need to authenticate through a form.
Does anyone know, how i can implement a webservice in Apex, when the access to the wsdl url needs login through a form ?
Or : what other types of authentication does Apex know ? What possibilities do i have ?
Thanks for answers.
Bernd

Hi
Presume you've already found this information, but in case not ....
Exchange 2007 provides out of the box web services, see
http://msdn.microsoft.com/en-us/library/bb408417.aspx
As a disclaimer - neither myself of the team I work with have tried to use these web services within APEX.
Regards
Chris

Security Access Issue with Forms

Hi All,
I had created few forms and finding some difficulty in provisioning them with access. The Scenario is - I have 2 Forms, The Accounts and other dimension members are simliar in both the forms.Only entites differ.The issue is, Now, an user who has write access to one particular account in form1 should have only read access to that particular account in Form 2.
I Tried creating one group for each form and gave write to form 1and read to form 2 but this didnt help.[ I mean to say,I gave "Write" access to that particular account for group A which i assigned to Form 1, then gave read access to that account for group B which i assigned to Form 2, but eventually that account is overwritten by "Write" access- the reason is well known ]
Kindly share if anyone has any nice approach to solve this.Please let me know for more information.
Thanks,
Le Jo.
Edited by: Le Jo on Oct 18, 2010 6:10 AM

Ok this seems to be a little complicated.
suppose we have E1,E2,E3 entities in form1 and E4,E5,E6 entities in form2. The account which is in discussion lets say it as A1.
so we can have following groups
Group1
Write access on A1 & other accounts & E1,E2,E3 entities.
assign form1 to this group
Group2
Read access on A1 & E4,E5,E6 entities.
assign form2 to this group
Group3
Write access on rest of accounts & E4,E5,E6 entities.
assign form2 to this group
Assign that user to all these 3 groups and the user will be having write access on form1 and read access for account A1 in form2 and write access to rest of all accounts in form2.
Hope this is your requirement. I havent tried/tested this one, but hopeful tht it should work fine.
let us know the outcome.
- Krish

Email event generator support secure password exchange with Exchange? [repost w/ corrected subject]

[repost with corrected subject - not an Email adapter with events, but the
Email event generator]
IHAC who's trying to use the Email event generator against an Exchange server
(as POP3). However, he can't get get the EG to connect successfully, as the
Exchange server is configured to refuse cleartext passwords.
Has anyone run into this, and how did they solve it? Or, is this not
supported with the 8.1sp3 email EG?
TIA for any help.
Regards,
Steve Elkind
BEA PS

In this case, the SMTP domain is the same as the AD domain. If the wrong domain were configured then the connection would never work, as opposed to sometimes work.
RunspaceId            : abb30c12-c578-4770-987f-41fe6206a463
ForestName            : adatum.local
UserName              : adatum\availtest
UseServiceAccount     : False
AccessMethod          : OrgWideFB
ProxyUrl              :
TargetAutodiscoverEpr :
ParentPathId          : CN=Availability Configuration
AdminDisplayName      :
ExchangeVersion       : 0.1 (8.0.535.0)
Name                  : adatum.local
DistinguishedName     : CN=adatum.local,CN=Availability Configuration,CN=Wayport,CN=Microsoft
                        Exchange,CN=Services,CN=Configuration,DC=contoso,DC=local
Identity              : adatum.local
Guid                  : 3e0ebc2c-0ebc-4be8-83d2-077746180d66
ObjectCategory        : contoso.local/Configuration/Schema/ms-Exch-Availability-Address-Space
ObjectClass           : {top, msExchAvailabilityAddressSpace}
WhenChanged           : 4/15/2014 12:33:53 PM
WhenCreated           : 4/15/2014 12:33:35 PM
WhenChangedUTC        : 4/15/2014 5:33:53 PM
WhenCreatedUTC        : 4/15/2014 5:33:35 PM
OrganizationId        :
OriginatingServer     : dc01.contoso.local
IsValid               : True
ObjectState           : Unchanged

Webservice call with certificate base authentication

Hi ,
Usually while sharing the WSDL with any third party we share the credentials of the system which is used to make the connection to SAP PI system.
I current scenario the tool which is consuming the WSDL cannot store the username password and can only store certificates .
Can you please guide what all steps we need to do to share the certificates , also what certificate we have to share .

HI Hareesh ,
Thanks for the pointer , I have done all the settings as mentioned in the blog . Just curious it says one place "Click on certificate tab, Click on modify and then upload the certificate you have with your partnerClick on certificate tab, Click on modify and then upload the certificate you have with your partner"
Do we need to import the PI server certificate or we have to install the certificate of 3rd party who is calling the webservice ?
I am doing the connection test from SOAP UI but it is still giving me 401 – Unauthorized error

Form-based authentication problem with weblogic

Hi Everyone,
The following problem related to form-based authentication
was posted one week ago and no reponse. Can someone give it
a shot? One more thing is added here. When I try it on J2EE
server and do the same thing, I didn't encounter this error
message, and I am redirected to the homeage.
Thanks.
-John
I am using weblogic5.1 and RDBMSRealm as the security realm. I am having the following problem with the form-based authentication login mechanism. Does anyone have an idea what the problem is and how to solve it?
When I login my application and logout as normal procedure, it is OK. But if I login and use the browser's BACK button to back the login page and try to login as a new user, I got the following error message,
"Form based authentication failed. Could not find session."
When I check the LOG file, it gives me the following message,
"Form based authentication failed. One of the following reasons could cause it: HTTP sessions are disabled. An old session ID was stored in the browser."
Normally, if you login and want to relogin without logout first, it supposes to direct you to the existing user session. But I don't understand why it gave me this error. I also checked my property file, it appears that the HTTP sessions are enabled as follows,
weblogic.httpd.session.enable=true

Hi...
Hehe... I actually did implement the way you implement it. My login.jsp actually checks if the user is authenticated. If yes, then it will forward it to the home page. On the other hand, I used ServletAuthentication to solve the problem mentioned by Cameron where Form Authentication Failed usually occurs for the first login attempt. I'm also getting this error occasionally. Using ServletAuthentication totally eliminates the occurence of this problem.
I'm not using j_security_check anymore. ServletAuthentication does all the works. It also uses RDBMSRealm to authenticate the user. I think the biggest disadvantage I can see when using ServletAuthentication is that the requested resource will not be returned after authentication cause the page returned after authenticating the user is actually hard coded (for my case, it's the home.jsp)
cheers...
Jerson
"John Wang" <[email protected]> wrote:
>
Hi Jerson,
I tried your code this weekend, it didn't work in my case. But
I solved my specific problem other way. The idea behind my problem is that the user tries to relogin when he already logs in. Therefore, I just redirect the user into another page when he is getting the login page by htting the BACK button, rather than reauthenticate the user as the way you did.
But, I think your idea is very helpful if it could work. Problems such multiple concurrence logins can be solved by pre-processing.
In your new code, you solved the problem with a new approach. I am just wondering, do you still implement it with your login.jsp file? In other word, your action in login.jsp is still "Authenticate"? Where do you put the URL "j_security_check"?
Thanks.
-John
"Jerson Chua" <[email protected]> wrote:
I've solved the problem by using ServletAuthentication. So far I'm not getting the error message. One of the side effects is that it doesn't return the requested URI after authentication, it will always return the home page.
Jerson
package com.cyberj.catalyst.web;
import weblogic.servlet.security.*;
import javax.servlet.*;
import javax.servlet.http.*;
import java.io.*;
public class Authenticate extends HttpServlet {
private ServletAuthentication sa = new ServletAuthentication("j_username", "j_password");
public void doPost(HttpServletRequest request, HttpServletResponse response)
throws ServletException, java.io.IOException {
int authenticated = sa.weak(request, response);
if (authenticated == ServletAuthentication.NEEDS_CREDENTIALS ||
authenticated == ServletAuthentication.FAILED_AUTHENTICATION) {
response.sendRedirect("fail_login.jsp");
} else {
response.sendRedirect("Home.jsp");
public void doGet(HttpServletRequest request, HttpServletResponse response)
throws ServletException, java.io.IOException {
doPost(request, response);
"Jerson Chua" <[email protected]> wrote:
The problem is still there even if I use page redirection. Grrr... My boss wants me to solve this problem so what are the alternatives I can do? Are there any other ways of authenticating the user? In my web tier... I'm using isUserInRole, getRemoteUser and the web tier actually connects to EJBs. If I implement my custom authentication, I wouldn't be able to use this functionalities.
Has anyone solved this problem? I've tried the example itself and the same problem occurs.
Jerson
"Cameron Purdy" <[email protected]> wrote:
Jerson,
First try it redirected (raw) to see if that indeed is the problem ... then
if it works you can "fix" it the way you want.
Peace,
Cameron Purdy
Tangosol, Inc.
http://www.tangosol.com
+1.617.623.5782
WebLogic Consulting Available
"Jerson Chua" <[email protected]> wrote in message
news:[email protected]...
Hi...
Thanks for your suggestion... I've actually thought of that solution. Butusing page redirection will expose the user's password. I'm thinking of
another indirection where I will redirect it to another servlet but the
password is encrypted.
What do you think?
thanks....
Jerson
"Cameron Purdy" <[email protected]> wrote:
Maybe redirect to the current URL after killing the session to let the
request clean itself up. I don't think that a lot of the request (such
as
remote user) will be affected by killing the session until the nextrequest
comes in.
Peace,
Cameron Purdy
Tangosol, Inc.
http://www.tangosol.com
+1.617.623.5782
WebLogic Consulting Available
"Jerson Chua" <[email protected]> wrote in message
news:[email protected]...
Hello guys...
I've a solution but it doesn't work yet so I need your help. Because
one
of the reason for getting form base authentication failed is if an
authenticated user tries to login again. For example, the one mentionedby
John using the back button to go to the login page and when the user logsin
again, this error occurs.
So here's my solution
Instead of submitting the page to j_security_check, submit it to a
servlet
which will check if the user is logged in or not. If yes, invalidates its
session and forward it to j_security_check. But there's a problem in this
solution, eventhough the session.invalidate() (which actually logs theuser
out) is executed before forwarded to j_security_check, the user doesn't
immediately logged out. How did I know this, because after calling
session.invalidate, i tried calling request.RemoteUser() and it doesn't
return null. So I'm still getting the error. What I want to ask you guyis
how do I force logout before the j_security_check is called.
here's the code I did which the login.jsp actually submits to
import javax.servlet.*;
import javax.servlet.http.*;
import java.io.*;
public class Authenticate extends HttpServlet {
public void doPost(HttpServletRequest request, HttpServletResponseresponse)
throws ServletException, java.io.IOException {
if (request.getRemoteUser() != null) {
HttpSession session = request.getSession(false);
System.out.println(session.isNew());
session.invalidate();
Cookie[] cookies = request.getCookies();
for (int i = 0; i < cookies.length; i++) {
cookies.setMaxAge(0);
getServletContext().getRequestDispatcher("/j_security_check").forward(reques
t, response);
public void doGet(HttpServletRequest request, HttpServletResponseresponse)
throws ServletException, java.io.IOException {
doPost(request, response);
let's help each other to solve this problem. thanks.
Jerson
"Jerson Chua" <[email protected]> wrote:
I thought that this problem will be solved on sp6 but to my
disappointment, the problem is still there. I'm also using RDBMSRealm,same
as John.
Jerson
"Cameron Purdy" <[email protected]> wrote:
John,
1. You are using a single WL instance (i.e. not clustered) on that
NT
box
and doing so without a proxy (e.g. specifying http://localhost:7001),
correct?
2. BEA will pay more attention to the problem if you upgrade to SP6.If
you don't have a reason NOT to (e.g. a particular regression), then
you
should upgrade. That will save you one go-around with support: "Hi,I
am
on SP5 and I have a problem.", "Upgrade to SP6 to see if that fixes
it.
Call back if that doesn't work."
3. Make sure that you are not doing anything special before or after
J_SECURITY_CHECK ... make sure that you have everything configuredand
done
by the book.
4. Email BEA a bug report at [email protected] ... see what they say.
Peace,
Cameron Purdy
Tangosol, Inc.
http://www.tangosol.com
+1.617.623.5782
WebLogic Consulting Available
"John Wang" <[email protected]> wrote in message
news:[email protected]...
Cameron,
It seems to me that the problem I encountered is different a little
from
what you have, evrn though the error message is the same eventually.
Everytime I go through, I always get that error.
I am using weblogic5.1 and sp5 on NT4.0. Do you have any solutions
to
work
around this problem? If it was a BUG as you
pointed out, is there a way we can report it to the Weblogic
technical support and let them take a look?
Thnaks.
-John
"Cameron Purdy" <[email protected]> wrote:
John,
I will verify that I have seen this error now (after having read
about it
here for a few months) and it had the following characteristics:
1) It was intermittent, and appeared to be self-curing
2) It was not predictable, only seemed to occur at the first
login
attempt,
and may have been timing related
3) This was on Sun Solaris on a cluster of 2 Sparc 2xx's; the
proxy
was
Apache (Stronghold)
4) After researching the newsgroups, it appears that this "bug"
may
have gone away temporarily (?) in SP5 (although Jerson Chua
<[email protected]> mentioned that he still got it in SP5)
I was able to reproduce it most often by deleting the tmpwar and
tmp_deployments directories while the cluster was not running,
then
restarting the cluster. The first login attempt would fail(roughly
90%
of
the time?) and that server instance would then be ignored by the
proxy
for a
while (60 seconds?) -- meaning that the proxy would send all
traffic,
regardless of the number of "clients", to the other server in thecluster.
As far as I can tell, it is a bug in WebLogic, and probably has
been
there
for quite a while.
Peace,
Cameron Purdy
Tangosol, Inc.
http://www.tangosol.com
+1.617.623.5782
WebLogic Consulting Available
"John Wang" <[email protected]> wrote in message
news:[email protected]...
Hi Everyone,
The following problem related to form-based authentication
was posted one week ago and no reponse. Can someone give it
a shot? One more thing is added here. When I try it on J2EE
server and do the same thing, I didn't encounter this error
message, and I am redirected to the homeage.
Thanks.
-John
I am using weblogic5.1 and RDBMSRealm as the security realm. I
am
having
the following problem with the form-based authentication login
mechanism.
Does anyone have an idea what the problem is and how to solve it?
When I login my application and logout as normal procedure, it
is
OK.
But
if I login and use the browser's BACK button to back the login
page
and
try
to login as a new user, I got the following error message,
"Form based authentication failed. Could not find session."
When I check the LOG file, it gives me the following message,
"Form based authentication failed. One of the following reasons
could
cause it: HTTP sessions are disabled. An old session ID was stored
in
the
browser."
Normally, if you login and want to relogin without logout first,
it
supposes to direct you to the existing user session. But I don'tunderstand
why it gave me this error. I also checked my property file, it
appears
that
the HTTP sessions are enabled as follows,
weblogic.httpd.session.enable=true

Exchange 2010 SP3 OWA with certificate based authentication

Hi,
I have a bizarre problem in my customer’s environment. Maybe someone has an idea.
Exchange 2010 with SP3, latest cumulative Update installed.
The problem I’m having is that when I enable Certificate based authentication (require client certificate option in IIS) on OWA and ECP virtual directories in conjunction with forms based authentication (this is the requirement – the user
must have a client certificate and type in username and password to log in to OWA), the result is that after the user selects the certificate he wants to use, he is logged into OWA automatically, but cannot use the website, because it’s being constantly automatically
refreshed (or redirected to itself or something like that). The behavior occurs with all users, with any browser. If client certificate is on required, forms based authentication works just fine. If I switch to “Basic Authentication” and enable client certificate
requirement, then OWA act’s as it should be – so no problems. The problem only occurs when authentication type is forms based and client certificates are required.
I have tried the exact same settings (as far as I can tell) on one other production server and one test server, and encountered no such problems.
Anyone – any ideas?

Hi McWax,
According to your description and test, I understand that all accounts cannot login OWA when select require client certificate.
Is there any error message when open OWA or login? For example, return error ”HTTP error: 403 - Forbidden”. Please post relative error for further troubleshooting.
I want to confirm which authentication methods are used for OWA, Integrated Windows authentication or Digest authentication? More details about it, for your reference:
http://technet.microsoft.com/en-us/library/bb430796(v=exchg.141).aspx
If you select another authentication method, please check whether Client Certificate Mapping Authentication services is installed, and also enabled in IIS, please refer to:
http://www.iis.net/configreference/system.webserver/security/authentication/clientcertificatemappingauthentication
To prevent firewall factor, please try to sign in OWA at CAS server. Besides, I find a FAQ about certificate:
http://technet.microsoft.com/en-us/library/aa998424(v=exchg.80).aspx
Best Regards,
Allen Wang

Form based authentication problem

Hi people, im new here. Im working on a small application and i have decided to work with Form Based authentication. Theres a index page in the root that redirect to welcome page but when i try to Run the first page im getting this exception.
javax.servlet.jsp.JspException: Cannot find FacesContext at javax.faces.webapp.UIComponentTag.doStartTag(UIComponentTag.java:427) at com.sun.faces.taglib.jsf_core.ViewTag.doStartTag(ViewTag.java:125) at infrastructure.login._jspService(_login.java:53)
I have been searching for a while in the web but i couldnt find anything that fix the problem. Can anybody give me a hand with this? The version of Jdeveloper is 10.1.3.2. Here are the web.xml file and index.jsp
<?xml version = '1.0' encoding = 'windows-1252'?>
<web-app xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xsi:schemaLocation="http://java.sun.com/xml/ns/j2ee http://java.sun.com/xml/ns/j2ee/web-app_2_4.xsd" version="2.4" xmlns="http://java.sun.com/xml/ns/j2ee">
<description>Empty web.xml file for Web Application</description>
<context-param>
<param-name>javax.faces.STATE_SAVING_METHOD</param-name>
<param-value>client</param-value>
</context-param>
<context-param>
<param-name>CpxFileName</param-name>
<param-value>userinterface.DataBindings</param-value>
</context-param>
<filter>
<filter-name>adfFaces</filter-name>
<filter-class>oracle.adf.view.faces.webapp.AdfFacesFilter</filter-class>
</filter>
<filter>
<filter-name>adfBindings</filter-name>
<filter-class>oracle.adf.model.servlet.ADFBindingFilter</filter-class>
</filter>
<filter-mapping>
<filter-name>adfFaces</filter-name>
<servlet-name>Faces Servlet</servlet-name>
<dispatcher>FORWARD</dispatcher>
<dispatcher>REQUEST</dispatcher>
</filter-mapping>
<filter-mapping>
<filter-name>adfBindings</filter-name>
<url-pattern>*.jsp</url-pattern>
</filter-mapping>
<servlet>
<servlet-name>Faces Servlet</servlet-name>
<servlet-class>javax.faces.webapp.FacesServlet</servlet-class>
<load-on-startup>1</load-on-startup>
</servlet>
<servlet>
<servlet-name>resources</servlet-name>
<servlet-class>oracle.adf.view.faces.webapp.ResourceServlet</servlet-class>
</servlet>
<servlet-mapping>
<servlet-name>Faces Servlet</servlet-name>
<url-pattern>/faces/*</url-pattern>
</servlet-mapping>
<servlet-mapping>
<servlet-name>resources</servlet-name>
<url-pattern>/adf/*</url-pattern>
</servlet-mapping>
<session-config>
<session-timeout>35</session-timeout>
</session-config>
<mime-mapping>
<extension>html</extension>
<mime-type>text/html</mime-type>
</mime-mapping>
<mime-mapping>
<extension>txt</extension>
<mime-type>text/plain</mime-type>
</mime-mapping>
<welcome-file-list>
<welcome-file>index.jsp</welcome-file>
</welcome-file-list>
<jsp-config/>
<security-constraint>
<web-resource-collection>
<web-resource-name>todoLider</web-resource-name>
<url-pattern>/faces/app/*</url-pattern>
</web-resource-collection>
<auth-constraint>
<role-name>lider</role-name>
</auth-constraint>
</security-constraint>
<login-config>
<auth-method>FORM</auth-method>
<form-login-config>
<form-login-page>infrastructure/login.jsp</form-login-page>
<form-error-page>infrastructure/error.jsp</form-error-page>
</form-login-config>
</login-config>
<security-role>
<role-name>lider</role-name>
</security-role>
<security-role>
<role-name>auxiliar</role-name>
</security-role>
<security-role>
<role-name>docente</role-name>
</security-role>
<security-role>
<role-name>veedor</role-name>
</security-role>
<security-role>
<role-name>estudiante</role-name>
</security-role>
<ejb-local-ref>
<ejb-ref-name>ejb/local/AsigFacade</ejb-ref-name>
<ejb-ref-type>Session</ejb-ref-type>
<local>datamodel.model.AsigFacadeLocal</local>
<ejb-link>AsigFacade</ejb-link>
</ejb-local-ref>
</web-app>
index.jsp
<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN"
"http://www.w3.org/TR/html4/loose.dtd">
<%@ page contentType="text/html;charset=windows-1252"%>
<html>
<head>
<meta http-equiv="Content-Type" content="text/html; charset=windows-1252"/>
<title>index</title>
</head>
<body><%response.sendRedirect("faces/app/welcome.jsp");%></body>
</html>

Servlet mapping for the Faces Servlet is
<servlet-mapping>
<servlet-name>Faces Servlet</servlet-name>
<url-pattern>/faces/*</url-pattern>
</servlet-mapping>
Is the input.jsp run by specifying the url in the browser?
Run input.jsp with right-click>Run
The url should include /faces/

Form-based authentication and JSF

I am trying to use a form-based authentication in Tomcat 6, and from what I understand the page that contains the login form can not be a JSF page.
The problem I'm having with this is that I need the client's username and password accessible from my backing bean, but I don't know how to put them there from a standard JSP.
Before all this, I had a simple login form with username/password fields that were bound to a bean, and a button that executed a bean method that would perform the login procedure, retrieve the client's data from the DB and create a Client object in the session to be accessible throughout the application. Now, I need to use container managed access control with form-based authentication, and I know how to set it up but don't know how to create the Client object if the container does all the authentication and I never even get a hold of a username/password combination let alone the rest of the client's data.
Any advice on this would be greatly appreciated.

alf.redo wrote:
...following article: [j2ee_security_a_jsf_based_login_form|http://groundside.com/blog/DuncanMills.php?title=j2ee_security_a_jsf_based_login_form]
This is exactly the solution I am planning to use. It is good to know there are others who have decided to go that way.
Thanks

DS 6.2 and password expiration

Hello,
I'm having problems enforcing password expiration with DSEE. We have two Solaris 10 DSEE 6.2 servers configured with multi-master replication. The clients are running Solaris 8 (117350-47 Jun 2007 kernel patch level), and are using pam_ldap authentication.
Using either telnet (just as a test) or ssh to login, I don't receive warnings of password expiration, nor is the account locked after passwordExpirationTime is exceeded.
As an example, I can still authenticate as a user with this passwordExpirationTime:
passwordExpirationTime=20071123163438Z
The following is our DSEE password policy:
pwd-accept-hashed-pwd-enabled : off
pwd-check-enabled : on
pwd-compat-mode : DS6-mode
pwd-expire-no-warning-enabled : on
pwd-expire-warning-delay : 4w
pwd-failure-count-interval : 10m
pwd-grace-login-limit : disabled
pwd-keep-last-auth-time-enabled : on
pwd-lockout-duration : disabled
pwd-lockout-enabled : on
pwd-lockout-repl-priority-enabled : on
pwd-max-age : 12w6d
pwd-max-failure-count : 4
pwd-max-history-count : 3
pwd-min-age : 1w
pwd-min-length : 6
pwd-mod-gen-length : 6
pwd-must-change-enabled : off
pwd-root-dn-bypass-enabled : off
pwd-safe-modify-enabled : off
pwd-storage-scheme : SSHA
pwd-strong-check-dictionary-path : /opt/SUNWdsee/ds6/plugins/words-english-big.txt
pwd-strong-check-enabled : on
pwd-strong-check-require-charset : any-three
pwd-supported-storage-scheme : CRYPT
pwd-supported-storage-scheme : SHA
pwd-supported-storage-scheme : SSHA
pwd-supported-storage-scheme : NS-MTA-MD5
pwd-supported-storage-scheme : CLEAR
pwd-user-change-enabled : on
Am I missing something obvious in the DSEE password policy? Would any other information be helpful in troubleshooting, such as /etc/pam.conf, patch levels of other packages, etc.?
Thanks!

If your DS6 instance is in DS5-compatible-mode (see above references), passwordExpirationTime is not ignored; however, please note that modifying server operational attributes via protocol has never been supported.
A supported way to force a user to change his or her password (without administratively resetting the password) would be to define a specialized password policy with a small max-age value (but maintaining the relationship pwdMinAge+pwdExpireWarning<pwdMaxAge), and use Roles/CoS to scope the policy to the user entry that requires a password change, but for which the password has not yet been changed. A value of pwdChangedTime in the past (or its absence from the entry) would indicate that the password had not yet been changed as requested. If the DS6 instance is in DS5-compatible-mode, you will need to enable grace logins via passwordWarning in the policy, while if the DS6 instance is in DS6-migration-mode or DS6-mode, you will also need to enable grace logins via pwdGraceAuthNLimit in the policy. Otherwise, the user cannot bind with an expired password.
OpenDS includes a "must-change-by" feature in the password policy that simplifies configuring the specialized password policy, but I'm not aware of any plans to add this feature to DS6.

Security - Password Expiration with Form Base Authentication

Similar Messages

Maybe you are looking for