ServletAuthentication

I'm using WLS 6.0 on a RHL7 system trying programmatic authentication within
a servlet by using the class weblogic.servlet.security.ServletAuthentication
calling the weak() method.
Does anybody know what to do to get this working? No matter what I was
trying so far, all I got was FAILED_AUTHENTICATION...
Thanks,
Matthias

Hi,
Go through the following link and find the API for the ServletAuthentication class in
package weblogic.servlet.security in WebLogic 8.1:
http://e-docs.bea.com/wls/docs81/javadocs/weblogic/servlet/security/package-summary.html
Regards,
Anilkumar kari

Similar Messages

  • [resolved] ServletAuthentication weak() method in WebLogic 9.2 returns false

    I am working on migrating a WebLogic custom Authentication provider from version 8.1.5 to 9.2.3.
    I recompiled the login modules implementation with the necessary changes and JDK 1.5.0_12. It's deployed fine.
    In the login servlet I have the following code:
        ServletAuthentication sa = new ServletAuthentication(LOGIN_USERNAME_LABEL, LOGIN_PASSWORD_LABEL);
        int authenticated = sa.weak(request, response);
    The problem is, this code always returns
        ServletAuthentication.FAILED_AUTHENTICATION
    instead of
        ServletAuthentication.AUTHENTICATED
    I debugged through the implementation modules; all values passed from the form and values returned from the database were correct, but the result of weak() is not correct.
    Has anyone resolved a similar issue before? Any help will be appreciated.
    Edited by: manetora on Jul 22, 2009 12:58 PM

    The problem was solved.
    When I deployed the Custom Authentication Provider, I set the Control Flag to "SUFFICIENT".
    The control flag for the Default WebLogic Authentication Provider was set to "REQUIRED" by default.
    This gives an error and returns a failed value when validating the user login.
    The Custom Authentication Provider passed, but the Default WebLogic Authentication Provider did not.
    Fixed it by setting the control flag for both to "SUFFICIENT"!
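
The control-flag behaviour described in the resolution above, reproduced with the JDK's own JAAS LoginContext as an added example (not code from the post or from WebLogic). RejectingModule and AcceptingModule are constructed stand-ins for the two providers, and the default provider is assumed to sit first in the stack.

```java
import java.util.Collections;
import java.util.Map;
import javax.security.auth.Subject;
import javax.security.auth.callback.CallbackHandler;
import javax.security.auth.login.AppConfigurationEntry;
import javax.security.auth.login.AppConfigurationEntry.LoginModuleControlFlag;
import javax.security.auth.login.Configuration;
import javax.security.auth.login.FailedLoginException;
import javax.security.auth.login.LoginContext;
import javax.security.auth.login.LoginException;
import javax.security.auth.spi.LoginModule;

/** Added example: JAAS control-flag evaluation over a two-provider stack. */
public class ControlFlagDemo {

    /** Constructed stand-in for a provider whose store does not hold the user. */
    public static class RejectingModule implements LoginModule {
        public void initialize(Subject s, CallbackHandler h,
                               Map<String, ?> shared, Map<String, ?> opts) { }
        public boolean login() throws LoginException {
            throw new FailedLoginException("user not in this store");
        }
        public boolean commit() { return false; } // login failed, nothing to commit
        public boolean abort() { return true; }
        public boolean logout() { return true; }
    }

    /** Constructed stand-in for a provider that validates the user. */
    public static class AcceptingModule implements LoginModule {
        public void initialize(Subject s, CallbackHandler h,
                               Map<String, ?> shared, Map<String, ?> opts) { }
        public boolean login() { return true; }
        public boolean commit() { return true; }
        public boolean abort() { return true; }
        public boolean logout() { return true; }
    }

    /** Builds one stack entry: module class plus its control flag. */
    static AppConfigurationEntry entry(Class<? extends LoginModule> module,
                                       LoginModuleControlFlag flag) {
        return new AppConfigurationEntry(module.getName(), flag,
                Collections.<String, Object>emptyMap());
    }

    /** Runs a real LoginContext over the given stack, in the order given. */
    static boolean authenticate(final AppConfigurationEntry... stack) {
        Configuration config = new Configuration() {
            @Override
            public AppConfigurationEntry[] getAppConfigurationEntry(String name) {
                return stack;
            }
        };
        try {
            new LoginContext("demo", new Subject(), null, config).login();
            return true;
        } catch (LoginException e) {
            return false;
        }
    }

    public static void main(String[] args) {
        LoginModuleControlFlag required = LoginModuleControlFlag.REQUIRED;
        LoginModuleControlFlag sufficient = LoginModuleControlFlag.SUFFICIENT;

        // Configuration from the post: default provider REQUIRED and rejecting,
        // custom provider SUFFICIENT and accepting.
        System.out.println("default REQUIRED(reject), custom SUFFICIENT(accept): "
                + authenticate(entry(RejectingModule.class, required),
                               entry(AcceptingModule.class, sufficient)));

        // Configuration after the fix: both providers SUFFICIENT.
        System.out.println("default SUFFICIENT(reject), custom SUFFICIENT(accept): "
                + authenticate(entry(RejectingModule.class, sufficient),
                               entry(AcceptingModule.class, sufficient)));

        // Both SUFFICIENT, user unknown to both stores.
        System.out.println("default SUFFICIENT(reject), custom SUFFICIENT(reject): "
                + authenticate(entry(RejectingModule.class, sufficient),
                               entry(RejectingModule.class, sufficient)));

        // Both SUFFICIENT, only the default store accepts the credentials.
        System.out.println("default SUFFICIENT(accept), custom SUFFICIENT(reject): "
                + authenticate(entry(AcceptingModule.class, sufficient),
                               entry(RejectingModule.class, sufficient)));
    }
}
```

With every provider set to SUFFICIENT, credentials accepted by any single store log the user in, so each configured store has to be trusted on its own.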

  • Using weblogic.servlet.security.ServletAuthentication

    I am currently using weblogic.servlet.security.ServletAuthentication.authenticate(Callback,
    request) to perform a weblogic form-based authentication/login and would like to
    see the session stored user info....
    The doc for authenticate states that a session will be created, but does this
    method also place user information into the session [after authentication]. If
    so, how exactly do I get the default user information stored in the session after
    this call?
    Is there a String title associated with the user info so that I can use getAttribute(String)?
    Using session.getAttributeNames(), I can see that the session has a "sessionContext"
    and "org.apache.struts.action.LOCALE". Is there a way I can use/parse these objects
    for the user information? Your help is very much appreciated, thanks!

    I think we have most of the functionality you've asked for.
    ServletAuthentication.runAs() associates a Subject with the session.
    weblogic.security.services.Authentication.authenticate() creates a Subject.
    ServletAuthentication.authenticate() is merely a convenience wrapper around
    these two methods. That is, it creates a CallbackHandler from the request,
    calls authenticate() and then calls runAs(). So, in answer to your question,
    yes, ServletAuthentication.authenticate() does associate the Subject with
    the current session.
    There is no direct way of getting the Subject associated with a session but
    we can give you the current Subject which is almost always the same thing
    (if you have a run-as tag the current Subject may be different than the one
    associated with the session). To get the current Subject call
    weblogic.security.Security.getCurrentSubject().
    - Neil

  • How to use ServletAuthentication.weak(...)

    In order to have my application (behind a servlet) decide when to collect
    user credentials and when to login (authenticate), it appeared from the
    javadoc and from other postings and responses I've seen that I should be
    able to use the weblogic.servlet.security.ServletAuthentication class.
    Well, I tried it last night and was sure it was working, but now the ONLY
    time it's returning AUTHENTICATED status is if I'm already logged in, via
    that browser/session using HTTP Basic Auth (I set up a security constraint
    for SnoopServlet that requires basic auth login, and I added the following
    code to a copy - SnoopServlet2 that does not require authentication (no
    security constraint)). Only if I login via basic auth for SnoopServlet can
    I then run SnoopServlet2 and have the below weak() authentication call
    succeed. If I start up a new browser (thus no authentication) and try
    SnoopServlet2 first I get FAILED_AUTHENTICATION every time,
    until I login via SnoopServlet (even via a different account) and then come
    back and try SnoopServlet2 with the below weak() call with either the same
    user as I used for SnoopServlet or a different user.
    Should I be able to programmatically authenticate (and have the WebLogic
    session treat me as authenticated after that) like this or is that not
    supported?
    If it should work, what am I doing wrong? Do I need to call some other
    setup first if I'm programmatically authenticating within a servlet that's
    not forcing authentication via security constraint? NOTE: I'm doing this
    through a caching realm which is using the WL6.0SP1 LDAP realm, which are
    working through HTTP Basic Auth for servlets with security constraints.
    // Call the password based (weak) authentication method
    int status = weblogic.servlet.security.ServletAuthentication.weak(user, pwd, req);
    switch (status) {
        case weblogic.servlet.security.ServletAuthentication.AUTHENTICATED:
            out.println("<h3>AUTHENTICATED</h3>");
            break;
        case weblogic.servlet.security.ServletAuthentication.FAILED_AUTHENTICATION:
            out.println("<h3>FAILED AUTHENTICATION</h3>");
            break;
        default:
            out.println("<h3>Unknown Authentication Status: " + status + "</h3>");
    }
    Thanks,
    ..Mike
    [email protected]

    I believe I have this working better now (but could still use some info on
    whether this is a supported method of authenticating instead of using HTTP
    Basic Auth or Forms support, where my servlet authenticates a user based on
    info it retrieves and then that user (based on their WL authenticated
    session) is automatically authenticated for other servlets that are
    protected by security constraints)... The javadoc says a bit about how to
    use this API, but not much about its intended use, behavior, gotchas...
    Anyway, what I did to get it working (without previously having
    authenticated) was:
        weblogic.servlet.security.ServletAuthentication.weak(user, pwd, req.getSession(true));
    instead of:
        weblogic.servlet.security.ServletAuthentication.weak(user, pwd, req);
    It looks like the latter call (that I tried first) doesn't set up the
    session for you if you don't already have one... The first call above makes
    sure you have a session
    and passes that in instead of the request.

  • Nasty narrowing cast (bug) in ServletAuthentication class

    I'm trying to integrate a 3rd party's authentication framework with Weblogic using identity assertion. Like:
    3rd party <- weblogic identity assertion <- custom SSO
    The 3rd party is wrapping the HttpSession, which should be transparent. However, I get a class cast exception in BEA's ServletAuthentication class. It seems they do this nasty little narrowing cast on the HttpSession object.
    public static int assertIdentity(HttpServletRequest httpservletrequest, HttpServletResponse httpservletresponse, String s)
        throws ServletException, IOException, LoginException
    {
        // (the code that obtains authenticatedsubject is not shown in the post)
        if (authenticatedsubject != null && !SubjectUtils.isUserAnonymous(authenticatedsubject))
        {
            // Narrowing cast: throws ClassCastException when the HttpSession is a wrapper
            SessionInternal sessioninternal = (SessionInternal) httpservletrequest.getSession(true);
            sessioninternal.setInternalAttribute("weblogic.authuser", authenticatedsubject);
            SecurityServiceManager.pushSubject(getKernelID(), authenticatedsubject);
            return 0;
        } else
            return 1;
    }
    Has anyone else run into this problem before? Anyone have a suggestion that doesn't involve me rewriting the 3rd party code or BEAs?

    Hi,
    This may be a classloader problem. SessionInternal class instances are loaded by two different class loaders. Could you check the thread linked below? It may help you to nail down the issue.
    http://forums.bea.com/bea/message.jspa?messageID=400002870&tstart=0
    Keep us posted once your issue gets resolved.
    Cheers,
    -Raja

  • ServletAuthentication logs in user but fails isUserInRole

    Problems with ServletAuthentication, where I call
    .weak(username,password,httpservletrequest) and the user is authenticated
    but fails isUserInRole security checks.
    User PASSES declarative security checks on EJB methods.... what gives?
    WLS7 sp1.... standard embedded LDAP realm.
    Markus

    To add to the fun.... pulled Subject from weblogic.security.Security and
    iterated through the principals. My groups are there!
    For kicks I tried a
    ServletAuthentication.runAs(Security.getCurrentSubject(), request);
    That didn't work.
    What is going on?

  • Need help troubleshooting ServletAuthentication behavior

    We've been running into an issue when running a servlet we have written in WLS in conjunction with OAM. Apparently something in OAM causes ServletAuthentication.generateNewSessionID to be called, which has a number of consequences which are problematic for us.
    It appears that generateNewSessionID does the following:
    - Creates a new httpSession.
    - (Which in turn) Invokes the sessionCreated callback in any HttpSessionListener implementations.
    - Copies attributes from the old session to the new session, except that it apparently does not overwrite any attributes that were set in the sessionCreated callback.
    - Destroys the old httpSession.
    - (Which in turn) Invokes the sessionDestroyed callback in any HttpSessionListener implementations.
    This is problematic on a number of levels. It doesn't seem there is a way for the servlet to know that the session lifecycle callbacks are being called for the purpose of switching out the session ID. Consequently, we see a sessionDestroyed callback and assume that the session has really gone away -- and so we clean out any data structures we have maintained for the session/user state. But then we get a request with the "new" session, which contains session attributes that have now become meaningless to us.
    I suspect we're missing some critical insight here. Can anybody shed some light on how servlets are supposed to work with this feature?
    Thanks,
    Josh

  • weblogic.servlet.security.ServletAuthentication.weak() throws 'HttpSession is invalid'

    In our web app, we supply a form to accept the user info and log in the
    user. The following is the program.
        String uid = (String) request.getParameter("username");
        String pwd = (String) request.getParameter("password");
        ServletAuthentication.logout(request);
        request.getSession().invalidate();
        HttpSession session = request.getSession(true);
        session.setAttribute( ..... ) ;
        int auth = ServletAuthentication.weak(uid, pwd, request);
    But an exception of "java.lang.IllegalStateException: HttpSession is
    invalid" is thrown by the last statement. What's wrong with the above
    program?
    Thanks for any help!

  • weblogic.servlet.security.ServletAuthentication.logout() does not work

    Hi,
    In WLS6.1, I have a web application.
    The user logs in to this by form-based authentication. When the user clicks logoff, I tried calling ServletAuthentication.logout()/ invalidateall()/ killcookie() along with calling session.invalidate(), and then redirect the user to a controlled URL.
    WLS5.1 threw the login page in this case (just by calling session.invalidate()), but 6.1 allows access to the URL (a new session is created but the user is never logged out).
    Can you pl. let me know why this is happening? Is there a way out to log out the user by calling any proprietary API?
    Thanks in advance
    Mano

  • Weblogic.servlet.security.ServletAuthentication Question

    Hi all,
    I am developing on WebLogic 5.1 with service pack 6 installed. The WebLogic 5.1 documentation on the ServletAuthentication class says that along with the non-static weak() method, there are two static versions of the weak() method available in the class that one could use. I would like to use the static version that takes in username, password, and the servlet request or session object. But when I tried compiling my program, the compiler could not find the method implementation.
    This prompted me to run the javap utility on the weblogic.servlet.security.ServletAuthentication class in the weblogic510sp6.jar file and sure enough I did not find the static methods in that class.
    I did see them in an older Weblogicaux.jar file's version of the ServletAuthentication class. Does that mean that these methods are deprecated? If so, I would love to know the reason. For implementations that store passwords in an encrypted form those are the only methods that are useful.
    Any help/clarification on this is greatly appreciated,
    arif.

  • ServletAuthentication error

    I'm using weblogic.servlet.security.ServletAuthentication.weak(user,password,session) to log into a system here. This throws the error:
    can't find com.asn1c.core.OctetString
    Is there a package I'm missing in my classpath here?

    skeezix,
    Are you, by any chance, getting the error while trying to step into a control in the debugger? I have found that I get a variety of messages (including yours) if I step through my code although it seems to execute fine when I run past calls to controls.

  • Does ServletAuthentication.login(userName, password, req, res) transmit data to the server after encrypting?

    Hi,
    May I know whether the below method uses any encryption before transmitting data to the server end? I need to know whether it's passing plain text to the server end, as we call the method using plaintext for username and password.
    int rc = weblogic.servlet.security.ServletAuthentication.login(userName, password, req, res);
    Thank you.

    I had a problem once, where the authentication server only allowed internal IP addresses to be authenticated. Do you have any kind of those restrictions?
    Mike

  • ServletAuthentication Issue

    I have created a web app that contains protected resources defined in
    security-constraint elements in the web.xml deployment descriptor. The app
    uses form based authentication and authentication is achieved by submitting
    to a login servlet that internally uses the ServletAuthentication class in
    the weblogic.servlet.security package. My user is (for now) defined in the
    weblogic.properties file and assigned to a group as:
    weblogic.password.Andy=password
    weblogic.security.group.Level1Users=Andy
    Entering the correct username and password, the user is correctly
    authenticated and a session attribute called '_wl_authuser_' is created.
    However when I subsequently try to access a protected resource for which the
    auth-constraint role-name in the web.xml file is set to Level1Users (there
    is also a security-role element in the file with role-name set to
    Level1Users) weblogic redirects the request to the form-login-page page as
    though it does not identify that the user has already been authenticated and
    belongs to the specified Level1Users group.
    Is this a bug in Weblogic 5.1 (sp5), or am I making a fundamental error?
    Andy

    it looks correct, post your entire web.xml
    .paul

  • What does ServletAuthentication put in the session?

    Quick question,
    The API documentation for the ServletAuthentication class states: "It performs
    the authentication call through the Realm and sets the user information into the
    session."
    What exactly does the ServletAuthentication class put into the session when calling
    the weak() method? Does it put something into the session even if FAILED_AUTHENTICATION
    is returned?
    Thanks for your help,
    Scott

  • How to specify realm name when calling weak( ) method on ServletAuthentication class?

    I've created a bunch of custom realms and for a specific user logon (form based "uname" and "pword"), the system knows exactly which custom realm to look up against. However, in using ServletAuthentication class, one can only specify realm name in strong(req, res, realmName), not the weak() method. Any clue?
    -john

    Hi John,
    Did you find the answer to this question? I'm having a similar problem when calling the ServletAuthentication.assertIdentity() method.
    Cheers,
    Vidar
