[SOLVED] form based logout
Hi,
using Jdeveloper 10.1.3.3 ADF BC & JSF, I've implemented form based login like here: http://technology.amis.nl/blog/?p=1462
the problem is with logout. I have a commandLink and a method:
    public void doLogout() throws IOException {
        FacesContext ctx = FacesContext.getCurrentInstance();
        ExternalContext ectx = ctx.getExternalContext();
        HttpServletResponse response = (HttpServletResponse) ectx.getResponse();
        // getSession(false) returns null when no session exists
        HttpSession session = (HttpSession) ectx.getSession(false);
        try {
            if (session != null) {
                session.invalidate();
            }
            // Redirects straight to the login page after invalidating the session
            response.sendRedirect("../security/pages/login.jsp");
        } catch (java.lang.IllegalStateException ex) {
            System.out.println(ex.getMessage());
        }
    }
The thing that bothers me is that when a user logs out, he is redirected to the login page (session is invalidated OK), but when he enters credentials and tries to log in again he gets a 404 Not Found message in the browser. When I look in the log there are no error messages. I've searched the forum all over and everybody uses this way for logout, so I don't know what could be wrong.
Please help,
thanks in advance,
Tomislav.
Found what the problem was. After session.invalidate() I have to redirect the user to index.jspx; since the session was invalidated, it opens the login page.
Similar Messages
-
Logout Functionality in Form Based Authentication Not Working Properly
Hi All,
I am using Form Based Authentication in ADF. In this I followed the following steps:-
1.Login On Page.
2.In successful login page ,copy the url
3.Click on "Logout"
4.Paste the url in login page and click enter
5.System taking me back to that page where I can perform all the actions.
But the login operation should not happen just by entering the URL. Please provide any help on how to stop redirecting to my authenticated page just by typing the URL. This is a big security constraint. Any assistance with this is highly appreciated.
Thanks & Regards
Lovenish Garg
Hi BaiG,
For Login I am using the form based authentication and for logout here is my code:-
    public void logout() {
        ExternalContext ectx =
            FacesContext.getCurrentInstance().getExternalContext();
        HttpServletResponse response = (HttpServletResponse) ectx.getResponse();
        // getSession(false) returns null when no session exists
        HttpSession session = (HttpSession) ectx.getSession(false);
        if (session != null) {
            session.invalidate();
        }
        // These headers apply only to this redirect response
        response.setHeader("Cache-Control", "no-cache");
        response.setHeader("expires", "0");
        response.setHeader("Pragma", "no-cache");
        try {
            response.sendRedirect("AdminLogin.html");
        } catch (IOException e) {
            logger.severe(e.getMessage());
        }
        //Inform JSF to not take the response in hands
        FacesContext.getCurrentInstance().responseComplete();
        logger.info("session invalidated");
    }
Thanks,
Lovenish Garg -
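One way to combine what the two logout threads above run into, as an added example that is not code from either poster: the logout invalidates the session, expires the session cookie and redirects to a protected page so the container presents the login form itself, and a filter marks every protected response as uncacheable so a pasted or bookmarked URL is not served from the browser cache. The class names, the `JSESSIONID` cookie name (the servlet default) and the `/index.jspx` target are assumptions.

```java
import java.io.IOException;
import javax.servlet.Filter;
import javax.servlet.FilterChain;
import javax.servlet.FilterConfig;
import javax.servlet.ServletException;
import javax.servlet.ServletRequest;
import javax.servlet.ServletResponse;
import javax.servlet.http.Cookie;
import javax.servlet.http.HttpServlet;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;
import javax.servlet.http.HttpSession;

/** Added example. Class names and the redirect target are assumptions. */
public class LogoutSupport {

    /**
     * Map this filter to the protected URL space in web.xml. It sets the
     * cache headers on the protected pages themselves, not only on the
     * logout redirect.
     */
    public static class NoStoreFilter implements Filter {
        public void init(FilterConfig config) { }

        public void destroy() { }

        public void doFilter(ServletRequest req, ServletResponse res, FilterChain chain)
                throws IOException, ServletException {
            HttpServletResponse response = (HttpServletResponse) res;
            response.setHeader("Cache-Control", "no-store, no-cache, must-revalidate");
            response.setHeader("Pragma", "no-cache");
            response.setDateHeader("Expires", 0);
            chain.doFilter(req, res);
        }
    }

    /** Logout endpoint, reached by POST from the logout link or button. */
    public static class LogoutServlet extends HttpServlet {
        protected void doPost(HttpServletRequest request, HttpServletResponse response)
                throws IOException {
            // Drop the server-side session state; tolerate an already expired session.
            HttpSession session = request.getSession(false);
            if (session != null) {
                session.invalidate();
            }

            // Ask the browser to discard the old session id as well.
            String contextPath = request.getContextPath();
            Cookie expired = new Cookie("JSESSIONID", "");
            expired.setPath(contextPath.isEmpty() ? "/" : contextPath);
            expired.setMaxAge(0);
            response.addCookie(expired);

            // Redirect to a protected page (assumed name) instead of login.jsp:
            // the container intercepts the new request and shows the login form,
            // so j_security_check has a saved target to return to.
            response.sendRedirect(contextPath + "/index.jspx");
        }
    }
}
```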
Form-based authentication problem with weblogic
Hi Everyone,
The following problem related to form-based authentication
was posted one week ago and no response. Can someone give it
a shot? One more thing is added here. When I try it on J2EE
server and do the same thing, I didn't encounter this error
message, and I am redirected to the homepage.
Thanks.
-John
I am using weblogic5.1 and RDBMSRealm as the security realm. I am having the following problem with the form-based authentication login mechanism. Does anyone have an idea what the problem is and how to solve it?
When I login my application and logout as normal procedure, it is OK. But if I login and use the browser's BACK button to back the login page and try to login as a new user, I got the following error message,
"Form based authentication failed. Could not find session."
When I check the LOG file, it gives me the following message,
"Form based authentication failed. One of the following reasons could cause it: HTTP sessions are disabled. An old session ID was stored in the browser."
Normally, if you login and want to relogin without logout first, it supposes to direct you to the existing user session. But I don't understand why it gave me this error. I also checked my property file, it appears that the HTTP sessions are enabled as follows,
weblogic.httpd.session.enable=true
Hi...
Hehe... I actually did implement the way you implement it. My login.jsp actually checks if the user is authenticated. If yes, then it will forward it to the home page. On the other hand, I used ServletAuthentication to solve the problem mentioned by Cameron where Form Authentication Failed usually occurs for the first login attempt. I'm also getting this error occasionally. Using ServletAuthentication totally eliminates the occurrence of this problem.
I'm not using j_security_check anymore. ServletAuthentication does all the work. It also uses RDBMSRealm to authenticate the user. I think the biggest disadvantage I can see when using ServletAuthentication is that the requested resource will not be returned after authentication because the page returned after authenticating the user is actually hard coded (for my case, it's the home.jsp)
cheers...
Jerson
"John Wang" <[email protected]> wrote:
>
Hi Jerson,
I tried your code this weekend, it didn't work in my case. But
I solved my specific problem another way. The idea behind my problem is that the user tries to relogin when he is already logged in. Therefore, I just redirect the user to another page when he is getting the login page by hitting the BACK button, rather than reauthenticate the user the way you did.
But, I think your idea is very helpful if it could work. Problems such as multiple concurrent logins can be solved by pre-processing.
In your new code, you solved the problem with a new approach. I am just wondering, do you still implement it with your login.jsp file? In other words, your action in login.jsp is still "Authenticate"? Where do you put the URL "j_security_check"?
Thanks.
-John
"Jerson Chua" <[email protected]> wrote:
I've solved the problem by using ServletAuthentication. So far I'm not getting the error message. One of the side effects is that it doesn't return the requested URI after authentication, it will always return the home page.
Jerson
    package com.cyberj.catalyst.web;
    import weblogic.servlet.security.*;
    import javax.servlet.*;
    import javax.servlet.http.*;
    import java.io.*;
    public class Authenticate extends HttpServlet {
        private ServletAuthentication sa = new ServletAuthentication("j_username", "j_password");
        public void doPost(HttpServletRequest request, HttpServletResponse response)
                throws ServletException, java.io.IOException {
            int authenticated = sa.weak(request, response);
            if (authenticated == ServletAuthentication.NEEDS_CREDENTIALS ||
                    authenticated == ServletAuthentication.FAILED_AUTHENTICATION) {
                response.sendRedirect("fail_login.jsp");
            } else {
                // The target is hard coded, so the originally requested URI is not restored
                response.sendRedirect("Home.jsp");
            }
        }
        public void doGet(HttpServletRequest request, HttpServletResponse response)
                throws ServletException, java.io.IOException {
            doPost(request, response);
        }
    }
"Jerson Chua" <[email protected]> wrote:
The problem is still there even if I use page redirection. Grrr... My boss wants me to solve this problem so what are the alternatives I can do? Are there any other ways of authenticating the user? In my web tier... I'm using isUserInRole, getRemoteUser and the web tier actually connects to EJBs. If I implement my custom authentication, I wouldn't be able to use these functionalities.
Has anyone solved this problem? I've tried the example itself and the same problem occurs.
Jerson
"Cameron Purdy" <[email protected]> wrote:
Jerson,
First try it redirected (raw) to see if that indeed is the problem ... then
if it works you can "fix" it the way you want.
Peace,
Cameron Purdy
Tangosol, Inc.
http://www.tangosol.com
+1.617.623.5782
WebLogic Consulting Available
"Jerson Chua" <[email protected]> wrote in message
news:[email protected]...
Hi...
Thanks for your suggestion... I've actually thought of that solution. But using page redirection will expose the user's password. I'm thinking of another indirection where I will redirect it to another servlet but the password is encrypted.
What do you think?
thanks....
Jerson
"Cameron Purdy" <[email protected]> wrote:
Maybe redirect to the current URL after killing the session to let the request clean itself up. I don't think that a lot of the request (such as remote user) will be affected by killing the session until the next request comes in.
Peace,
Cameron Purdy
Tangosol, Inc.
http://www.tangosol.com
+1.617.623.5782
WebLogic Consulting Available
"Jerson Chua" <[email protected]> wrote in message
news:[email protected]...
Hello guys...
I've a solution but it doesn't work yet so I need your help. Because one of the reasons for getting form based authentication failed is if an authenticated user tries to login again. For example, the one mentioned by John using the back button to go to the login page and when the user logs in again, this error occurs.
So here's my solution
Instead of submitting the page to j_security_check, submit it to a servlet which will check if the user is logged in or not. If yes, invalidates its session and forward it to j_security_check. But there's a problem in this solution, even though the session.invalidate() (which actually logs the user out) is executed before forwarded to j_security_check, the user doesn't immediately logged out. How did I know this, because after calling session.invalidate, I tried calling request.RemoteUser() and it doesn't return null. So I'm still getting the error. What I want to ask you guys is how do I force logout before the j_security_check is called.
here's the code I did which the login.jsp actually submits to
    import javax.servlet.*;
    import javax.servlet.http.*;
    import java.io.*;
    public class Authenticate extends HttpServlet {
        public void doPost(HttpServletRequest request, HttpServletResponse response)
                throws ServletException, java.io.IOException {
            if (request.getRemoteUser() != null) {
                HttpSession session = request.getSession(false);
                System.out.println(session.isNew());
                session.invalidate();
                Cookie[] cookies = request.getCookies();
                for (int i = 0; i < cookies.length; i++) {
                    cookies[i].setMaxAge(0);
                }
            }
            // Forwarded within the same request that was just logged out
            getServletContext().getRequestDispatcher("/j_security_check").forward(request, response);
        }
        public void doGet(HttpServletRequest request, HttpServletResponse response)
                throws ServletException, java.io.IOException {
            doPost(request, response);
        }
    }
let's help each other to solve this problem. thanks.
Jerson
"Jerson Chua" <[email protected]> wrote:
I thought that this problem will be solved on sp6 but to my disappointment, the problem is still there. I'm also using RDBMSRealm, same as John.
Jerson
"Cameron Purdy" <[email protected]> wrote:
John,
1. You are using a single WL instance (i.e. not clustered) on that NT box and doing so without a proxy (e.g. specifying http://localhost:7001), correct?
2. BEA will pay more attention to the problem if you upgrade to SP6. If you don't have a reason NOT to (e.g. a particular regression), then you should upgrade. That will save you one go-around with support: "Hi, I am on SP5 and I have a problem.", "Upgrade to SP6 to see if that fixes it. Call back if that doesn't work."
3. Make sure that you are not doing anything special before or after J_SECURITY_CHECK ... make sure that you have everything configured and done by the book.
4. Email BEA a bug report at [email protected] ... see what they say.
Peace,
Cameron Purdy
Tangosol, Inc.
http://www.tangosol.com
+1.617.623.5782
WebLogic Consulting Available
"John Wang" <[email protected]> wrote in message
news:[email protected]...
Cameron,
It seems to me that the problem I encountered is different a little from what you have, even though the error message is the same eventually. Every time I go through, I always get that error.
I am using weblogic5.1 and sp5 on NT4.0. Do you have any solutions to work around this problem? If it was a BUG as you pointed out, is there a way we can report it to the Weblogic technical support and let them take a look?
Thanks.
-John
"Cameron Purdy" <[email protected]> wrote:
John,
I will verify that I have seen this error now (after having read about it here for a few months) and it had the following characteristics:
1) It was intermittent, and appeared to be self-curing
2) It was not predictable, only seemed to occur at the first login attempt, and may have been timing related
3) This was on Sun Solaris on a cluster of 2 Sparc 2xx's; the proxy was Apache (Stronghold)
4) After researching the newsgroups, it appears that this "bug" may have gone away temporarily (?) in SP5 (although Jerson Chua <[email protected]> mentioned that he still got it in SP5)
I was able to reproduce it most often by deleting the tmpwar and tmp_deployments directories while the cluster was not running, then restarting the cluster. The first login attempt would fail (roughly 90% of the time?) and that server instance would then be ignored by the proxy for a while (60 seconds?) -- meaning that the proxy would send all traffic, regardless of the number of "clients", to the other server in the cluster.
As far as I can tell, it is a bug in WebLogic, and probably has been there for quite a while.
Peace,
Cameron Purdy
Tangosol, Inc.
http://www.tangosol.com
+1.617.623.5782
WebLogic Consulting Available
"John Wang" <[email protected]> wrote in message
news:[email protected]...
Hi Everyone,
The following problem related to form-based authentication
was posted one week ago and no response. Can someone give it
a shot? One more thing is added here. When I try it on J2EE
server and do the same thing, I didn't encounter this error
message, and I am redirected to the homepage.
Thanks.
-John
I am using weblogic5.1 and RDBMSRealm as the security realm. I am having the following problem with the form-based authentication login mechanism. Does anyone have an idea what the problem is and how to solve it?
When I login my application and logout as normal procedure, it is OK. But if I login and use the browser's BACK button to back the login page and try to login as a new user, I got the following error message,
"Form based authentication failed. Could not find session."
When I check the LOG file, it gives me the following message,
"Form based authentication failed. One of the following reasons could cause it: HTTP sessions are disabled. An old session ID was stored in the browser."
Normally, if you login and want to relogin without logout first, it supposes to direct you to the existing user session. But I don't understand why it gave me this error. I also checked my property file, it appears that the HTTP sessions are enabled as follows,
weblogic.httpd.session.enable=true -
Form based login, iframes and session time out
Hi all,
I'm trying to create a site using form based login.
The site contains a protected page, default.jsp, that has a logout button/link (clicking it invalidates the session), and a navigation bar with links that open in iframes inside the default.jsp page.
I have also a login.jsp page and an error.jsp page.
Everything works fine, I can login, I can logout. My problem occurs when the session times out and the user tries to access protected contents in the internal frames. He then is prompted for a new login. The problem is that the login.jsp page now turns up inside the iframe designated for my contents.
I would have liked the login page to turn up at the top level, i.e. filling the entire browser window (i.e. on the same level as the default.jsp page). Is this somehow possible?
Regards
Uno Engborg
Easy answer: use JS to jump out of the iframe.
Best answer: don't use iframes, but use server side includes like jsp:include. Iframes have too many disadvantages, topped by the extremely bad SEO and UX. -
Populating the Lookup values in AD Child Form based logged in user
HI,
Below is the Lookup code(AD Groups) format.
Codekey , Decodekey
IT-Development , IT-Development
IT-Testing , IT-Testing
IT-Production , IT-Production
HR-system , HR-system
HR-Finance , HR-Finance
My requirement is that I need to filter the data being presented in the lookup according to the logged in user in the AD child form.
If I am logged in as xelsysadm the lookup presents all groups.
If I am logged in as IT administrator the lookup presents only the IT related groups (EX: IT-Development, IT-Testing....).
If I am logged in as HR administrator the lookup presents only the HR related groups (EX: HR-System, HR-Finance...).
Like this we have so many administrators.
We are deciding the administrators based on a user form field.
The field contains values like HR-Related, IT-Information Technology.....
How can I achieve this?
Thanks in advance.
Hi Rajiv,
Thank you for quick reply,
When i am login as IT administrator and i provisioned user to AD it showing the IT Related groups in ad child form based on your Suggestion.
If i logout and login as a HR administrator and i edit the child process form of the same user still its showing IT Related Groups only.If I revoke and provision user to ad again with HR administrator this time its showing HR Related groups in AD Child form.
I think based on the requester its showing the values.
But i want to filter groups based on logged in user.
EX:If i login as IT administrator and provision the user to AD in Child form its showing the IT Related groups only its correct.
If I logout and login as HR administrator and i edit the same user AD Child form its showing the IT related groups only its not correct.this time it shows only HR Related.
Any solution....
Thanks in advance. -
How to create a Form based on a dynamic table?
Hello,
The Select statement below creates a table based on a string (string is a value of an item):
    select * from table (pkg_util.fn_get_table (:P18_VALUE))
I need to create a region on a page with a Form based on this table.
I was able to create a Report, but not a Form.
I need to create a Form, which would return updated string to the page item.
How can I solve this please?
Hello Gentlemen,
I have created a Tabular Form, based on APEX_ITEM API, as you suggested, here is the code below:
    SELECT apex_item.checkbox (30,
                               CATALOG_ID,
                               'onclick="highlight_row(this,' || ROWNUM || ')"',
                               NULL,
                               'f30_' || LPAD (ROWNUM, 4, '0')
                              ) delete_checkbox,
           CATALOG_ID,
           apex_item.hidden (31, CATALOG_ID)
           || apex_item.text (32,
                              LANG,
                              80,
                              100,
                              'style="width:100px"',
                              'f32_' || LPAD (ROWNUM, 4, '0')
                             )
           || apex_item.hidden (33, wwv_flow_item.md5 (LANG, DESCRIPTION)) LANG,
           apex_item.text (34,
                           DESCRIPTION,
                           80,
                           100,
                           'style="width:255px"',
                           'f34_' || LPAD (ROWNUM, 4, '0')
                          ) DESCRIPTION
      FROM V_SYSTEM_CATALOGS_PR
    UNION ALL
    SELECT apex_item.checkbox (30,
                               TO_NUMBER (9900 + LEVEL),
                               'onclick="highlight_row(this,' || ROWNUM || ')"',
                               NULL,
                               'f30_' || TO_NUMBER (9900 + LEVEL)
                              ) delete_checkbox,
           NULL,
           apex_item.hidden (31, NULL)
           || apex_item.text (32,
                              NULL,
                              80,
                              100,
                              'style="width:100px"',
                              'f32_' || TO_NUMBER (9900 + LEVEL)
                             )
           || apex_item.hidden (33, NULL) LANG,
           apex_item.text (34,
                           NULL,
                           80,
                           100,
                           'style="width:255px" ',
                           'f34_' || TO_NUMBER (9900 + LEVEL)
                          ) DESCRIPTION
      FROM DUAL
     WHERE :P180_TEMP = 'ADD_ROWS1'
    CONNECT BY LEVEL <= 1
However, the update process does not work on that form:
    DECLARE
      lc_string VARCHAR2(4000);
    BEGIN
      FOR i IN 1..APEX_APPLICATION.G_f30.COUNT
      LOOP
        lc_string := lc_string || '[' || APEX_APPLICATION.G_f32(i) || '|' || APEX_APPLICATION.G_f34(i) || ']';
      END LOOP;
      --Database processing using the concatenated string here
    END;
Can you please see what's wrong with the code?
Also, I tried to set a temp. item with the value, to see if the process returns something, like that:
    DECLARE
      lc_string VARCHAR2(4000);
    BEGIN
      FOR i IN 1..APEX_APPLICATION.G_f30.COUNT
      LOOP
        lc_string := lc_string || '[' || APEX_APPLICATION.G_f32(i) || '|' || APEX_APPLICATION.G_f34(i) || ']';
      END LOOP;
      :p18_temp := lc_string;
    END;
and it did not work.
Also, it is the second Tabular Form on this page. The first one is created using wizard, and it works perfect, with the same update process:
    DECLARE
      lc_string VARCHAR2(4000);
    BEGIN
      FOR i IN 1..APEX_APPLICATION.G_f01.COUNT
      LOOP
        lc_string := lc_string || '[' || APEX_APPLICATION.G_f03(i) || '|' || APEX_APPLICATION.G_f04(i) || ']';
      END LOOP;
      --Database processing using the concatenated string here
    END;
Also, both forms are opening in a modal pop-up dialog window.
I use a Dialog Region plug-in for that.
May be this is causing a problem?
But still, the first form works fine!? -
J_security_check in form-based authentication - not checking for blank passwords
I am using the LDAP Security Realm to authenticate against an iPlanet
Directory Server. All works as expected when a user-id and password
are entered for form-based authentication.
However, when a userid is entered but no password, j_security_check
logs the user in successfully. Apparently, this is correct LDAP
behaviour as anonymous login to the LDAP server is permitted. It seems
that the j_security_check servlet should check for blank passwords
before trying to authenticate against the LDAP server and fail
authentication if this is the case.
Has anyone else experienced this problem?
Hi Brian,
I do not believe it is j_security_check's job to check for blank
passwords.
In many security realms, it is "legal" for a user to have a blank
password. j_security_check forwards whatever password was entered so that
even users with blank passwords can be authenticated by the realm on the
backend. For this reason I believe that j_security_check is "doing the
right thing" by just forwarding whatever is presented to it, rather than
having its own logic. It is best if j_security_check just acts as a very
dumb middle man.
If behavior was altered, it is true that your particular problem would be
solved, but then many other people would have a problem with their users
with blank passwords authenticating properly...
Try looking into how to disable anonymous logins on the LDAP end of
things. Hope this helps.
Cheers,
Joe Jerry
brian wrote:
I am using the LDAP Security Realm to authenticate against an iPlanet
Directory Server. All works as expected when a user-id and password
are entered for form-based authentication.
However, when a userid is entered but no password, j_security_check
logs the user in successfully. Apparently, this is correct LDAP
behaviour as anonymous login to the LDAP server is permitted. It seems
that the j_security_check servlet should check for blank passwords
before trying to authenticate against the LDAP server and fail
authentication if this is the case.
Has anyone else experienced this problem? -
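The behaviour discussed in this thread comes from LDAP itself: a simple bind that carries a DN and a zero-length password is an unauthenticated bind (RFC 4513, section 5.1.2), which a directory that permits it answers with success. Where application code or a custom realm performs the bind, it can refuse empty credentials before contacting the directory, in addition to disabling such binds on the LDAP side as the reply suggests. The following is an added example, not code from the thread or from WebLogic; the class name, URL and DN are constructed.

```java
import java.util.Hashtable;
import javax.naming.AuthenticationException;
import javax.naming.Context;
import javax.naming.NamingException;
import javax.naming.directory.DirContext;
import javax.naming.directory.InitialDirContext;

/** Added example. Class name, URL and DN below are constructed placeholders. */
public class LdapBindCheck {

    /**
     * Verifies a password by a simple bind as userDn.
     * Returns false without contacting the directory when the DN or the
     * password is empty, because the server would treat that request as an
     * unauthenticated bind and may answer it with success.
     */
    public static boolean authenticate(String ldapUrl, String userDn, char[] password)
            throws NamingException {
        if (userDn == null || userDn.trim().isEmpty()) {
            return false;
        }
        if (password == null || password.length == 0) {
            return false;
        }

        Hashtable<String, Object> env = new Hashtable<>();
        env.put(Context.INITIAL_CONTEXT_FACTORY, "com.sun.jndi.ldap.LdapCtxFactory");
        env.put(Context.PROVIDER_URL, ldapUrl);
        env.put(Context.SECURITY_AUTHENTICATION, "simple");
        env.put(Context.SECURITY_PRINCIPAL, userDn);
        env.put(Context.SECURITY_CREDENTIALS, password);

        DirContext ctx = null;
        try {
            // Creating the context performs the bind with the credentials above.
            ctx = new InitialDirContext(env);
            return true;
        } catch (AuthenticationException e) {
            // Wrong password or unknown DN.
            return false;
        } finally {
            if (ctx != null) {
                ctx.close();
            }
        }
    }

    public static void main(String[] args) throws NamingException {
        // Constructed values; the empty password is rejected before any
        // network connection is attempted, so this runs offline.
        String url = "ldap://ldap.example.invalid:389";
        String dn = "uid=brian,ou=People,dc=example,dc=invalid";
        System.out.println("empty password accepted: "
                + authenticate(url, dn, new char[0]));
    }
}
```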
Form Based authentcation in Sharepoint 2010
Hi,
I am having a problem. Every time I enter the URL for accessing the site I get a new page which asks me whether I have to use forms based authentication or Windows based authentication. Attaching the below screen shot of the same. Can someone help me to sort out this issue.
If you implement Forms Based authentication on the same AAM zone where you are using Windows Authentication this is the way it is designed to work. If you Extend the Web Application to a new Zone and turn on Forms Based authentication there but not in the default zone then you won't get the prompt. Instead you'll use windows authentication when you use the default Zone url and Forms based authentication when you use the extended zone URL.
Paul Stork SharePoint Server MVP
Principal Architect: Blue Chip Consulting Group
Blog: http://dontpapanic.com/blog
-
Issues with OSSO ,custom login module and form based authentication
Hi:
We are facing issues with OSSO (Oracle Single Sign On). Our application uses form based authentication and a custom login module.
The application goes into an infinite loop when we try to log in using OSSO. From the logs, it looks like when we try to log in from OSSO the application goes to the login page and gets the remote user from the request, so it forwards to the home page; up to now this is correct behaviour. But after that it looks like the home page finds that authentication is not done and sends it back to the login page, and the login page again sends it to the home page as it finds that the remote user is not null.
Our web.xml form authentication entry looks like this :
<login-config>
<auth-method>FORM</auth-method>
<form-login-config>
<form-login-page>/jsp/login.jsp</form-login-page>
<form-error-page>/jsp/couldnotlogin.jsp</form-error-page>
</form-login-config>
</login-config>
While entry in orion-application.xml has the following entry for custom login :
<jazn provider="XML">
<property name="custom.loginmodule.provider" value="true" />
<property name="role.mapping.dynamic" value="true" />
</jazn>
If I change the authentication type to BASIC and add the following line in orion-application.xml, will that solve the issue?
<jazn provider="XML">
<property name="custom.loginmodule.provider" value="true" />
<property name="role.mapping.dynamic" value="true" />
<jazn-web-app auth-method="SSO" />
</jazn>
Any help regarding it will be appreciated .
Thanks
Anil -
Form Error: form based on a Generic connectivity view
A view was based on a select from a table in a Sybase database (accessed in Oracle using Generic Connectivity).
When I built a block in a Form based on that view, I faced the following error:
ORA-02070: database SYB does not support ROWID in this context.
Also, the same error appeared in the reports accessing the same view.
Can anyone give me a clue to solve this problem please?
Thanks in advance.
I later knew that the issue can be addressed by setting the parameter Key Mode to nonupdatable.
-
Hello Community
In WS2012 and SharePoint 2013 Server is it possible when creating a
web application to enable both Windows Based Authentication/Negotiate
(Kerberos) and enable Forms Based Authentication or does the web application
use either one or the other?
Thank you
Shabeaut
Yes, you can use dual authentication on the same web application. You can use the same web application; at the OOB login page you will have the option to use Windows or form login.
Or you can extend your web application to a new web app and configure the extended web application to use Form Based Authentication (note the extended web application will also show the same content database, so the content will be the same and only the URL will be different).
http://blogs.technet.com/b/ptsblog/archive/2013/09/20/configuring-sharepoint-2013-forms-based-authentication-with-sqlmembershipprovider.aspx
http://gj80blogtech.blogspot.in/2013/11/forms-based-authentication-fba-in.html
Thanks
Ganesh Jat -
Form-based Auth for DefaultWebApp
I'm using WLS 6.0 SP2 on WIN2K. I tested the sample security
web app that uses form-based auth and am trying to do something
similar w/ the default web app in mydomain.
Here's my web.xml:
<?xml version="1.0" ?>
<!DOCTYPE web-app PUBLIC "-//Sun Microsystems, Inc.//DTD Web Application 1.2//EN"
"http://java.sun.com/j2ee/dtds/web-app_2_2.dtd">
<web-app>
<!--
Authentication
-->
<security-constraint>
<web-resource-collection>
<web-resource-name>Default</web-resource-name>
<url-pattern>/*</url-pattern>
</web-resource-collection>
<auth-constraint>
<role-name>system</role-name>
</auth-constraint>
</security-constraint>
<login-config>
<auth-method>FORM</auth-method>
<form-login-config>
<form-login-page>/login.jsp</form-login-page>
<form-error-page>/fail_login.html</form-error-page>
</form-login-config>
</login-config>
<!-- Security role which is global to the application -->
<security-role>
<role-name>administrators</role-name>
</security-role>
</web-app>
When I try to access a web page, http://localhost:7001/res/hello.html,
the browser keeps trying to open that
page. It goes on and on.... I never
get challenged w/ the login form, nor
seeing the page. However, when I change
FORM to BASIC, and delete the "form-login-config"
settings, I get challenged w/ the HTTP
basic auth dialog. Enter my credentials
and I get the page.
How do I config the default web app to use form-based
auth?
Thanks for any help you can provide.
-Muwon
Problem solved. The definition of your <url-pattern> (within <web-resource-collection>) can't include where your logon form is.
"Muwon" <[email protected]> wrote:
>
I'm using WLS 6.0 SP2 on WIN2K. I tested the sample security
web app that uses form-based auth and am trying to do something
similar w/ the default web app in mydomain.
Here's my web.xml:
<?xml version="1.0" ?>
<!DOCTYPE web-app PUBLIC "-//Sun Microsystems, Inc.//DTD Web Application
1.2//EN"
"http://java.sun.com/j2ee/dtds/web-app_2_2.dtd">
<web-app>
<!--
Authentication
-->
<security-constraint>
<web-resource-collection>
<web-resource-name>Default</web-resource-name>
<url-pattern>/*</url-pattern>
</web-resource-collection>
<auth-constraint>
<role-name>system</role-name>
</auth-constraint>
</security-constraint>
<login-config>
<auth-method>FORM</auth-method>
<form-login-config>
<form-login-page>/login.jsp</form-login-page>
<form-error-page>/fail_login.html</form-error-page>
</form-login-config>
</login-config>
<!-- Security role which is global to the application -->
<security-role>
<role-name>administrators</role-name>
</security-role>
</web-app>
When I try to access a web page, http://localhost:7001/res/hello.html,
the browser keeps trying to open that
page. It goes on and on.... I never
get challenged w/ the login form, nor
seeing the page. However, when I change
FORM to BASIC, and delete the "form-login-config"
settings, I get challenged w/ the HTTP
basic auth dialog. Enter my credentials
and I get the page.
How do I config the default web app to use form-based
auth?
Thanks for any help you can provide.
-Muwon -
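The condition reported as the cause in this thread can be checked mechanically. The following added example (not code from the thread or from WebLogic) parses a deployment descriptor and reports when the form login or error page falls under a url-pattern of a constraint that requires authentication. The class and method names are assumptions, and the embedded descriptor is constructed from the web.xml posted above.

```java
import java.io.StringReader;
import java.util.ArrayList;
import java.util.List;
import javax.xml.parsers.DocumentBuilder;
import javax.xml.parsers.DocumentBuilderFactory;
import org.w3c.dom.Element;
import org.w3c.dom.NodeList;
import org.xml.sax.InputSource;

/** Added example. Names are assumptions, not part of any container API. */
public class LoginPageConstraintCheck {

    // Servlet url-pattern matching: "/*" and "/dir/*" prefixes, "*.ext"
    // extensions, otherwise exact match. The default mapping "/" is not modelled.
    static boolean matches(String pattern, String path) {
        if (pattern.endsWith("/*")) {
            String prefix = pattern.substring(0, pattern.length() - 2);
            return path.equals(prefix) || path.startsWith(prefix + "/");
        }
        if (pattern.startsWith("*.")) {
            return path.endsWith(pattern.substring(1));
        }
        return pattern.equals(path);
    }

    static List<String> texts(Element scope, String tag) {
        List<String> out = new ArrayList<>();
        NodeList nodes = scope.getElementsByTagName(tag);
        for (int i = 0; i < nodes.getLength(); i++) {
            out.add(nodes.item(i).getTextContent().trim());
        }
        return out;
    }

    /** Returns one finding per login/error page covered by a protected pattern. */
    static List<String> findProtectedLoginPages(String webXml) throws Exception {
        DocumentBuilderFactory factory = DocumentBuilderFactory.newInstance();
        factory.setExpandEntityReferences(false);
        DocumentBuilder builder = factory.newDocumentBuilder();
        // Never fetch the external DTD named in the DOCTYPE: resolve it to empty input.
        builder.setEntityResolver(
                (publicId, systemId) -> new InputSource(new StringReader("")));
        Element root = builder.parse(new InputSource(new StringReader(webXml)))
                .getDocumentElement();

        List<String> formPages = texts(root, "form-login-page");
        formPages.addAll(texts(root, "form-error-page"));

        List<String> findings = new ArrayList<>();
        NodeList constraints = root.getElementsByTagName("security-constraint");
        for (int i = 0; i < constraints.getLength(); i++) {
            Element constraint = (Element) constraints.item(i);
            // A constraint without auth-constraint does not force a login.
            if (constraint.getElementsByTagName("auth-constraint").getLength() == 0) {
                continue;
            }
            for (String pattern : texts(constraint, "url-pattern")) {
                for (String page : formPages) {
                    if (matches(pattern, page)) {
                        findings.add(page + " is covered by protected url-pattern " + pattern);
                    }
                }
            }
        }
        return findings;
    }

    public static void main(String[] args) throws Exception {
        // Constructed sample, shortened from the descriptor posted in the thread.
        String webXml =
              "<?xml version=\"1.0\" ?>"
            + "<!DOCTYPE web-app PUBLIC \"-//Sun Microsystems, Inc.//DTD Web Application 1.2//EN\""
            + " \"http://java.sun.com/j2ee/dtds/web-app_2_2.dtd\">"
            + "<web-app>"
            + "<security-constraint><web-resource-collection>"
            + "<web-resource-name>Default</web-resource-name>"
            + "<url-pattern>/*</url-pattern>"
            + "</web-resource-collection>"
            + "<auth-constraint><role-name>system</role-name></auth-constraint>"
            + "</security-constraint>"
            + "<login-config><auth-method>FORM</auth-method><form-login-config>"
            + "<form-login-page>/login.jsp</form-login-page>"
            + "<form-error-page>/fail_login.html</form-error-page>"
            + "</form-login-config></login-config>"
            + "</web-app>";
        for (String finding : findProtectedLoginPages(webXml)) {
            System.out.println(finding);
        }
    }
}
```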
Has Access Manager yet added the ability to do "form memory" for easy SSO integration to applications performing form based authentication. This is a feature found in products such as Netegrity Siteminder and CA's stuff.
This is easier for legacy applications with closed code than trying to modify the login sequences for these applications.
Z
Hello Romano,
thank you for assisting so much.
Yes, the text itself is always new, but when i believe what it is saying, the content following is not new.
Or do i only mis-interpret the meaning of that text ? Does it perhaps analogously mean: "He User, the content you see was just fresh constructed and cached in the ApplicationCache and then sent to you" or .
I also found the "com.sap.portal.httpconnectivity.urlfetcherservice" and played with it, but with that i achieve cache settings for all applications used and not for only the one i would like it for.
I posted this also in category "Portal Content Development",
URL iview Cache -> How can i empty the ApplicationCache
and there are also interesting answers.
Kind regards
Andreas -
Hi,
We have a quite specific issue. The problem is most likely by design in ADFS 3.0 (running on Windows Server 2012 R2) and we are trying to find a "work-around".
Most users in the organization are using their own personal computer and everything is fine and working as expected, single sign-on (WIA) internally to Office 365 and forms based (FBA) externally (using Citrix NetScaler as reverse proxy and load balancing with the correct rewrites to add client-ip, proxy header and URL-transformation).
The problem occurs for a few (50-100) users where they are sharing the same computer, automatically logged on to the computer using a generic AD-user (same for all of them). This AD-user they are logged on with does not have any access to Office365 and if they try to access SharePoint Online they receive an error that they can't login (from SharePoint Online, not ADFS).
We can't change this, they need to have this generic account logged on to these computers. The issue occurs when a user that has access to SharePoint Online tries to access it when logged on with a generic account.
They are not able to "switch" from the generic account in ADFS / SharePoint Online to their personal account.
The only way I've found that may work is removing IE as a WIA-capable agent and deploy a User-Agent version string specific to most users but not the generic account.
My question to you: Is there another way? Maybe when ADFS sees the generic user, it forces forms based authentication or something like that?
Best regards,
Simon
I'd go with your original workaround using the user-agent and publishing a GPO for your normal users that elects to use a user-agent string associated with Integrated Windows Auth. For the generic accounts, I'd look at using a loopback policy that overwrites that user agent setting, so that forms logon is preferred for that subset of users. I don't think the Netscaler here is useful in this capacity as it's a front-end proxy and you need to evaluate the AuthZ rules on the AD FS server after the request has been proxied. The error pages in Windows Server 2012 R2 are canned as the previous poster mentioned and difficult to customize (Javascript only)...
http://blog.auth360.net -
Help with exporting forms based data to Excel 2007
I have a user who is attempting to export forms based data to Microsoft Excel 2007 and when he attempts this he receives a message stating that Windows does not recognise this file type (tsv). I am not too familiar with Office 2007 so I am unable to direct this user as to how to correct this issue.
Is someone able to give me the navigation path to help me to assist this user? thanks
Did you verify the file type from Windows Explorer?
1) Right click on My Computer > Explore
2) Go to Tools > Folder Options
3) Click on File Types tab
4) Check if TSV file is defined there or not. If it is not there, click on New and add the File Extension