Tomact examples and form base authentication

I am looking at the tomcat examples web.xml security constrains and login info settings:
<security-constraint>
<display-name>Example Security Constraint</display-name>
<web-resource-collection>
<web-resource-name>Protected Area</web-resource-name>
     <!-- Define the context-relative URL(s) to be protected -->
<url-pattern>/jsp/security/protected/*</url-pattern>
     <!-- If you list http methods, only those methods are protected -->
     <http-method>DELETE</http-method>
<http-method>GET</http-method>
<http-method>POST</http-method>
     <http-method>PUT</http-method>
</web-resource-collection>
<auth-constraint>
<!-- Anyone with one of the listed roles may access this area -->
<role-name>tomcat</role-name>
     <role-name>role1</role-name>
</auth-constraint>
</security-constraint>
<!-- Default login configuration uses form-based authentication -->
<login-config>
<auth-method>FORM</auth-method>
<realm-name>Example Form-Based Authentication Area</realm-name>
<form-login-config>
<form-login-page>/jsp/security/protected/login.jsp</form-login-page>
<form-error-page>/jsp/security/protected/error.jsp</form-error-page>
</form-login-config>
</login-config>
As we can see form-login page and form-error page uri match url-pattern settings.
url-pattern: /jsp/security/protected/*
form-login page: /jsp/security/protected/login.jsp
form-error page: /jsp/security/protected/error.jsp
There is no binding of unauthenticated user to ether one of specified roles
Question: What place in the servlet spec allows serving secured resource for a user without appropriate role association?

Kinda then beat the the whole idea of authentication then, if you allow a user in that is not assigned to a security role? Anyway, I think you are looking to send the user to another page if they are not in a role but have an id, correct? Well, first it has to be a page outside the secure directory/ies. The error it generates is a 403. So add to your web.xml:
    <error-page>
       <error-code>403</error-code>
       <location>/403.jsp</location>
    </error-page>Anytime a user who is not a member of the allowed roles attempts a login, they will be redirected to this page.
Ross

Similar Messages

  • Security - Password Expiration with Form Base Authentication

    Hi everbody,
    I have configured the security of my application and this works
    fine.
    I configured the roles and match roles with groups defined in my
    LDAP
    I used the form base authentication. Perfect, but now I configure in
    LDAP
    that the user password can be expired, and the user can change password.
    My problem is when the user try to log at my application and the
    password was expired, I need to allow that user change the password
    ( showing another pag, and ask about the new password).
    Nowadays when the user try to log and the password was expired the
    page that I have set for my login error page (form base authentication)
    is call, this page is call if the user is invalid or the password is
    invalid too.
    I have try to get the exception at this page using :
    String codeObj =
    req.getAttribute("javax.servlet.error.status_code");
    String messageObj =
    req.getAttribute("javax.servlet.error.message");
    String typeObj =
    req.getAttribute("javax.servlet.error.exception_type");
    But all of this String are null. It's independent if the user is
    invalid or the password or either if the password was expired.
    I always get this null Strings. But if the person isn't authorized I
    call another pag and at this time I can get the code, message
    and the exception type
    So my question is how can I treat this ? how can I get this kind of
    exception ?
    I also make a java application that only try to connect with Ldap,
    and if the password is expired
    I can get the com.netscape.LDAPExpection with code 45 and message
    Invalid Credential.
    Is it impossible to get this exception in my actual solution ? I
    need to make one component for that ?
    Someone can help me ?
    Any tip will be good !!
    Thanks
    Daniela Pistelli Gomes
    Technical Consultant
    Summa Technologies
    http://www.summa-tech.com

    Hi Robert,
    thanks very much for ur pointers on the AuthFilter class.. will try that out.
    Robert Greig <[email protected]> wrote:
    Stephen wrote:
    I am using WLS 6.1 and tried using a custom filter to intercept theauthentication
    request submitted from a FORM BASE jsp (using the j_security_checkform).
    However, no matter what i've tried, it is always the authenticationpart that
    gets executed before the filter.
    Any idea how could I intercept the request before the j_security_checkservlet
    calls the security provider for authentication?There is a (now deprecated) class weblogic.servlet.security.AuthFilter.
    I haven't used it because it is deprecated but I think it does what
    you're after.
    In my apps, I make the FORM auth submit to my own servlet which can then
    do what j_security_check does (most although not all is accessible
    through public APIs).
    Robert

  • 5.1 sp9 and Form Base login

    Hi,
    We've just upgraded to 5.1 sp9 from sp8 and the form base login seem to have died.
    We are using LDAPRealm to authenticate and ServletAuthentication class for the
    form login.
    This is the error we get
    java.lang.SecurityException: Authentication for user adminuser denied in realm
    wl_realm
    at weblogic.rmi.extensions.AbstractRequest.sendReceive(AbstractRequest.java:76)
    at weblogic.jndi.toolkit.BasicWLContext_WLStub.lookup(BasicWLContext_WLStub.java:246)
    at weblogic.jndi.toolkit.WLContextStub.lookup(WLContextStub.java:545)
    at javax.naming.InitialContext.lookup(InitialContext.java:350)
    at com.citec.payserv.AdminStart.setEJBHomeInterface(AdminStart.java:213)
    at com.citec.payserv.AdminStart.doGet(AdminStart.java:412)
    at javax.servlet.http.HttpServlet.service(HttpServlet.java:740)
    at javax.servlet.http.HttpServlet.service(HttpServlet.java:865)
    at weblogic.servlet.internal.ServletStubImpl.invokeServlet(ServletStubImpl.java:120)
    at weblogic.servlet.internal.ServletContextImpl.invokeServlet(ServletContextImpl.java:915)
    at weblogic.servlet.internal.ServletContextImpl.invokeServlet(ServletContextImpl.java:879)
    at weblogic.servlet.internal.ServletContextManager.invokeServlet(ServletContextManager.java:269)
    at weblogic.socket.MuxableSocketHTTP.invokeServlet(MuxableSocketHTTP.java:365)
    at weblogic.socket.MuxableSocketHTTP.execute(MuxableSocketHTTP.java:253)
    at weblogic.kernel.ExecuteThread.run(ExecuteThread.java:129)
    Seems strange that it is referencing wl_realm and not LDAPRealm. It was working
    on sp8, is anybody aware of anything like this?

    seems like a regression in SP9.
    I have filed a bug report. In case if you contact support refer CR046236
    Kumar
    Peter Buus wrote:
    I have just downloaded SP9 and now my defaultFileName does'nt work any more.
    I used to have the following entry
    weblogic.httpd.initArgs.file=defaultFilename=/menu/start.htm
    Prior to SP9 a request to http://myserver would yield
    http://myserver/menu/start.htm
    Now WL 5.1 presents a directory browsing of the root. It works if
    http://myserver/menu is requested.
    However, I have a lot of users using http://myserver - is there any way to
    include a directory in a defaultfilename?
    Thanks/Peter

  • SP4 and Form Based Authentication

    Hi,
    I had just advised a customer to apply SP4 to WLS and
    then plug in the 'source code' patch, he replied that he had
    been informed that SP4 breaks Form Based Authentication for
    war web apps?
    Can anyone confirm/deny this for me please ?
    regards,
         Patrick.

    Hehe Hiya Patrick!, that was Me! seems we use the same hot source of info :)
    Cheers
    Rob :)
    "Patrick Byrne" <[email protected]> wrote in message
    news:[email protected]..
    Hi,
    I had just advised a customer to apply SP4 to WLS and
    then plug in the 'source code' patch, he replied that he had
    been informed that SP4 breaks Form Based Authentication for
    war web apps?
    Can anyone confirm/deny this for me please ?
    regards,
    Patrick.

  • Issues with OSSO ,custom login module and form based authentication

    Hi:
    We are facing issues with OSSO (Oracle Single Sign on ),Our application use the form based
    authentication and Custom login module.
    Application is going in infinite loop when we we try to login using osso ,from the logs
    what I got is looks like tha when we we try to login from OSSO application goes to the login
    page and it gets the remote user from request so it forwards it to the home page till now
    it is correct behaviour ,but after that It looks like home page find that authentication is
    not done and sends it back to the login page and login page again sends it to the home as it
    finds that remote user is not null.
    Our web.xml form authentication entry looks like this :
    <login-config>
    <auth-method>FORM</auth-method>
    <form-login-config>
    <form-login-page>/jsp/login.jsp</form-login-page>
    <form-error-page>/jsp/couldnotlogin.jsp</form-error-page>
    </form-login-config>
    </login-config>
    While entry in orion-application.xml has the following entry for custom login :
    <jazn provider="XML">
         <property name="custom.loginmodule.provider" value="true" />
    <property name="role.mapping.dynamic" value="true" />
    </jazn>
    Whether If I change the authentication type to BASIC and add the following line
    in orion-application.xml will solve the issue :
    <jazn provider="XML">
         <property name="custom.loginmodule.provider" value="true" />
    <property name="role.mapping.dynamic" value="true" />
    <jazn-web-app auth-method="SSO" >
    </jazn>
    Any help regarding it will be appreciated .
    Thanks
    Anil

    Hi:
    We are facing issues with OSSO (Oracle Single Sign on ),Our application use the form based
    authentication and Custom login module.
    Application is going in infinite loop when we we try to login using osso ,from the logs
    what I got is looks like tha when we we try to login from OSSO application goes to the login
    page and it gets the remote user from request so it forwards it to the home page till now
    it is correct behaviour ,but after that It looks like home page find that authentication is
    not done and sends it back to the login page and login page again sends it to the home as it
    finds that remote user is not null.
    Our web.xml form authentication entry looks like this :
    <login-config>
    <auth-method>FORM</auth-method>
    <form-login-config>
    <form-login-page>/jsp/login.jsp</form-login-page>
    <form-error-page>/jsp/couldnotlogin.jsp</form-error-page>
    </form-login-config>
    </login-config>
    While entry in orion-application.xml has the following entry for custom login :
    <jazn provider="XML">
         <property name="custom.loginmodule.provider" value="true" />
    <property name="role.mapping.dynamic" value="true" />
    </jazn>
    Whether If I change the authentication type to BASIC and add the following line
    in orion-application.xml will solve the issue :
    <jazn provider="XML">
         <property name="custom.loginmodule.provider" value="true" />
    <property name="role.mapping.dynamic" value="true" />
    <jazn-web-app auth-method="SSO" >
    </jazn>
    Any help regarding it will be appreciated .
    Thanks
    Anil

  • MOBI SSO with trusted authentication and form based authentication

    Dear All,
    I am trying to configure Trusted authentication based SSO FOR MOBI, here are the details:
    - SAP BI 4.1 SP04
    - Trusted authentication with HTTP header configurred for BI Launchpad and working fine.
    Now to have SSO from Mobile, I plan to leverage the existing configuration of BI Launchpad and at Mobile level, I want to use authentication type as TRUSTED_AUTH_FORM, instead of TRUSTED_AUTH_BASIC, with the approach: Trusted authentication with HTTP header.
    And
    Provide our app users their X502 certs.
    1. Will the above approach work ??
    2. As per SAP NOTE: 2038165 - SSO using form based trusted auth gives with the SAP BI app for iOS gives error MOB00920 this does not work and is still under investigation from July last year ? So for any community member, has this been found working ??
    I would appreciate your valuable inputs.
    Regards,
    Sarvjot Singh

    Hi,
    According to your post, my understanding is that you want to know the difference of the SharePoint three type user authentications.
    Windows claims-based authentication uses your existing Windows authentication provider (Active Directory Domain Services [AD DS]) to validate the credentials of connecting clients. Use this authentication to allow AD DS-based accounts access to SharePoint
    resources. Authentication methods include NTLM, Kerberos, and Basic.
    Forms-based authentication can be used against credentials that are stored in an authentication provider that is available through the ASP.NET interface
    SAML token-based authentication in SharePoint 2013 requires coordination with administrators of a claims-based environment, whether it is your own internal environment or a partner environment.
    There is a good article contains all the SharePoint Authentications, including how they work and how to configure.
    http://sp77.blogspot.com/2014/02/authentication-in-sharepoint-2013_5.html#.VFcyQ_mUfkJ
    Thanks & Regards,
    Jason
    Jason Guo
    TechNet Community Support

  • Office Web Apps and Forms Based Authentication

    Is it possible to use Office Web Apps Server 2013 to give external SharePoint Foundation 2013 clients access to Office documents in a View only capacity?
    Does FBA work with Office Web Apps or would external users have to at least have a Windows CAL in AD if we are just using SharePoint Foundation?

    Hi,
    It may be possible.
    Here are some links for your situation:
    http://technet.microsoft.com/en-us/library/ff431682(v=office.15).aspx
    http://blogs.technet.com/b/office_web_apps_server_2013_support_blog/archive/2014/03/20/office-web-apps-2013-errors-previewing-viewing-editing-documents-when-using-fba-in-the-extended-zone-but-not-the-default-zone.aspx
    http://technet.microsoft.com/en-us/library/ee806890(v=office.15).aspx
    Office Web Apps can be used only by SharePoint 2013 web applications that use claims-based authentication.
    There is a known issue when using Office Web App in the extended zone with FBA, but not the default zone. Please configure FBA authentication in the Default zone in case of that.
    Hope it helps.
    Regards,
    Rebecca Tu
    TechNet Community Support

  • Form-based authentication problem with weblogic

    Hi Everyone,
    The following problem related to form-based authentication
    was posted one week ago and no reponse. Can someone give it
    a shot? One more thing is added here. When I try it on J2EE
    server and do the same thing, I didn't encounter this error
    message, and I am redirected to the homeage.
    Thanks.
    -John
    I am using weblogic5.1 and RDBMSRealm as the security realm. I am having the following problem with the form-based authentication login mechanism. Does anyone have an idea what the problem is and how to solve it?
    When I login my application and logout as normal procedure, it is OK. But if I login and use the browser's BACK button to back the login page and try to login as a new user, I got the following error message,
    "Form based authentication failed. Could not find session."
    When I check the LOG file, it gives me the following message,
    "Form based authentication failed. One of the following reasons could cause it: HTTP sessions are disabled. An old session ID was stored in the browser."
    Normally, if you login and want to relogin without logout first, it supposes to direct you to the existing user session. But I don't understand why it gave me this error. I also checked my property file, it appears that the HTTP sessions are enabled as follows,
    weblogic.httpd.session.enable=true

    Hi...
    Hehe... I actually did implement the way you implement it. My login.jsp actually checks if the user is authenticated. If yes, then it will forward it to the home page. On the other hand, I used ServletAuthentication to solve the problem mentioned by Cameron where Form Authentication Failed usually occurs for the first login attempt. I'm also getting this error occasionally. Using ServletAuthentication totally eliminates the occurence of this problem.
    I'm not using j_security_check anymore. ServletAuthentication does all the works. It also uses RDBMSRealm to authenticate the user. I think the biggest disadvantage I can see when using ServletAuthentication is that the requested resource will not be returned after authentication cause the page returned after authenticating the user is actually hard coded (for my case, it's the home.jsp)
    cheers...
    Jerson
    "John Wang" <[email protected]> wrote:
    >
    Hi Jerson,
    I tried your code this weekend, it didn't work in my case. But
    I solved my specific problem other way. The idea behind my problem is that the user tries to relogin when he already logs in. Therefore, I just redirect the user into another page when he is getting the login page by htting the BACK button, rather than reauthenticate the user as the way you did.
    But, I think your idea is very helpful if it could work. Problems such multiple concurrence logins can be solved by pre-processing.
    In your new code, you solved the problem with a new approach. I am just wondering, do you still implement it with your login.jsp file? In other word, your action in login.jsp is still "Authenticate"? Where do you put the URL "j_security_check"?
    Thanks.
    -John
    "Jerson Chua" <[email protected]> wrote:
    I've solved the problem by using ServletAuthentication. So far I'm not getting the error message. One of the side effects is that it doesn't return the requested URI after authentication, it will always return the home page.
    Jerson
    package com.cyberj.catalyst.web;
    import weblogic.servlet.security.*;
    import javax.servlet.*;
    import javax.servlet.http.*;
    import java.io.*;
    public class Authenticate extends HttpServlet {
    private ServletAuthentication sa = new ServletAuthentication("j_username", "j_password");
    public void doPost(HttpServletRequest request, HttpServletResponse response)
    throws ServletException, java.io.IOException {
    int authenticated = sa.weak(request, response);
    if (authenticated == ServletAuthentication.NEEDS_CREDENTIALS ||
    authenticated == ServletAuthentication.FAILED_AUTHENTICATION) {
    response.sendRedirect("fail_login.jsp");
    } else {
    response.sendRedirect("Home.jsp");
    public void doGet(HttpServletRequest request, HttpServletResponse response)
    throws ServletException, java.io.IOException {
    doPost(request, response);
    "Jerson Chua" <[email protected]> wrote:
    The problem is still there even if I use page redirection. Grrr... My boss wants me to solve this problem so what are the alternatives I can do? Are there any other ways of authenticating the user? In my web tier... I'm using isUserInRole, getRemoteUser and the web tier actually connects to EJBs. If I implement my custom authentication, I wouldn't be able to use this functionalities.
    Has anyone solved this problem? I've tried the example itself and the same problem occurs.
    Jerson
    "Cameron Purdy" <[email protected]> wrote:
    Jerson,
    First try it redirected (raw) to see if that indeed is the problem ... then
    if it works you can "fix" it the way you want.
    Peace,
    Cameron Purdy
    Tangosol, Inc.
    http://www.tangosol.com
    +1.617.623.5782
    WebLogic Consulting Available
    "Jerson Chua" <[email protected]> wrote in message
    news:[email protected]...
    Hi...
    Thanks for your suggestion... I've actually thought of that solution. Butusing page redirection will expose the user's password. I'm thinking of
    another indirection where I will redirect it to another servlet but the
    password is encrypted.
    What do you think?
    thanks....
    Jerson
    "Cameron Purdy" <[email protected]> wrote:
    Maybe redirect to the current URL after killing the session to let the
    request clean itself up. I don't think that a lot of the request (such
    as
    remote user) will be affected by killing the session until the nextrequest
    comes in.
    Peace,
    Cameron Purdy
    Tangosol, Inc.
    http://www.tangosol.com
    +1.617.623.5782
    WebLogic Consulting Available
    "Jerson Chua" <[email protected]> wrote in message
    news:[email protected]...
    Hello guys...
    I've a solution but it doesn't work yet so I need your help. Because
    one
    of the reason for getting form base authentication failed is if an
    authenticated user tries to login again. For example, the one mentionedby
    John using the back button to go to the login page and when the user logsin
    again, this error occurs.
    So here's my solution
    Instead of submitting the page to j_security_check, submit it to a
    servlet
    which will check if the user is logged in or not. If yes, invalidates its
    session and forward it to j_security_check. But there's a problem in this
    solution, eventhough the session.invalidate() (which actually logs theuser
    out) is executed before forwarded to j_security_check, the user doesn't
    immediately logged out. How did I know this, because after calling
    session.invalidate, i tried calling request.RemoteUser() and it doesn't
    return null. So I'm still getting the error. What I want to ask you guyis
    how do I force logout before the j_security_check is called.
    here's the code I did which the login.jsp actually submits to
    import javax.servlet.*;
    import javax.servlet.http.*;
    import java.io.*;
    public class Authenticate extends HttpServlet {
    public void doPost(HttpServletRequest request, HttpServletResponseresponse)
    throws ServletException, java.io.IOException {
    if (request.getRemoteUser() != null) {
    HttpSession session = request.getSession(false);
    System.out.println(session.isNew());
    session.invalidate();
    Cookie[] cookies = request.getCookies();
    for (int i = 0; i < cookies.length; i++) {
    cookies.setMaxAge(0);
    getServletContext().getRequestDispatcher("/j_security_check").forward(reques
    t, response);
    public void doGet(HttpServletRequest request, HttpServletResponseresponse)
    throws ServletException, java.io.IOException {
    doPost(request, response);
    let's help each other to solve this problem. thanks.
    Jerson
    "Jerson Chua" <[email protected]> wrote:
    I thought that this problem will be solved on sp6 but to my
    disappointment, the problem is still there. I'm also using RDBMSRealm,same
    as John.
    Jerson
    "Cameron Purdy" <[email protected]> wrote:
    John,
    1. You are using a single WL instance (i.e. not clustered) on that
    NT
    box
    and doing so without a proxy (e.g. specifying http://localhost:7001),
    correct?
    2. BEA will pay more attention to the problem if you upgrade to SP6.If
    you don't have a reason NOT to (e.g. a particular regression), then
    you
    should upgrade. That will save you one go-around with support: "Hi,I
    am
    on SP5 and I have a problem.", "Upgrade to SP6 to see if that fixes
    it.
    Call back if that doesn't work."
    3. Make sure that you are not doing anything special before or after
    J_SECURITY_CHECK ... make sure that you have everything configuredand
    done
    by the book.
    4. Email BEA a bug report at [email protected] ... see what they say.
    Peace,
    Cameron Purdy
    Tangosol, Inc.
    http://www.tangosol.com
    +1.617.623.5782
    WebLogic Consulting Available
    "John Wang" <[email protected]> wrote in message
    news:[email protected]...
    Cameron,
    It seems to me that the problem I encountered is different a little
    from
    what you have, evrn though the error message is the same eventually.
    Everytime I go through, I always get that error.
    I am using weblogic5.1 and sp5 on NT4.0. Do you have any solutions
    to
    work
    around this problem? If it was a BUG as you
    pointed out, is there a way we can report it to the Weblogic
    technical support and let them take a look?
    Thnaks.
    -John
    "Cameron Purdy" <[email protected]> wrote:
    John,
    I will verify that I have seen this error now (after having read
    about it
    here for a few months) and it had the following characteristics:
    1) It was intermittent, and appeared to be self-curing
    2) It was not predictable, only seemed to occur at the first
    login
    attempt,
    and may have been timing related
    3) This was on Sun Solaris on a cluster of 2 Sparc 2xx's; the
    proxy
    was
    Apache (Stronghold)
    4) After researching the newsgroups, it appears that this "bug"
    may
    have gone away temporarily (?) in SP5 (although Jerson Chua
    <[email protected]> mentioned that he still got it in SP5)
    I was able to reproduce it most often by deleting the tmpwar and
    tmp_deployments directories while the cluster was not running,
    then
    restarting the cluster. The first login attempt would fail(roughly
    90%
    of
    the time?) and that server instance would then be ignored by the
    proxy
    for a
    while (60 seconds?) -- meaning that the proxy would send all
    traffic,
    regardless of the number of "clients", to the other server in thecluster.
    As far as I can tell, it is a bug in WebLogic, and probably has
    been
    there
    for quite a while.
    Peace,
    Cameron Purdy
    Tangosol, Inc.
    http://www.tangosol.com
    +1.617.623.5782
    WebLogic Consulting Available
    "John Wang" <[email protected]> wrote in message
    news:[email protected]...
    Hi Everyone,
    The following problem related to form-based authentication
    was posted one week ago and no reponse. Can someone give it
    a shot? One more thing is added here. When I try it on J2EE
    server and do the same thing, I didn't encounter this error
    message, and I am redirected to the homeage.
    Thanks.
    -John
    I am using weblogic5.1 and RDBMSRealm as the security realm. I
    am
    having
    the following problem with the form-based authentication login
    mechanism.
    Does anyone have an idea what the problem is and how to solve it?
    When I login my application and logout as normal procedure, it
    is
    OK.
    But
    if I login and use the browser's BACK button to back the login
    page
    and
    try
    to login as a new user, I got the following error message,
    "Form based authentication failed. Could not find session."
    When I check the LOG file, it gives me the following message,
    "Form based authentication failed. One of the following reasons
    could
    cause it: HTTP sessions are disabled. An old session ID was stored
    in
    the
    browser."
    Normally, if you login and want to relogin without logout first,
    it
    supposes to direct you to the existing user session. But I don'tunderstand
    why it gave me this error. I also checked my property file, it
    appears
    that
    the HTTP sessions are enabled as follows,
    weblogic.httpd.session.enable=true

  • Form based authentication HTTP 403 access forbidden in WL 8.1

    Hi there..
    I found following message posted in April-2004 by Sandeep very useful.
    I also ended up getting the following HTTP 403 Forbidden access error while using Pageflow controller and Form based authentication.
    I noticed 2 things. If you have a normal webapp A, which is a plain old webapp (which does not use pageflow..workshop etc..) then the following error does not occur.
    It only happens with those webapps which utilizes WL 8.1's pageflow features. Note that I am not using nested page flows. I just used 1 pageflow controller and wanted to have the form based login feature for the same.
    BEA's samples on form authentication talks about nested page flows and javax.security.auth.login.FailedLoginException and etc.. are they only applicable to nested pageflows?
    can't I use the same to capture failed login exception within a single controller?
    I tried out putting FailedLoginException exception-handler in Global.app file but it didn't catch it. Only the following work around worked. is this a bug in WL 8.1 workshop? or I am missing something.
    I would appreciate if someone can clear this doubt.
    I am using WL 8.1 with sp3.
    Rajesh
    Hey guys,
    I could find the solution for my problem. Here it is
    We need to add following lines of code in the erro.jsp page.
    <form action"j_security_check>
    ....write the error mesage....
    </form>
    You will get rid of "403 Forbidden page" error.
    Thanks,
    Sandip
    [email protected] (Sandip Atkole) wrote in message news:<[email protected]>...
    I am trying to set up Form-Based Authentication on WebLogic 8.1
    The Problem:
    If the user provides correct userid/password, he gets access to the
    protected resource as required, but if he provides incorrect
    userid/password, he gets a 403 Forbidden page, instead of getting the
    login failure page.
    The Descriptors:
    WEB.XML
    <login-config>
    <auth-method>FORM</auth-method>
    <form-login-config>
    <form-login-page>/Login.jsp</form-login-page>
    <form-error-page>/LoginError.jsp</form-error-page>
    </form-login-config>
    </login-config>
    Why doesn't it redirect to "/LoginError.jsp" instead of showing the
    403 Forbidden page?
    Thanks in advance
    Sandip

    It seems like a bug. However when I explicitly reset the error using set status it worked for me. I added following code in my error jsp .
    <%     
         response.setHeader("conent-type","text/html");
         response.setStatus(200);
    %>

  • Enabling CLIENT-CERT and FORM authentication in same web-app

    Hi!
    I try to enable same behaviour in WLS 8.1 SP4 as is available in WLS 9.2 (one can define in web.xml to have many <auth-method>s, for example <auth-method>CLIENT-CERT,FORM<auth-method>, which states that first one tries authentication with token (Single Sign On case, for example) and if it is not successful then go to log-in page.
    My steps are as follows in my custom Servlet. We are using IE 6.0 as our web-client. We have configured our auth-method to be FORM, and in the <form-login-page> we have direction to that custom Servlet, which does the handling described below.
    1. If client does not send tokens in request, then set response header:
    response.setHeader("WWW-Authenticate", "Negotiate");
    response.sendError(response.SC_UNAUTHORIZED);
    This works fine and client starts to send his tokens
    2. Now check token, if it is valid, let user in, if not forward him to custom log-in page, for example:
    RequestDispatcher dispatcher = request.getRequestDispatcher("/login/login.html");
    dispatcher.forward(request, response);
    3. Client is forwarded to a log-in page as requested and he gives his credentials. Pushes OK
    log-in page is as defined in edocs:
    <form method="POST" action="j_security_check">
         <table border=1>
              <tr>
                   <td>Username:</td>
                   <td><input type="text" name="j_username"></td>
              </tr>
              <tr>
                   <td>Password:</td>
                   <td><input type="password" name="j_password"></td>
              </tr>
              <tr>
                   <td colspan=2 align=right><input type=submit value="Submit"></td>
              </tr>
         </table>
    </form>
    Now the interesting thing happens (I have investigated TCP traffic at server machine): client (in this case IE) seems to override somehow the credentials (j_password and j_username for HTTP headers, does not send them at all) but keeps on sending this 'Authorize'-field with invalid token instead.
    I have tried a Servlet that does not request WWW-Authenticate at all (in which case client does not start to send 'Authorize'-field). In this case those values are put to HTTP header OK and authentication is able to take place.
    Anyone has any ideas how can I force my clients to send those values from the HTML FORM described above? SHould I set something at response while I do the forward to the custom log-in page. I have tried virtually everything I can imagine (which seems to be not too much :-))...

    Solution found:
    The trick is to return "401" in response if ticket is not valid (do nothing else). This will end the negotiate between client and server
    In your web.xml, forward your 401 code to login page:
    <error-page>
    <error-code>401</error-code>
    <location>/form_login_page.html</location>
    </error-page>
    There might be a more straightforward way to do this (have all the page management within servlet), but I did not have time to investigate it further. This one at least works

  • Can you enable both Windows Based Authentication and Forms Based Authenication for the same web application?

    Hello Community
        In WS2012 and SharePoint 2013 Server is it possible when creating a
    web application to enable both Windows Based Authentication/Negotiate
    (Kerberos) and enable Forms Based Authentication or does the web application
    use either one or the other?
        Thank you
        Shabeaut 

    Yes , you can use dual authentication on same web application. You can use same web application , at OOB login page you will have option to use windows or form login.
    Or you can extend your web application to a new web app and configure extended web application to use Form Based Authentication(Note extended web application will also show same content database , so the content will same only url will be different)
    http://blogs.technet.com/b/ptsblog/archive/2013/09/20/configuring-sharepoint-2013-forms-based-authentication-with-sqlmembershipprovider.aspx
    http://gj80blogtech.blogspot.in/2013/11/forms-based-authentication-fba-in.html
    Thanks
    Ganesh Jat [My Blog |
    LinkedIn | Twitter ]
    Please click 'Mark As Answer' if a post solves your problem or 'Vote As Helpful' if it was useful.

  • Form based authentication getting logged in username and role

    Hi
    I have implemented a simple Form based authentication in my web site.
    I have maintained tomcat-users.xml file for user names, passwords and roles.
    Once my user is authenticated, I need to access his name and role in website.
    How can this be done.
    Please guide.
    Thanks

    The request object should contain the information, e.g. use request.getRemoteUser().

  • FORM Based Authentication and Browser Refreshing

    We are using FORM Based Authentication in our web application and it works rather well. I have noticed an interesting bit of behavior that I am unable to explain. After an attempt is made to access the first protected resource the container will display the login page specified in the web.xml file. After successful authentication the original protected resource is displayed as expected. In the Address line of the browser however the original URI requested is now replaced with the following:
    http://<domain>:<port>/<root>/j_security_check
    Now, when we hit the refresh button on the browser we get the following error:
    404 Not Found
    Resource /<domain>/j_security_check not found on this server
    Two questions. 1. why does it do this? and/or (more importantly) 2. How do I prevent this behavior or work around it?

    I�m trying to figure out how to pass the user�s ID
    and password, using form-based authentication and
    file realm, to our JDBC connection. Two separate issues.
    I've usually seen it done where there are three tiers, of course. The user provides login credentials from the view tier, which are passed to the controller tier. The controller will validate the user against a database or LDAP. Once they're validated, the credentials are put into session and provided for all apps that need them, including the persistence tier.
    The connection pool requires that you create connections using an application ID, not the user ID. You have to move the security out of the database and into the application.
    %

  • Form-based authentication and JSF

    I am trying to use a form-based authentication in Tomcat 6, and from what I understand the page that contains the login form can not be a JSF page.
    The problem I'm having with this is that I need the client's username and password accessible from my backing bean, but I don't know how to put them there from a standard JSP.
    Before all this, I had a simple login form with username/password fields that were bound to a bean, and a button that executed a bean method that would perform the login procedure, retrieve the client's data from the DB and create a Client object in the session to be accessible throughout the application. Now, I need to use container managed access control with form-based authentication, and I know how to set it up but don't know how to create the Client object if the container does all the authentication and I never even get a hold of a username/password combination let alone the rest of the client's data.
    Any advice on this would be greatly appreciated.

    alf.redo wrote:
    ...following article: [j2ee_security_a_jsf_based_login_form|http://groundside.com/blog/DuncanMills.php?title=j2ee_security_a_jsf_based_login_form]
    This is exactly the solution I am planning to use. It is good to know there are others who have decided to go that way.
    Thanks

  • Form Based Authentication in Tomcat, getting login and password

    Sorry for my English.
    How I can guess login and password strings of an user, from error page (JSP)using "Form Based Authentication of Tomcat"?
    I need know it to lock the count each 3 error tries (if login is ok but
    password is bad, insteed).
    Methods 'getRemoteUser', 'isUserInRole' and 'getUserPrincipal' of
    HttpServletRequest interface have this result: If no user has been
    authenticated, returns null, false and null respectly. For this reason, they aren't utils for me.
    If I don�t know login what user writed, I can't lock his/her count.
    Exist solution for this? Thanks

    hi i am also facing the same problem. could u please tell me how u overcame the situation ?
    u will reallly pull me out of my troubles
    thanx in advance
    [email protected]

Maybe you are looking for

  • Creating a restore image on an external drive with package install options

    Hi, I'm looking to use a combination of tools maybe Deploy Studio, System Image Utility etc to create an image that isn't Netbooted but rather on an external drive (a fast Thunderbolt raid enclosure) - a restorable image which will contain OSX setup

  • XI - Idoc scenario

    Hi, We use File <-> XI -> IDoc scenario. XI picks the Text file from the fileserver & we have BPM to do the intial validations. If the validation fails, then the file is again sent back to the fileserver by attaching a trailer record to the file. If

  • How do i clean cache and harddrive

    I have deleted many photos and files not currently needed.  But my hard drive still is quite ful.  How do i clean it out further?

  • Changes not reflected in table CDHDR/CDPOS using production order(CO02)

    Hi experts.. i want to extract all the changed\new entries from table RESB (reservation table). The object class for this table is ORDER. I m using CDHDR/CDPOS tables for retrieving the changes. But the changes reflected in RESB using Service Order t

  • Changing RMI Port in HTTP adapter in interconnect

    Hi I need to change the RMI port for one of my HTTP adapters in Interconnect. I have changed it in the adapter.ini and in the web.xml files. I have then recreated the JAR/EAR files and redeployed the application to the oai component. The adapter star