Using security-constraint in web.xml; not recognizing url-pattern tag
I am creating a very simple jsp application within JDeveloper 10.1.3.1. I have 2 jsp files...a readData.jsp and a maintainData.jsp. I would like to deploy this application to Oracle Application Server 10.1.2.2. I would like to use Oracle Internet Directory with Single Sign on enabled. The deployment to OAS works fine. For the security, I would like an administrator user to get to both pages...and a user to only be able to see the readData.jsp. I used the security constraints on the properties of the web.xml file within JDeveloper. Here is my web.xml file:
<?xml version = '1.0' encoding = 'windows-1252'?>
<!DOCTYPE web-app PUBLIC "-//Sun Microsystems, Inc.//DTD Web Application 2.3//EN" "http://java.sun.com/dtd/web-app_2_3.dtd">
<web-app>
<description>Empty web.xml file for Web Application</description>
<session-config>
<session-timeout>35</session-timeout>
</session-config>
<mime-mapping>
<extension>html</extension>
<mime-type>text/html</mime-type>
</mime-mapping>
<mime-mapping>
<extension>txt</extension>
<mime-type>text/plain</mime-type>
</mime-mapping>
<security-constraint>
<web-resource-collection>
<web-resource-name>adm_full_access</web-resource-name>
<url-pattern>*</url-pattern>
</web-resource-collection>
<auth-constraint>
<role-name>adm_all</role-name>
</auth-constraint>
</security-constraint>
<security-constraint>
<web-resource-collection>
<web-resource-name>usr_access</web-resource-name>
<url-pattern>readData.jsp</url-pattern>
</web-resource-collection>
<auth-constraint>
<role-name>usr_all</role-name>
</auth-constraint>
</security-constraint>
<login-config>
<auth-method>BASIC</auth-method>
</login-config>
<security-role>
<role-name>usr_all</role-name>
</security-role>
<security-role>
<role-name>adm_all</role-name>
</security-role>
</web-app>
When I deploy to OAS I added an OID account to the adm_all role...this works fine I can log on as that user and get to both jsps. But, when I add my user to the usr_all role within OAS I try to log on to the app...I then enter my SSO username and password and I get Access Denied errors from my browser when trying to access either page. I am confused about the <url-pattern> tag...is that relative to a directory within my deployment? Most of the examples I have seen use servlets...so I was wondering if I can even use the <url-pattern> tag to restrict/allow access to individual jsps? If someone could point me to some documentation on this set-up I would appreciate it!
Thank you.
I was able to get this to work. By doing the following:
<security-constraint>
<web-resource-collection>
<web-resource-name>adm_full_access</web-resource-name>
<url-pattern>*</url-pattern>
</web-resource-collection>
<auth-constraint>
<role-name>adm_all</role-name>
</auth-constraint>
</security-constraint>
I was restricting access to all other groups by uisng <url-pattern>*</url-pattern>. Any other security-constraints set-up after that will not work. So saying * requires usr_all will restrict ALL webpages to ONLY adm_all, regardless of what future constraints say. So, my first security-constraints lists all directories or pages that every user can access. My next security-constraint then list resources that only my admins (adm_all) can acess. Any other security constraints then are set-up for each user role that I have...if adm_all should have access to these then the <role-name>adm_all</role-name> is added to each security constraint.
Similar Messages
-
RE: security-constraint in web.xml of sunone 6.1
Hello again,
Still url-pattern of security-constraint issue in web.xml of sunone 6.1 (SP5).
I am pretty sure this pattern works fine in SunOne 6.0 and SunOne 6.1 SP2,
<security-constraint>
<url-pattern>/app/jws1/*.jsp</url-pattern>
<url-pattern>/app/jws1/*.jnlp</url-pattern>
</security-constraint>
In SunOne 6.0 or SunOne 6.1 SP2, if I have not yet logged in and type in a url matching the above patterns in a browser, I will be asked for username and password. But in SunOne 6.1 SP5, I won't be asked for username and password.Unfortunately, that's not how <url-pattern> values work. They shouldn't have "worked" in 6.1 SP2. I'm pretty sure they didn't. 6.0 takes a more intuitive, but nonstandard, approach to <url-pattern> wildcards. That nonstandard behaviour was corrected in 6.1.
The Java Servlet Specification 2.3 -- see http://www.jcp.org/aboutJava/communityprocess/final/jsr053/ -- defines the contents of the <url-pattern> as follows:
� A string beginning with a �/� character and ending with a �/*� postfix is used for path mapping.
� A string beginning with a �*.� prefix is used as an extension mapping.
� A string containing only the �/� character indicates the "default" servlet of the application. In this case the servlet path is the request URI minus the context path and the path info is null.
� All other strings are used for exact matches only.
That means that /app/jws1/* will do what you might expect, as will *.jsp, but /app/jws1/*.jsp will only match the exact URI /app/jws1/*.jsp. /app/jws1/*.jsp will not match a URI such as /app/jws1/filename.jsp.
If you can't construct appropriate authorization rules using <url-pattern>, you may wish to a) restructure your web app or b) use Web Server ACLs. -
Security constraint in Web.xml of tomcat
Hi
I have a web-application running on tomcat . Inside the context folder i have several directories having some pre-defined configuration files . But the user is able to directly access them by typing the path including the fileName in the URL ( I have disabled the listings property however)
How can i prevent accessing the specific files .... I tried using
<security-constraint>
<display-name>Security constarint</display-name>
<web-resource-collection>
<web-resource-name>Java Application</web-resource-name>
<url-pattern>/folder/*</url-pattern>
<auth-constraint>
<role-name>tomcat</role-name>
</auth-constraint>
</web-resource-collection>
<auth-constraint>
<role-name>tomcat</role-name>
</auth-constraint>
</security-constraint>
<login-config>
<auth-method>BASIC</auth-method>
<realm-name>OnJava Application</realm-name>
</login-config>
This seems to be working fine , but when the user enters the wrong security info thrice , 401 error page is coming instead i want my custom page . Hence i configured an error page for 401 code which overwrited the earlier behavaiour ie.. that BASIC authentication popup is not coming
Can any one let me know how to go about thisHi ,
I have tried adding the following into web.xml but the security feature just doesnt work and the user can go to any page without any restriction.
<security-constraint>
<web-resource-collection>
<web-resource-name>Declarative Security Test</web-resource-name>
<url-pattern>/SuperServlet</url-pattern>
<url-pattern>/*</url-pattern>
<http-method>post</http-method>
<http-method>get</http-method>
</web-resource-collection>
<user-data-constraint>
<transport-guarantee>CONFIDENTIAL</transport-guarantee>
</user-data-constraint>
<auth-constraint>
<role-name>guest</role-name>
<role-name>member</role-name>
</auth-constraint>
</security-constraint>
<login-config>
<auth-method>BASIC</auth-method>
</login-config>
<security-role>
<role-name>guest</role-name>
<role-name>member</role-name>
</security-role>
The roles mentioned above have been added correctly into tomcat-users.xml..The version of tomcat I am using is tomcat5.0.28.Please help. -
Form based authentication problem - security constraint in web.xml
Hi ,
I have j_security_check in my login page
<form name="loginForm" id="loginForm" method="post" action="j_security_check">
<table id="login" align="center" cellspacing="0" cellpadding="0">
<tr>
<td class="label">Name</td>
<td class="value"><input id="j_username" name="j_username" value="" type="text" ></td>
</tr>
<tr>
<td class="label">Password</td>
<td class="value"><input name="j_password" type="password"></td>
</tr>
<tr>
<td colspan="2" class="submit"><input type="submit" name="Submit" value="Log in >>"></td>
</tr>
</table>
</form>
And my web.src consists the following
<security-constraint>
<web-resource-collection>
<web-resource-name>EP</web-resource-name>
<url-pattern>/*</url-pattern>
<http-method>GET</http-method>
<http-method>POST</http-method>
</web-resource-collection>
<auth-constraint>
<role-name>EP</role-name>
</auth-constraint>
<user-data-constraint>
<transport-guarantee>CONFIDENTIAL</transport-guarantee>
</user-data-constraint>
</security-constraint>
<login-config>
<auth-method>EPULSE</auth-method>
<realm-name>AuditManager</realm-name>
<form-login-config>
<form-login-page>/login.jsp</form-login-page>
<form-error-page>/error.jsp</form-error-page>
</form-login-config>
</login-config>
After I start the tomcat server I can go to the login page, however when I enter the username and password and press enter..
http://localhost:8443/au/j_security_check ...
Can you please advise me whether there is a problem in this?
ManishaPlease read the Servlet specification for details on how to specify url-patterns (see section 11.2). Your "index.*" is not a legal pattern. You can only end in "/*" or "*.foo". See Servlet spec.
If after fixing that you have more questions, please include the actual sequence of requests (and responses), preferably from a network snoop. -
Query string in security constraint in web.xml
Hi All
I want to portect following URL in securit-constraint tag of web.xml
/appmanager/website/portal?_nfpb=true&_pageLabel=myaccount
but when i write :
<security-constraint>
<display-name>FormProtectedPages</display-name>
<web-resource-collection>
<web-resource-name>Constraint-0</web-resource-name>
<url-pattern/appmanager/website/portal?_nfpb=true&_pageLabel=myaccount</url-pattern> //line 1
</web-resource-collection>
<auth-constraint>
<role-name>MyRole</role-name>
</auth-constraint>
<user-data-constraint>
<transport-guarantee>NONE</transport-guarantee>
</user-data-constraint>
</security-constraint>
It gives me error in line 1 that
"the reference to entity "_pagelabel" must end with ";" delimiter."
What could be the reason for this. Cant i portect URLs of this kind in my web.xml?
Any suggestions would be helpful.
ThanksShabd wrote:
It gives me error in line 1 that
"the reference to entity "_pagelabel" must end with ";" delimiter."
What gives you an error? -
Security constraint in web.xml
Hi All
I want to set a security contraint to verfity my system user, I know I need to put the following section into the tomcat created web.xml. But I dont know where is the web.xml on my Tomcat 4.1.24, because i found many web.xml files in different directory.
Q1) Sorry I know this is a silly question, but can u tell me which web.xml is the one I need to edit in order to set my the security constraint?
Q2) Instead of editing the created Tomcat web.xml, can I create my own web.xml and put it in <Tomcat_Homw>/webapps/ROOT/WEB-INF. This is just only for the security constraint towards my system.
Many many thanks
Kelvin
<security-constraint>
<web-resource-collection>
<web-resource-name>Administration</web-resource-name>
<url-pattern>/admin</url-pattern>
<url-pattern>/users</url-pattern>
</web-resource-collection>
<auth-constraint>
<role-name>administrator</role-name>
</auth-constraint>
</security-constraint>
<login-config>
<auth-method>FORM</auth-method>
<form-login-config>
<form-login-page>/login</form-login-page>
<form-error-page>/login-error</form-error-page>
</form-login-config>
</login-config>
<security-role>
<role-name>administrator</role-name>
</security-role>you need to do it for every web-app... thats why there is one web.xml file for each! There is a thing in CATALINA_HOME/conf/server.xml that u can uncomment to enable 'single-logon' which means u cna log on once and be authenticated for every web-app...
root isn't a web-app i don't think... so therefore u can't restrict access to it (someone correct me if wrong)... I don't know what u mean by restricting access to your 'system' -
I have some more problem in the web.xml file and url-pattern in my syste
HI ALL!
How can I create and place the web.xml and URL-parrten.Because I run
the tomcat in my computer with ME system.
Hocwhat is the problem? please be more specific and detailed? check a sample web.xml file and make your own one and place it in your <application-context>\WEB-INF folder..
-
Revision: 1720
Author: [email protected]
Date: 2008-05-14 14:50:06 -0700 (Wed, 14 May 2008)
Log Message:
Bugs: LCDS-304 - Authentication not working in all cases when using security constraint with NIO endpoints.
QA: Yes
Doc: No
Details:
Update to the TomcatLoginCommand to work correctly with NIO endpoints.
Ticket Links:
http://bugs.adobe.com/jira/browse/LCDS-304
Modified Paths:
blazeds/branches/3.0.x/modules/opt/src/tomcat/flex/messaging/security/TomcatLoginCommand. javaRevision: 1720
Author: [email protected]
Date: 2008-05-14 14:50:06 -0700 (Wed, 14 May 2008)
Log Message:
Bugs: LCDS-304 - Authentication not working in all cases when using security constraint with NIO endpoints.
QA: Yes
Doc: No
Details:
Update to the TomcatLoginCommand to work correctly with NIO endpoints.
Ticket Links:
http://bugs.adobe.com/jira/browse/LCDS-304
Modified Paths:
blazeds/branches/3.0.x/modules/opt/src/tomcat/flex/messaging/security/TomcatLoginCommand. java -
Security in my web.xml in Tomcat 4
Hello,
I was using this application on Tomcat 3 and my web.xml worked perfectly well.
However when I tried to start it on Tomcat 4 there is something wrong with the
security part of my web.xml . If I leave out the security constraint for this application, it
works. However if I make my application secure I am unable to view it in the browser.
It does not try to connect to the login.jsp page for log in , but simply displays the message that the page is unavailable and that I have to refresh my browser. Please help me with that because I am stuck.
Here is my web.xml :
<?xml version="1.0" encoding="ISO-8859-1"?>
<!DOCTYPE web-app
PUBLIC "-//Sun Microsystems, Inc.//DTD Web Application 2.3//EN"
"http://java.sun.com/dtd/web-app_2_3.dtd">
<web-app>
<servlet>
<servlet-name>UploadServlet</servlet-name>
<servlet-class>UploadServlet</servlet-class>
<init-param>
<param-name>SaveDirectory</param-name>
<param-value>C:\Homeworks\</param-value>
</init-param>
<init-param>
<param-name>Proffesors</param-name>
<param-value>Clayton,Douglass,Guruvado</param-value>
</init-param>
</servlet>
<security-constraint>
<display-name>Protected Homework Upload</display-name>
<web-resource-collection>
<web-resource-name>Protected Area</web-resource-name>
<!-- Define the context-relative URL(s) to be protected -->
<!--<url-pattern>/servlet/Upload</url-pattern>-->
<url-pattern>/servlet/UploadServlet</url-pattern>
<!-- If you list http methods, only those methods are protected -->
<http-method>DELETE</http-method>
<http-method>GET</http-method>
<http-method>POST</http-method>
<http-method>PUT</http-method>
</web-resource-collection>
<auth-constraint>
<!-- Anyone with one of the listed roles may access this area -->
<role-name>student</role-name>
<role-name>proffesor</role-name>
</auth-constraint>
</security-constraint>
<login-config>
<auth-method>FORM</auth-method>
<realm-name>Example Form-Based Authentication Area</realm-name>
<form-login-config>
<form-login-page>/login.jsp</form-login-page>
<form-error-page>/error.jsp</form-error-page>
</form-login-config>
</login-config>
</web-app>
Thank you very much for your time and advise. I appreciate it very much
Martinhi,slice
I donot really find exactly what is wrong in your config file. But I have some suggestions:
1.Please use servlet URL mapping in "servlet" tag (for example: "/security/upload") instead of using default servlet URL(just like "/servlet/UploadServlet").
2. In the "url-pattern" tag inside "web-resource-name" ,please using "/security/*", if you are using my suggestion above.
3.Make sure that your "login.jsp" page is in the right place of the application's doc-root.
Make a try and good luck!
Wang Yu
Developer Technical Support
Sun Microsystems
http://sun.com/developers/support -
Wrong security configuration in web.xml
Hi all
I am developing an application with JDeveloper 10.1.3.3 using ADF-BC/JSF. I have followed the example of SRDemo and my .jspx files are located in two folders : public_html/app and public_html/pricelist/
My application will have two user roles. The administrators who access everything and the users that need to access only the pages located in faces/app and get access denied mesages in all pricelist management pages.
I have used file based security and defined users and roles in jaz-data.xml. I have also verified that the data in that file are correct using the isUserInRole() function.
What I cannot get to work correctly is the security in the web.xml since the way I have it both users and admins are granted full access to the faces/app/pricelist pages.
The security constrains on my web.xml look like this :
<security-constraint>
<web-resource-collection>
<web-resource-name>PricelistData</web-resource-name>
<description> Price list management pages</description>
<url-pattern>faces/app/pricelist/*</url-pattern>
</web-resource-collection>
<auth-constraint>
<role-name>admin</role-name>
</auth-constraint>
</security-constraint>
<security-constraint>
<web-resource-collection>
<web-resource-name>UserData</web-resource-name>
<url-pattern>faces/app/*</url-pattern>
</web-resource-collection>
<auth-constraint>
<role-name>user</role-name>
<role-name>admin</role-name>
</auth-constraint>
</security-constraint>
<login-config>
<auth-method>BASIC</auth-method>
<realm-name>jazn.com</realm-name>
</login-config>
<security-role>
<role-name>user</role-name>
</security-role>
<security-role>
<role-name>admin</role-name>
</security-role>Can anyone tell me what am I doing wrong, or suggest anything else I should check ?
ThanassisWell you're orion-application.xml file looks okay to me, and addition if the isUserInRole is returning proper values, it's hooked up correctly.
(By the way, a useful bean/free piece of code to do just what you're doing is the JSF-Security scope as written by Duncan Mills on Sourceforge)
As such I'd be looking at the security constraints URLs. You haven't by chance changed the url-pattern for the Faces Servlet? The default is this:
<servlet-mapping>
<servlet-name>Faces Servlet</servlet-name>
<url-pattern>/faces/*</url-pattern>
</servlet-mapping>...and your url-patterns assumes it starts with faces. Note it is correct in your url-patten to not include a forward slash before faces in the security constraint.
Another thing that springs to mind, when you navigate to the protected page through your menu structure, what URL do you see in the browser? Is it the URL of the page you came from, or the URL of the page you navigated to ... and in addition ..... another thing to try is in your browser, rather than navigating through your menu structure, go straight to the URL of the page. Does the login page then show?
The reason I mention this is if you're using the default navigation style in JSF for JDev 10.1.3 (if memory serves me well, it's direct), the Servlet may not actually inforce your protected page navigation as the navigated-to page is never actually served by the Faces servlet to the JEE engine to enforce security. I think I had a b1tch about this issue in the following OTN Re: ER: JSF direct navigation ignores JAZN container based security. Could this be what you're hitting?
As such try changing the navigation type to redirect.
CM. -
Need api for changing security role in web.xml !!
My requirement is to change the value of the deployment descriptor "security-role" (in web.xml) through an api and inturn to persist the new value in web.xml. Also I need to know if this change is automatically redeployed or an explicit redeployment is needed ? In that case how do I redeploy using an api call ?
I found a lot of apis related to roles like createRole, removeRole etc.. But there are no apis to change the name of the role and inturn persist in web.xml.
Do I need to provide any more information ? Let me know
Thanks,
Karthickwhy and when do you change security-role? try to use ant task (perhaph you need xpath also). it´s the better when you perform task about life´s cycle of application.
please, describe your problem.
of course in you change web.xml you must restart the application. -
Success_URL in web.xml not working - Need help
Hi:
I developed my whole application in Jdeveloper 10.1.3.2 and all the security are done through custom module. Everything is working fine except one of the part that is success_url in web.xml.
1. There are total 10 pages in my application independent of each other.
2. I configured the custom login procedure and it is working fine.
3. From Jdeveloper if I run any page (i.e. one of 10 pages) it is prompting me to login and after login it is redirecting to the page I ran.
My issue is that after the login is completed as in step 3, I want the page to be redirected to predefined page called UserResp.jspx. I don't want to redirect to the page from where the login page was called. As per the notes in the ADF document, I configured the success_url in the adfAuthentication servlet as below. But after login it is not redirecting to the success_url but it is redirecting to the page from where the login was prompted.
Do I need to perform any other step for this success_url to work. Could you please guide.
Below is the details of my web.xml.
<?xml version = '1.0' encoding = 'windows-1252'?>
<web-app xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xsi:schemaLocation="http://java.sun.com/xml/ns/j2ee http://java.sun.com/xml/ns/j2ee/web-app_2_4.xsd" version="2.4" xmlns="http://java.sun.com/xml/ns/j2ee">
<description>Empty web.xml file for Web Application</description>
<context-param>
<param-name>javax.faces.CONFIG_FILES</param-name>
<param-value>/WEB-INF/efile-faces-config.xml</param-value>
</context-param>
<context-param>
<param-name>javax.faces.STATE_SAVING_METHOD</param-name>
<param-value>client</param-value>
</context-param>
<context-param>
<param-name>CpxFileName</param-name>
<param-value>userinterface.DataBindings</param-value>
</context-param>
<context-param>
<param-name>oracle.adf.view.faces.CHECK_FILE_MODIFICATION</param-name>
<param-value>false</param-value>
</context-param>
<filter>
<filter-name>adfFaces</filter-name>
<filter-class>oracle.adf.view.faces.webapp.AdfFacesFilter</filter-class>
</filter>
<filter>
<filter-name>adfBindings</filter-name>
<filter-class>oracle.adf.model.servlet.ADFBindingFilter</filter-class>
</filter>
<filter-mapping>
<filter-name>adfFaces</filter-name>
<servlet-name>Faces Servlet</servlet-name>
<dispatcher>FORWARD</dispatcher>
<dispatcher>REQUEST</dispatcher>
</filter-mapping>
<filter-mapping>
<filter-name>adfBindings</filter-name>
<url-pattern>*.jsp</url-pattern>
</filter-mapping>
<filter-mapping>
<filter-name>adfBindings</filter-name>
<url-pattern>*.jspx</url-pattern>
</filter-mapping>
<servlet>
<servlet-name>adfAuthentication</servlet-name>
<servlet-class>oracle.adf.share.security.authentication.AuthenticationServlet</servlet-class>
<init-param>
<param-name>success_url</param-name>
<param-value>faces/app/user/UserResp.jspx</param-value>
</init-param>
<load-on-startup>1</load-on-startup>
</servlet>
<servlet>
<servlet-name>Faces Servlet</servlet-name>
<servlet-class>javax.faces.webapp.FacesServlet</servlet-class>
<load-on-startup>1</load-on-startup>
</servlet>
<servlet>
<servlet-name>resources</servlet-name>
<servlet-class>oracle.adf.view.faces.webapp.ResourceServlet</servlet-class>
</servlet>
<servlet>
<servlet-name>UploadMultiFileServlet</servlet-name>
<servlet-class>oracle.apps.xxcust.servlet.UploadMultiFileServlet</servlet-class>
</servlet>
<servlet-mapping>
<servlet-name>Faces Servlet</servlet-name>
<url-pattern>/faces/*</url-pattern>
</servlet-mapping>
<servlet-mapping>
<servlet-name>resources</servlet-name>
<url-pattern>/adf/*</url-pattern>
</servlet-mapping>
<servlet-mapping>
<servlet-name>UploadMultiFileServlet</servlet-name>
<url-pattern>/UploadMultiFileServlet</url-pattern>
</servlet-mapping>
<servlet-mapping>
<servlet-name>adfAuthentication</servlet-name>
<url-pattern>/adfAuthentication/*</url-pattern>
</servlet-mapping>
<session-config>
<session-timeout>35</session-timeout>
</session-config>
<mime-mapping>
<extension>html</extension>
<mime-type>text/html</mime-type>
</mime-mapping>
<mime-mapping>
<extension>txt</extension>
<mime-type>text/plain</mime-type>
</mime-mapping>
<jsp-config/>
<security-constraint>
<web-resource-collection>
<web-resource-name>All Pages</web-resource-name>
<url-pattern>faces/app/*</url-pattern>
</web-resource-collection>
<auth-constraint>
<role-name>ADMIN</role-name>
<role-name>MANAGER</role-name>
<role-name>USER</role-name>
</auth-constraint>
</security-constraint>
<login-config>
<auth-method>FORM</auth-method>
<form-login-config>
<form-login-page>/Login.jsp</form-login-page>
<form-error-page>/Login.jsp</form-error-page>
</form-login-config>
</login-config>
<security-role>
<role-name>ADMIN</role-name>
</security-role>
<security-role>
<role-name>MANAGER</role-name>
</security-role>
<security-role>
<role-name>USER</role-name>
</security-role>
</web-app>Hi All:
Thanks for all your help regarding the adfAuthentication success_url. Now I am able to configure to make this work. But now I am facing another issue i.e. I am getting 401 Not authorized message when the success_url is pointed to the jspx page.
Note: I am using custom login module similar to DBProcOraDataSourceLoginModule so my roles are stored in the custom Role class. So I am not sure how to pass this role info to the security in ADF in order to authorize the page to be viewed.
Could you please help and can you point me to any specific link.
Thanks & Regards
Sridhar Doki -
Hi all,
1)I have webapplication , I want to use form authentication to security it , under my root test , I have login.html, and secure folder ( group of pages),
I have two tables in my sql server , they are users, and user_role, mean time I give every user role member.
2) in my conf/server
I have <Realm className="org.apache.catalina.realm.JDBCRealm" debug="99"
driverName="com.microsoft.jdbc.sqlserver.SQLServerDriver"
connectionURL="jdbc:microsoft:sqlserver://localhost:1433"
connectionName="test" connectionPassword="1234"
userTable="users" userNameCol="Name" userCredCol="user_pass"
userRoleTable="user_roles" roleNameCol="role_name" />in my root test, I have web xml
<?xml version="1.0" encoding="ISO-8859-1"?>
<!DOCTYPE web-app
PUBLIC "-//Sun Microsystems, Inc.//DTD Web Application 2.3//EN"
"http://java.sun.com/dtd/web-app_2_3.dtd">
<web-app>
<welcome-file-list>
<welcome-file>Home.html</welcome-file>
</welcome-file-list>
<security-constraint>
<web-resource-collection>
<web-resource-name>SecurePages</web-resource-name>
<description>Security constraint for resources in the secure directory</description>
<url-pattern>/secure/*</url-pattern>
<http-method>GET</http-method>
</web-resource-collection>
<auth-constraint>
<role-name>member</role-name>
</auth-constraint>
<user-data-constraint>
<description>SSL not required</description>
<transport-guarantee>NONE</transport-guarantee>
</user-data-constraint>
</security-constraint>
<login-config>
<auth-method>FORM</auth-method>
<form-login-config>
<form-login-page>/Home.html</form-login-page>
<form-error-page>/ErrorLogin.jsp</form-error-page>
</form-login-config>
</login-config>
</web-app> if I take away the security <auth-constraint>
<role-name>member</role-name>
</auth-constraint> in my web xml the whole application work fine after login, jump from page to page, action to action. but if I add it , I only can go to one page , every time I click the link it jump back to login page .
What mistake I make??
Best regard.Hi,
I'm assuming you invoking the JWS from JPD via a service control.
In this case, the serviceControl has setUsername and setPassword method which will allow you to specify the username and password
cheers
Raj -
Weblogic.servlet.reloadCheckSecs in web.xml not working
Given the following web.xml file:
<!DOCTYPE web-app PUBLIC "-//Sun Microsystems, Inc.//DTD Web Application
1.2//EN" "http://java.sun.com/j2ee/dtds/web-app_2_2.dtd">
<web-app>
<context-param>
<param-name>weblogic.servlet.reloadCheckSecs</param-name>
<param-value>100</param-value>
</context-param>
<servlet>
<servlet-name>CookieCounter</servlet-name>
<servlet-class>servlets.CookieCounter</servlet-class>
</servlet>
<servlet-mapping>
<servlet-name>CookieCounter</servlet-name>
<url-pattern>monster</url-pattern>
</servlet-mapping>
<welcome-file-list>
<welcome-file>hello.html</welcome-file>
</welcome-file-list>
<error-page>
<error-code>404</error-code>
<location>/error.jsp</location>
</error-page>
</web-app>
It seems the weblogic.servlet.reloadCheckSecs property is not taking effect.
The
default value of -1 is always used. I did stop and restart weblogic.
I also trid to set the servlet classpath in the web.xml file with
weblogic.servlet.classpath
property and it did not change the classpath for the servlet. It seems that
other
items are working such as adding new servletrs to the web application. Note
that
this is the cookie sample application that installes with the beta 2
download.
Thanks,
Dan.
Hi All:
Thanks for all your help regarding the adfAuthentication success_url. Now I am able to configure to make this work. But now I am facing another issue i.e. I am getting 401 Not authorized message when the success_url is pointed to the jspx page.
Note: I am using custom login module similar to DBProcOraDataSourceLoginModule so my roles are stored in the custom Role class. So I am not sure how to pass this role info to the security in ADF in order to authorize the page to be viewed.
Could you please help and can you point me to any specific link.
Thanks & Regards
Sridhar Doki -
Error creating acl for (resource). I get this error when entering security info in web.xml.
We're using iWS 6.0. Is there some security configuration that needs to be done in order to use standard security directives in our web application's web.xml?
Thanks!Hi ,
I have tried adding the following into web.xml but the security feature just doesnt work and the user can go to any page without any restriction.
<security-constraint>
<web-resource-collection>
<web-resource-name>Declarative Security Test</web-resource-name>
<url-pattern>/SuperServlet</url-pattern>
<url-pattern>/*</url-pattern>
<http-method>post</http-method>
<http-method>get</http-method>
</web-resource-collection>
<user-data-constraint>
<transport-guarantee>CONFIDENTIAL</transport-guarantee>
</user-data-constraint>
<auth-constraint>
<role-name>guest</role-name>
<role-name>member</role-name>
</auth-constraint>
</security-constraint>
<login-config>
<auth-method>BASIC</auth-method>
</login-config>
<security-role>
<role-name>guest</role-name>
<role-name>member</role-name>
</security-role>
The roles mentioned above have been added correctly into tomcat-users.xml..The version of tomcat I am using is tomcat5.0.28.Please help.
Maybe you are looking for
-
Need link to .exe file to re-install/update Muse
Never works when launching app in Win 8, always have to uninstall application, then come her to get a link to re-install. Please help. TX!
-
Upgrading WLS+ADF to 11.1.1.6: problem with ADF libraries
Hi, I'm upgrading a standalone ADF environment (on RHEL5 64-bit) from 11.1.1.2.0 to 11.1.1.6.0. I followed note 1408663.1 "How to upgrade a WLS domain extended with ADF libraries" so first upgraded WLS to 10.3.6., then uninstalled Application Develop
-
SMTP Error: 5.3.4 & aliasdetourhost
Hi. Version of SJMS: Sun Java(tm) System Messaging Server 6.3-4.01 (built Aug 3 2007; 32bit) libimta.so 6.3-4.01 (built 17:13:29, Aug 3 2007; 32bit) SunOS mess1 5.10 Generic_125100-10 sun4u sparc SUNW,Sun-Fire-V440 My problem: I have configured email
-
R/H wihtout numbers in Text variables
Hi all, I need clarification about the Running Header. In my job, H1 style comes in (ex. 1.1 Introduction, 1.2 Sun) etc., In the Running Head i need H1 text only not numbers. Is it possible in Text variables? Thanks in advance
-
Wired BEFW11S4 frequently loses connection to internet. Fix?
Hi. I use a BEFW11S4 router wired into my home computer. There is also a wireless network connected to the internet through this router at my home. I am having a strange and frequent problem of losing connection to the internet on my wired computer