Web form based authentication. HOW ????
So , I've read almost all the forums and the specs that I could find and I still dont get it.
How do you form based authenticate a user ?
The unclear part is how/where is "j_security_check" mapped to ??
Is the Web Container taking care of that?
If it does, how do I configure the web container to access the database (all the username/password are in there)?
If not, I suppose I need a custom servlet that will pull the username/password from the db. The question is how do I tell the web container that the user credentials are verified??
Any suggestions or code samples are welcome!
Thanks,
mihut_m
If you're using Tomcat, try:
http://jakarta.apache.org/tomcat/tomcat-4.1-doc/realm-howto.html#JDBCRealm
and
http://www.onjava.com/pub/a/onjava/2001/07/24/tomcat.html
Basically you:
1) create a login and an error page. The form for the login must post with an action of "j_security_check" with a field named "j_username" and anoter named "j_password"
2) you tell tomcat (in server.xml) what realm to use and you configure it accordingly
3) in WEB-INF/web.xml you set the parameter for your security constraints.
Patrick
Similar Messages
-
How To Use HttpUnit With FORM-based Authentication?
I'm just getting started with HttpUnit, and I'm having a problem:
How does one use HttpUnit with FORM-based authentication?
I have a Web app where I specify a number of protected URLs. When a user tries to invoke one of them in a browser, Tomcat 4.1.30 brings up a login page that I specified and asks for a username and password. The values given by the user is checked against the tomcat-users.xml file. If the user is valid, Tomcat
forwards the response from the original request. If invalid, an error page is displayed. The user is considered valid until either the session times out or the browser is closed.
Does HttpUnit have to log into the app every time I run a test? How does it manage subsequent pages after login?I don't think that's true. HttpUnit is 100% Java and based on JUnit. HttpUnit has nothing to do with Apache, AFAIK. HttpUnit is for unit testing servlets and JSPs. Apache is a Web server. It doesn't have a servlet/JSP engine, unless you bolt Tomcat on top of it.
Perhaps we're talking about two different packages. - % -
Window for Form-Based Authentication in web.xml for JAZN.
Whether probably to make so that the form-authorization in Form-Based Authentication in web.xml for JAZN opened in a separate window?
Thanks,
Alexandrethis is what i have so far...in my web.xml deployment descriptor
am using Jbuilder 6 with tomcat.....if i run it from IDE, will the featuresi have added to the web.xml file...eg Error page be used ...or only when i deplo the app ???
<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE web-app PUBLIC "-//Sun Microsystems, Inc.//DTD Web Application 2.2//EN" "http://java.sun.com/j2ee/dtds/web-app_2_2.dtd">
<web-app>
<display-name>Java Pet Store</display-name>
<description>Web Application for Reseach</description>
<session-config>
<session-timeout>54</session-timeout>
</session-config>
<welcome-file-list>
<welcome-file>Default.jsp</welcome-file>
</welcome-file-list>
<error-page>
<error-code>500</error-code>
<location>/</location>
</error-page>
<taglib>
<taglib-uri>PetStoreTagLib</taglib-uri>
<taglib-location>/WEB-INF/PetStoreTagLib.tld</taglib-location>
</taglib>
<security-constraint>
<web-resource-collection>
<web-resource-name>SecurePages</web-resource-name>
<url-pattern>Checkout.jsp</url-pattern>
<url-pattern>OrderList.jsp</url-pattern>
<url-pattern>OrderDetails.jsp</url-pattern>
</web-resource-collection>
<auth-constraint>
<role-name>LoggedInUser</role-name>
</auth-constraint>
<user-data-constraint>
<transport-guarantee>CONFIDENTIAL</transport-guarantee>
</user-data-constraint>
</security-constraint>
<login-config>
<auth-method>FORM</auth-method>
<form-login-config>
<form-login-page>/Login.jsp</form-login-page>
<form-error-page>/ErrorPage.jsp</form-error-page>
</form-login-config>
</login-config>
<security-role>
<description>Logged In User</description>
<role-name>LoggedInUser</role-name>
</security-role>
</web-app>
in setting up the tomcat-users.xml file am i to add table to my database, to relate the user to the role....... -
How to redirect to j_security_check without the form based authentication
Hi,
I am trying to integrate my application authentication to a backend system with the ibm websphere form based authentication. Below is the scenario:
1. when the user clicks on a protected url, the container will redirect the user to the login page.
2. instead of displaying the login page, i would like to automatically redirect the user to j_security_check action. which means that instead of displaying the login.jsp page, the user will automatically be redirected to j_security_check to perform some user authentication, and if successful, the application pages will be displayed.
The reason i want to auto redirect the user to j_security_check is because i am implementing some integration work with a backend system. the user will key in the username/password from another system. once the user is authenticated, the user information will be passed to my system. The login page of my system will not be displayed again, and by using the username value, my system will assume that the user has successfully been authenticated (authentication done by the backend system), and therefore automatically gain authorization to login into my application.
i hope that clarifies my problem.
anyone out there has any solution to my problem?
thanks a lot in advance.Hi Darren,
Let me explain the whole authentication environment.
There are actually 2 systems in this environment. Let;s call it system A and system B.
System B is actually using the authentication mechanism that i described in my previous message.
A login page will be presented to the user (within system A). User credential is collected and passed to system A to be authenticated. System A will use its own mechanism to authenticate the user.
Once the user is authenticated, system A will pass the user ID to system B. At this point, system B will assume that the user is authenticated and grant authorization to access the application. (system B global security is enabled and implements the form based authentication mechanism) Therefore, at this point, the redirect page (so called login page) will not be displayed to the user, instead it will be automatically redirected to the j_security_check action to execute the customer Ldap Registry class. (ps : eventhough authentication is no longer needed, the flow will still go to Ldap Registry class. A check is done in the Ldap Registry class to skip the authentication, if it is not boot strap login. Only first and only time authentication is done for boot strap login).
In the case a protected url is clicked or invoked by the user directly, the application will redirect the user to the initial login of system A. Otherwise (the url link originates from system A, during the passing of user token to system B), system B will redirect to j_security_check and execute the customer Ldap Registry class.
Based on the above explained scenario, in your opinion, is there any security loopholes? consider that system B no longer perform authentication but only to grant authorization to the user.
Appreciate your advice. Thanks in advance
Anyway, i am using the ibm websphere server. :) -
Faces context not found (Form based authentication)
<security-constraint>
<display-name>Example Security Constraint</display-name>
<web-resource-collection>
<web-resource-name>Protected Area</web-resource-name>
<url-pattern>/jsp/WorkingZone.jsp</url-pattern>
<http-method>GET</http-method>
<http-method>POST</http-method>
</web-resource-collection>
<auth-constraint>
<role-name>manager</role-name>
</auth-constraint>
</security-constraint>
<login-config>
<auth-method>FORM</auth-method>
<realm-name>Example Form-Based Authentication Area</realm-name>
<form-login-config>
<form-login-page>/Login/login.jsp</form-login-page>
<form-error-page>/Login/error.jsp</form-error-page>
</form-login-config>
</login-config>
when i tried to login with valid user the the url shows
http://localhost:8080/FormAuth/jsp/WorkingZone.jsp
how to append faces context automatically.
I am not finding for this faces context.
Plz suggest me a solution soon.
Thanks
Raghavendra PattarThe FacesContext is created by FacesServlet which is
definied in the web.xml with an url-pattern.
If you just follow the url-pattern of this
FacesServlet, usually /faces/ or *.faces, or *.jsf,
then the FacesContext will be created.Hi balu,
this is the web.xml that i am using
<?xml version="1.0" encoding="UTF-8"?>
<web-app xmlns="http://java.sun.com/xml/ns/j2ee" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" version="2.4" xsi:schemaLocation="http://java.sun.com/xml/ns/j2ee http://java.sun.com/xml/ns/j2ee/web-app_2_4.xsd">
<context-param>
<param-name>javax.faces.STATE_SAVING_METHOD</param-name>
<param-value>server</param-value>
</context-param>
<context-param>
<param-name>javax.faces.CONFIG_FILES</param-name>
<param-value>/WEB-INF/navigation.xml,/WEB-INF/managed-beans.xml</param-value>
</context-param>
<context-param>
<param-name>com.sun.faces.validateXml</param-name>
<param-value>true</param-value>
</context-param>
<context-param>
<param-name>com.sun.faces.verifyObjects</param-name>
<param-value>false</param-value>
</context-param>
<filter>
<filter-name>UploadFilter</filter-name>
<filter-class>com.sun.rave.web.ui.util.UploadFilter</filter-class>
<init-param>
<description>
The maximum allowed upload size in bytes. If this is set
to a negative value, there is no maximum. The default
value is 1000000.
</description>
<param-name>maxSize</param-name>
<param-value>1000000</param-value>
</init-param>
<init-param>
<description>
The size (in bytes) of an uploaded file which, if it is
exceeded, will cause the file to be written directly to
disk instead of stored in memory. Files smaller than or
equal to this size will be stored in memory. The default
value is 4096.
</description>
<param-name>sizeThreshold</param-name>
<param-value>4096</param-value>
</init-param>
</filter>
<filter-mapping>
<filter-name>UploadFilter</filter-name>
<servlet-name>Faces Servlet</servlet-name>
</filter-mapping>
<servlet>
<servlet-name>Faces Servlet</servlet-name>
<servlet-class>javax.faces.webapp.FacesServlet</servlet-class>
<load-on-startup>1</load-on-startup>
</servlet>
<servlet>
<servlet-name>ThemeServlet</servlet-name>
<servlet-class>com.sun.rave.web.ui.theme.ThemeServlet</servlet-class>
</servlet>
<servlet-mapping>
<servlet-name>Faces Servlet</servlet-name>
<url-pattern>/faces/*</url-pattern>
</servlet-mapping>
<servlet-mapping>
<servlet-name>ThemeServlet</servlet-name>
<url-pattern>/theme/*</url-pattern>
</servlet-mapping>
<welcome-file-list>
<welcome-file></welcome-file>
</welcome-file-list>
<jsp-config>
<jsp-property-group>
<url-pattern>*.jspf</url-pattern>
<is-xml>true</is-xml>
</jsp-property-group>
</jsp-config>
<security-constraint>
<display-name>Example Security Constraint</display-name>
<web-resource-collection>
<web-resource-name>Protected Area</web-resource-name>
<url-pattern>/secure/*</url-pattern>
<http-method>GET</http-method>
<http-method>POST</http-method>
</web-resource-collection>
<auth-constraint>
<role-name>manager</role-name>
</auth-constraint>
</security-constraint>
<!-- Default a login configuration that uses form-based authentication -->
<login-config>
<auth-method>FORM</auth-method>
<realm-name>Example Form-Based Authentication Area</realm-name>
<form-login-config>
<form-login-page>/Login/login.jsp</form-login-page>
<form-error-page>/Login/error.jsp</form-error-page>
</form-login-config>
</login-config>
<!-- Define a logical role for this application, needs to be mapped to an actual role at deployment time -->
<security-role>
<role-name>manager</role-name>
</security-role>
</web-app>1)My requirement is Login page should be the first page
If enter the valid user and password
then i will get directory structure
when i click the secured JSF page inside secure
i got this URL
http://localhost/secure/WorkingZone.jsp
obiviously /faces is missing
and i am getting faces context not found.
If u need further clarification i will send u..
Plz reply me... -
Hi
I configured forms based authentication mode in Sharepoint 2013 site. When i tried to log in with windows authentication prompt it throws the following error
The remote server returned an error: (500) Internal Server Error
[WebException: The remote server returned an error: (500) Internal Server Error.] System.Net.HttpWebRequest.GetResponse() +8548300 System.ServiceModel.Channels.HttpChannelRequest.WaitForReply(TimeSpan timeout) +111 [ProtocolException:
The content type text/html; charset=utf-8 of the response message does not match the content type of the binding (application/soap+msbin1). If using a custom encoder, be sure that the IsContentTypeSupported method is implemented properly. The first
1024 bytes of the response were: '<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd">
How to fix this issue?
Regards,
SivaDid you create a new web application or modify an existing web application?
I would start by checking the ULS logs, maybe there is an incorrect setting within one of the web.config files, or SQL permissions.
Also, as suggested above, check application pools are running.
This blog post is a great guide for setting up FBA, check it through to make sure you haven't missed any steps:
http://blogs.technet.com/b/ptsblog/archive/2013/09/20/configuring-sharepoint-2013-forms-based-authentication-with-sqlmembershipprovider.aspx -
Problem in form based authentication
Hi,
I am encountering some problem in form based authentication.
When I try to login for the first time. It reoute me to the image
directory and not to the request page.
When I try it for the second time, it shows
"Form based authentication failed. Could not find session."
And it always show this message no matter how many time I try.
I am not sure is it something that I did not set ...
Thanks for any advice.
EricHi Eric,
It may be a problem in your web.xml, I missed the "/" slash character
in the web.xml's in <form-login-page> element. So your web.xml
must look like -
Form based authentication -- control URGENT PLS.
I am following Form based authentication. I have a login page. I have specified the security constraints in the web.xml.
I would like to know after the execution of login where will the controller go to?? will it go the controller servlet, followed by an action class??
For any typical event (such as create customer)---the following has been the flow:
controller servlet--> createAction-->createUserBD (business delegate) --> customerManagerEJB --> customerDAO;
Now in case of login..
After the execution of login (authentication is by form based authentication ) where will the controll go to?
My requirement is to store the logged in userID details in Stateful Session bean. how will the flow look like?If the access is through a web invocation, control will go to whichever portion of the web app triggered
the security constraint. The ejb has no knowledge of the authentication. If you want to provide the
login details to the ejb you'll have to explicitly pass them from the web tier.
--ken -
Updating password for Form Based authentication database using code
Hi,
We have created FBA(Form Based authentication) for SP2010. We are storing all the usernames and Passwords in FBA database. If any user changes their password needs to be save in FBA Database with latest password.
can any one suggest me how to do this one.....
Thanks....https://msdn.microsoft.com/en-us/library/system.web.security.membershipprovider.changepassword(v=vs.110).aspx
Scott Brickey
MCTS, MCPD, MCITP
www.sbrickey.com
Strategic Data Systems - for all your SharePoint needs -
Session expired message in form based authentication
Hi, i m using JAAS form based authentication on jboss for our application and we want session expired message to show in the login form when it loads for authentication after session expired.
do any one have any idea how to achive this as the application will never be able to detect that the session expired as it will always have a valid session available becoz ,When an HTTP session expires and the client makes a request to any secured resource, the JAAS subject will not be found for authorization. At this point, the security framework creates a new HTTP session, stores the target URL value in the session, and then redirects the user to the login page. After a successful login process, the user is forwarded back to the target page,
but our Web applications may need to capture these session expiration events and show some custom message to the user.
HTTP session listener doesn't work here as HTTP session listener does not allow you to create a new session.
Thanks in advanceObSSOCookie does have session time data. Access Manager SDK can parse the cookie and can access it's own settings for max and idle session time.
Trick is, once the user is logged out, the cookie is destroyed. I suspect there is no real practical way to do this.
I have pondered the idea that you could use AJAX to communicate with a service that uses the SDK to return data about current session state - "You have 40 seconds left to get your form filled out, buddy! 39, 38, 37..."
Oh to have that much free time... ;)
Mark -
Form Based Authentication without login page
Hi,
i need to use form based authentication in a web page, but without a dedicated login page. So basicly every page will contain a login form in the upper right corner, so the user can login anytime in his browsing session directly from the page he's reading.
I am aware of that the form based authentication config needs a login and a error page.
I need some hints on how this could be implemented so that i dont need them directly. Im quite sure this is possible, if any of you has ideas please share them with me.
dukes are waiting ...sorry - double posted : http://forum.java.sun.com/thread.jspa?threadID=584579&tstart=0
-
Form based authentication in JSF
Hi,
I am using form based authentication in JSF .
I am not able to display the JSF page.
I have this security constraint in my web.xml
<security-constraint>
<display-name>Example Security Constraint</display-name>
<web-resource-collection>
<web-resource-name>Protected Area</web-resource-name>
<url-pattern>/jsp/WorkingZone.jsp</url-pattern>
<http-method>GET</http-method>
<http-method>POST</http-method>
</web-resource-collection>
<auth-constraint>
<role-name>manager</role-name>
</auth-constraint>
</security-constraint>
<login-config>
<auth-method>FORM</auth-method>
<realm-name>Example Form-Based Authentication Area</realm-name>
<form-login-config>
<form-login-page>/Login/login.jsp</form-login-page>
<form-error-page>/Login/error.jsp</form-error-page>
</form-login-config>
</login-config>
WorkingZone.jsp is a jsp page with JSF components.Which can only be invoked with faces context.
I am using JDBCRealm
For the valid user I am getting this error------>
HTTP Status 400 - Invalid direct reference to form login page
type Status report
message Invalid direct reference to form login page
description The request sent by the client was syntactically incorrect (Invalid direct reference to form login page).
Please give me the solution.How can I access my jsf page.Thank you.
Marcos
Hi,
It should help you:
http://searchsoftwarequality.techtarget.com/searchAppS
ecurity/downloads/JSF_ch15.pdf
Message was edited by:
syllepsa -
Form based authentication getting logged in username and role
Hi
I have implemented a simple Form based authentication in my web site.
I have maintained tomcat-users.xml file for user names, passwords and roles.
Once my user is authenticated, I need to access his name and role in website.
How can this be done.
Please guide.
ThanksThe request object should contain the information, e.g. use request.getRemoteUser().
-
Form based authentication: handle authentication failure
Dear all,
in form based authentication, if authentication fails, i want to get the failure reason, e.g.
there maybe network error, db down or password/username mismatch...etc..
i want to get the reason for the failure.
in the web.xml..i specify as <form-error-page>/errorServlet</form-error-page>
but i can't get the exception in the error page (jsp) (through the exception implicit object) or in the error servlet.
(in the server log..there is a log message showing the exception...e.g. error in binding to ldap server using username/password..etc)
my question is : how can i get the exception in my error page / servlet so as to show user some meaningful message??
thank you.
lspDo you have the <login-error-page> assigned to a different page than your <error-page> handling error codes and exceptions? I would have thought an error in the j_security_check would go to the <error-page> while only login errors would go to <login-error-page>. This way, you would know the reason you got to any given page (ie - login-error-page only means name/password mismatch, while network errors, db problems, etc go to the Exception handling error page).
It is hard for me to test this here, but perhaps you could test it your self by forcing an exception to occur (like shutting down the DB before the login occurs).
-- I did get around to testing this. At least on Tomcat 6, any exception that occurs in the j_security_check appears to end up in the same error page as incorrect credentials. I also couldn't find any hidden page or request attributes that might hint at the cause... Sorry.
Edited by: stevejluke on Jul 28, 2008 6:25 PM -
Form based authentication -- controller --- URGENT PLS.
I am following Form based authentication. I have a login page. I have specified the security constraints in the web.xml.
I would like to know after the execution of login where will the controller go to?? will it go the controller servlet, followed by an action class??
For any typical event (such as create customer)---the following has been the flow:
controller servlet--> createAction-->createUserBD (business delegate) --> customerManagerEJB --> customerDAO;
Now in case of login..
After the execution of login (authentication is by form based authentication ) where will the controll go to?
My requirement is to store the logged in userID details in Stateful Session bean. how will the flow look like?where will the controller go to?? wherever you program it to go to?
Maybe you are looking for
-
How to add an adobe bridge photo galley to flash cs5 website?
Hello everybody. I am creating a website for an tourist walking site in Lisbon. I have a page with pictures which I made to buttons and now I want to make them to go after clicking to an adobe bridge photo gallery. I tried allready some codesnippers
-
When I click the start button there are a number of applications I should be able to click on and go into. Lately a box pops up and reads...Application Not Found. I have not had this problem before. I can not pull up PPT., Word or any applications. E
-
HT201302 Transferring large video file from Iphone
My video file is extremely large and won't transfer by click and drag to hard drive. I have tried every way possible. Any suggestions?
-
Dear Experts, I have downloaded data services blue prints availalbe in the SAP network and i imported the ATL file successfully. I have reconfigured my target datastore. When i try to execute the Job_DqBatchUSA_AddressCleanseob , I'm getting the fo
-
When there is a Smart Shape with both a stroke and a fill, plus a drop shadow, the drop shadow looks like it only applies to the stroke. I have several such objects with fairly thick 3 or 4 pt stroke. The drop shadow should be behind both the stroke