Win a copy of Programmer's Guide to Java SE 8 Oracle Certified Associate (OCA) this week in the OCAJP forum!
  • Post Reply
  • Bookmark Topic Watch Topic
  • New Topic

WebLogic Form Based Authentication

 
Peter Smith
Greenhorn
Posts: 5
  • Mark post as helpful
  • send pies
  • Quote
  • Report post to moderator
I am trying to set up Form-Based Authentication on WebLogic8.1
The Problem:
If the user provides correct userid/password, he gets access to the protected resource as required, but if he provides incorrect userid/password, he gets a 403 Forbidden page, instead of getting the login failure page.
The Descriptors:
WEB.XML
___________________________________________________________________________
<web-app>
<welcome-file-list>
<welcome-file>/protected/index.jsp</welcome-file>
</welcome-file-list>
<security-constraint>
<web-resource-collection>
<web-resource-name>My secure resources</web-resource-name>
<description>Resources to be placed under security control.</description>
<url-pattern>/protected/index.jsp</url-pattern>
</web-resource-collection>
<auth-constraint>
<role-name>guest</role-name>
</auth-constraint>
<user-data-constraint>
<transport-guarantee>NONE</transport-guarantee>
</user-data-constraint>
</security-constraint>
<login-config>
<auth-method>FORM</auth-method>
<form-login-config>
<form-login-page>/Login.jsp</form-login-page>
<form-error-page>/LoginError.jsp</form-error-page>
</form-login-config>
</login-config>
<security-role>
<description>The role allowed to access our content</description>
<role-name>guest</role-name>
</security-role>
WEBLOGIC.XML
___________________________________________________________________________
<security-role-assignment>
<role-name>guest</role-name>
<principal-name>MyUser</principal-name>
</security-role-assignment>
___________________________________________________________________________
What am I missing here? Why doesnt it redirect to /LoginError.jsp instead of showing the 403 Forbidden page?
 
Jerome Caron
Greenhorn
Posts: 1
  • Mark post as helpful
  • send pies
  • Quote
  • Report post to moderator
I got the same problem...
Is it a Weblogic 8.1 sp3 bug?
 
sharon Developer
Greenhorn
Posts: 3
  • Mark post as helpful
  • send pies
  • Quote
  • Report post to moderator
Yes. I got the same error and it draw me crazy for couple of days. Anybody got any answer for this now?

Thanks,
Sharon
 
Vijay Oruganty
Greenhorn
Posts: 3
  • Mark post as helpful
  • send pies
  • Quote
  • Report post to moderator
Has any one got a solution for this. I am using weblogic 8.1 sp2 and the strange thing is, it works fine in Firefox but get a 403 forbidden error on IE instead of login error page.
Checked dev2dev and they suggest adding <form action="j_security_check"> error message </form> to the loginError page too, but this did not work for me.

Any help with this is appreciated.


Thanks
Vijay.
 
Surya Vamshi
Greenhorn
Posts: 9
  • Mark post as helpful
  • send pies
  • Quote
  • Report post to moderator
Hi,

I am also working on Bea weblogic. Can anybody tell me how do the login page check that user id and password is correct. Do we have to write a code where it accepts user id and password and check that with database and then forward it to approriate page. Please do tell me how we can do this. And what have to defined in web.xml related to security. If I am wrong correct me.

Thanks
 
Vajk Hermecz
Greenhorn
Posts: 1
  • Mark post as helpful
  • send pies
  • Quote
  • Report post to moderator
Originally posted by Vijay Oruganty:
Has any one got a solution for this. I am using weblogic 8.1 sp2 and the strange thing is, it works fine in Firefox but get a 403 forbidden error on IE instead of login error page.
Checked dev2dev and they suggest adding <form action="j_security_check"> error message </form> to the loginError page too, but this did not work for me.

Any help with this is appreciated.


Thanks
Vijay.


Thank you for your comment on the different behaviour under FireFox and IE. I just had the same problem, and now realized what was wrong.
I don't know what is written in the HTTP spec, but I do know what happens in the background.

WebLogic returns the error page, but sets HTTP Status code to 403.
Firefox displays the page sent, but IE just shows it's standard @#$@%message...
 
Jignesh Patel
Ranch Hand
Posts: 626
Mac
  • Mark post as helpful
  • send pies
  • Quote
  • Report post to moderator
May be all like to add following code in weblogic.xml
<container-descriptor>
<check-auth-on-forward/>
</container-descriptor>
 
Jerry Tom
Greenhorn
Posts: 1
  • Mark post as helpful
  • send pies
  • Quote
  • Report post to moderator
I came across this problem recently too. Then I came to know that, if it is the weblogic trail version, only 5 logins are allowed at a given time and other users will get the 403 forbidden error.
 
Masrizal. Com
Greenhorn
Posts: 1
  • Mark post as helpful
  • send pies
  • Quote
  • Report post to moderator
I just encounter the same thing on Weblogic 8.1.6. It seems like IE replace the page with the standard error if the login-error page is less than 1K. Make it bigger and you should see your own page.

www.masrizal.com
 
Shubham Vishi
Greenhorn
Posts: 3
  • Mark post as helpful
  • send pies
  • Quote
  • Report post to moderator
Can some one tell how we are authenticating the User Name and Password.
I mean to say if i am giving a user name and password then from where i am doing the validation for the username and password.
There must be some list of User Names some where?
 
Deepak Bala
Bartender
Posts: 6663
5
Firefox Browser Linux MyEclipse IDE
  • Mark post as helpful
  • send pies
  • Quote
  • Report post to moderator
The list comes from a file or database or LDAP or where ever you choose. You can configure the same based on the container.

By the way this is a zombie post. Its very old.
 
Shubham Vishi
Greenhorn
Posts: 3
  • Mark post as helpful
  • send pies
  • Quote
  • Report post to moderator
Can you please tell me the whole process to do the Form Based Authentication in weblogic. end to end

and whats meant by zombie?
 
Deepak Bala
Bartender
Posts: 6663
5
Firefox Browser Linux MyEclipse IDE
  • Mark post as helpful
  • send pies
  • Quote
  • Report post to moderator
Shubham Vishi wrote:Can you please tell me the whole process to do the Form Based Authentication in weblogic. end to end


Well... thats what the documentation is for

A zombie post is an old post where the original author is probably not interested in the answer to the question anymore.

As for the form login setup, the WL docs has a separate section dedicated to it. Go through it and posts back here if you get stuck
 
Shubham Vishi
Greenhorn
Posts: 3
  • Mark post as helpful
  • send pies
  • Quote
  • Report post to moderator
I have successfully implemented the Login functionality but there is another issue i am facing.

My functionality says that if the user Logs in there will be default page that should be shown, lets suppose 'loggedin.jsp'
Now in the action of Login.jsp i have specified j_security_check, so where should i specify 'loggedin.jsp' as the default page after login.

Also how to implement logout in weblogic?
 
dany yacoub
Greenhorn
Posts: 4
  • Mark post as helpful
  • send pies
  • Quote
  • Report post to moderator
hi i know this is very old, but i'd like to revive it because i actually have the same problem,
did someone find a solution to this problem

when authenticating from a user in a wrong role the error page defined in <form-error-page> is wrong

thank you
 
Stijn de Witt
Greenhorn
Posts: 3
  • Mark post as helpful
  • send pies
  • Quote
  • Report post to moderator
This topic may be very old, but it's not as old as the idea that there is no use in responding to threads that were started ages ago. Who cares whether the person who started the thread is still interested? The fact you got here proves that the information / questions in here are still current. Also, this thread scores high in search engines and it's questions remain unanswered, so if someone comes up with an answer, please post it.

That said, let's get back ontopic. You guys are saying that Firefox shows you the correct error page, but IE does not? That to me signals this:

HOW TO: Turn Off IE 5.x and 6.x "Show Friendly HTTP Error Messages"

This article is a bit old but I think it's still current for IE 7 & 8 as well. The key here is that IE will automagically replace server error pages with it's own 'friendly' error page if the server error page is smaller than a certain size:

"Several frequently-seen status codes have "friendly" error messages that Internet Explorer 5.x displays and that effectively mask the actual text message that the server sends. However, these "friendly" error messages are only displayed if the response that is sent to the client is less than or equal to a specified threshold. For example, to see the exact text of an HTTP 500 response, the content length must be greater than 512 bytes."

Since you are saying that Firefox displays your error page OK, I think this may be what is happening. Try adding some extra padding text to your error page and see if that helps. You can also consider setting up a proxy that intercepts the data sent between your browser and the website to figure out what actually is sent to the browser. One example is Fiddler, but there are more.

Good luck with it!

-Stijn

(edit: Shorter link to MS kb article, because site cut off the most relevant part of it)
 
  • Post Reply
  • Bookmark Topic Watch Topic
  • New Topic