• Post Reply Bookmark Topic Watch Topic
  • New Topic
programming forums Java Mobile Certification Databases Caching Books Engineering Micro Controllers OS Languages Paradigms IDEs Build Tools Frameworks Application Servers Open Source This Site Careers Other Pie Elite all forums
this forum made possible by our volunteer staff, including ...
Marshals:
  • Campbell Ritchie
  • Jeanne Boyarsky
  • Ron McLeod
  • Paul Clapham
  • Liutauras Vilda
Sheriffs:
  • paul wheaton
  • Rob Spoor
  • Devaka Cooray
Saloon Keepers:
  • Stephan van Hulst
  • Tim Holloway
  • Carey Brown
  • Frits Walraven
  • Tim Moores
Bartenders:
  • Mikalai Zaikin

Error 403--Forbidden

 
Ranch Hand
Posts: 36
3
Eclipse IDE Redhat Java
  • Mark post as helpful
  • send pies
    Number of slices to send:
    Optional 'thank-you' note:
  • Quote
  • Report post to moderator
Hello,

I am using JSF 2.2, MySql, and Weblogic 12C. I am trying to implement security and authentication in my application using a JDBC realm.
I have seen several tutorials and documentations, I have tried several things but I still don't know why when I am in the login page and I write the username and password I always get the error page.
Also If I try to navigate the one of the protected pages I always get the page:
Error 403--Forbidden
From RFC 2068 Hypertext Transfer Protocol -- HTTP/1.1:
10.4.4 403 Forbidden

The server understood the request, but is refusing to fulfill it. Authorization will not help and the request SHOULD NOT be repeated. If the request method was not HEAD and the server wishes to make public why the request has not been fulfilled, it SHOULD describe the reason for the refusal in the entity. This status code is commonly used when the server does not wish to reveal exactly why the request has been refused, or when no other response is applicable.



This is my login page:



This is my web.xml file:



This is my persistence.xml file:


This is my weblogic.xml file



I attached 2 images, one from my data source in Weblogic and one from my security realm in Weblogic. I know my data source is working because before I tried to implement security, I was able to save data and load data in the application.
I will appreciate any help. I have been stuck in this issue for several days.

Weblogic_data_source.png
[Thumbnail for Weblogic_data_source.png]
Weblogic_security_realm.png
[Thumbnail for Weblogic_security_realm.png]
 
Saloon Keeper
Posts: 27752
196
Android Eclipse IDE Tomcat Server Redhat Java Linux
  • Likes 1
  • Mark post as helpful
  • send pies
    Number of slices to send:
    Optional 'thank-you' note:
  • Quote
  • Report post to moderator
OK, I don't see anything obvious, but here's the rules, so maybe that will help.

First, just in case you were doing this (and a lot of people do), the login page cannot be directly requested by a client URL request. That is, a URL in the form https://www.myserver.com:8080/mywebapp/login.jsf would not process properly. That's because the login is managed automatically by the server when a URL requiring authorization is requested. The automatic request sidetracks the original request, sets up the login environment, and presents the login/loginfail pages. Once login has succeeded, the sidetracked request is resubmitted internally, so that the application never actually sees the login happen. If you request the login page explicitly, the login environment will not have been set, so the login attempt will fail.

Secondly, the JSF container security gatekeeper is tied to the incoming URL, and not to the resource being requested. That's especially important to know in the case of JSF, where the URL often lags the resource - a form that navigates to "newpage.jsf" may actually contain the URL "oldpage.jsf". Use the JSF "redirect" navigation option to avoid this problem.

Just to reinforce that last item, since the security manager is looking at the URL, whenever you get a "403" response, check your request URL against the patterns that you defined in web.xml.

Also be careful what resources you put on a login page. Any items on that page that make secondary URL requests (images, javascript, CSS, etc.) are still subject to the pre-login security environment and can themselves trigger a "403" if an unauthenticated user is forbidden access. My login pages are very stark. I consider everything not directly related to login to be a potential security exploit, so I minimize them. That's especially true for Javascript and JSF embellishments.

 
Fernando Guerrero
Ranch Hand
Posts: 36
3
Eclipse IDE Redhat Java
  • Mark post as helpful
  • send pies
    Number of slices to send:
    Optional 'thank-you' note:
  • Quote
  • Report post to moderator
Thanks for your tips.
When I run the application it goes to my home page home.xhtml. This is just a welcome page, not the login page.  My login page is called index.html (I know I didn't choose the best names to describe the pages, but I am just trying to understand how the security works)

[code=java
<?xml version='1.0' encoding='UTF-8' ?>
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml"
     xmlns:h="http://xmlns.jcp.org/jsf/html"
     xmlns:jsf="http://xmlns.jcp.org/jsf"
     xmlns:f="http://xmlns.jcp.org/jsf/core"
     xmlns:pt="http://xmlns.jcp.org/jsf/passthrough"
     xmlns:p="http://primefaces.org/ui">
   <head jsf:id="head">
       
   </head>
   <h:body>
 
      <p:outputLabel value="Home page for all the users" />
      <p:link value="Register student" outcome="/student/registerstudent" />
     
   </h:body>
</html>
][/code]

This page has a simple link to the registerstudent.xhtml. The registerstudent page is a private page, the user should login and authenticate in order to see it. But when I do click on the link I get the Error 403.


You can see this attached image that shows my project pages tree

Project_pages_tree.png
[Thumbnail for Project_pages_tree.png]
 
Tim Holloway
Saloon Keeper
Posts: 27752
196
Android Eclipse IDE Tomcat Server Redhat Java Linux
  • Mark post as helpful
  • send pies
    Number of slices to send:
    Optional 'thank-you' note:
  • Quote
  • Report post to moderator
What does the part of your web.xml that matches the pattern "/student/registerstudent" look like?
 
Fernando Guerrero
Ranch Hand
Posts: 36
3
Eclipse IDE Redhat Java
  • Mark post as helpful
  • send pies
    Number of slices to send:
    Optional 'thank-you' note:
  • Quote
  • Report post to moderator
This is the part of my web.xmls that matches the he pattern "/student/registerstudent"

 
Tim Holloway
Saloon Keeper
Posts: 27752
196
Android Eclipse IDE Tomcat Server Redhat Java Linux
  • Mark post as helpful
  • send pies
    Number of slices to send:
    Optional 'thank-you' note:
  • Quote
  • Report post to moderator
1. Do you also have a login-config and an security-role section?

2. Is /myecats a path within the WAR, or is it the context path that the WAR is deployed under? The web.xml file patterns do not include the context path part of the URL - all resources are defined from the root of the WAR.
 
Fernando Guerrero
Ranch Hand
Posts: 36
3
Eclipse IDE Redhat Java
  • Mark post as helpful
  • send pies
    Number of slices to send:
    Optional 'thank-you' note:
  • Quote
  • Report post to moderator
Yes , I do have a login-config and security-role section in my web.xml
This is my login-config:


This is my security-role section:


Regarding your question if my /myecats is a path within the WAR, or if it is the context path that the WAR is deployed under. The answer is, it is my context path. I think the problem I have could be related with this.
I found another post in this forum that helped me to understand the context path  and URL pattern a little better. https://coderanch.com/t/635876/java/faces-URL-Pattern

Following your tips I did some modifications. In my home page I had a  <p:link value="Register student" outcome="/student/registerstudent" />
I changed the link to <p:link value="Register student" outcome="/student/registerstudent?faces-redirect=true" />

Also In my web.xml in my security constrain, I used to have <url-pattern>/myecats/student/*</url-pattern>
Now I have <url-pattern>/student/*</url-pattern>

When I click the link in my home page to go to the restricted page registerstudent, I still don't get the login page, but I don't get the Error 403. Now I get the Error 404.
 
Tim Holloway
Saloon Keeper
Posts: 27752
196
Android Eclipse IDE Tomcat Server Redhat Java Linux
  • Mark post as helpful
  • send pies
    Number of slices to send:
    Optional 'thank-you' note:
  • Quote
  • Report post to moderator
I think that this has a lot to do with it:


Usually, you'd define this as something like this:


The first definition would route URLs whose WAR-relative name was "/myecats/..." to the Faces Servlet for processing. The second one routes URLs whose extension ends with ".jsf" for the Faces Servlet.

Using the first definition would require that if you deploy the WAR under /myecats, then a JSF-directed URL would need to be resolveable to the canonical URL "http://www.myserver.com/myecats/myecats/registerstudent", where the first "/myecats" is the context name used to route the URL to that particular webapp and the second "/myecats" would be the logical URL path itself. And the corresponding View Template resource path would probably be "/myecats/registerstudent.xhtml". although since I don't use this URL form for JSF, I'm not totally certain.

Using the second definition I gave, the canonical URL would be "http://www.myserver.com/myecats/registerstudent.jsf" and the View Template resource path would be "/registerstudent.xhtml".
 
Don't get me started about those stupid light bulbs.
reply
    Bookmark Topic Watch Topic
  • New Topic