WAS Form based login

 
Greenhorn
We are currently developing an application where we have to secure all the web resources (like html, jsps). We use our domain name as Domain http://www.mydomain.com.
Our environment is
Application Server - WebSphere Application Server 4.01
Web Server - IBMHTTP Server 1.3
Operating System - Sun Solaris 2.8
I have set up a sample application which has page1.html, page2.html, error.html, login.jsp.
The login.jsp is using the J2EE Standard login form with action as "j_security_check".
We are using the LTPA Custom User Registry with Form Based Authentication. While working with the example given in the IBM WebSphere V4.0 which uses FileRegistrySample.java implementing the CustomRegistry interface, we are experiencing problems with form-based authentication. But the HTTP Basic authentication works for the same set of files.
Scenario 1 (enter correct password - fails)
When I try to access the www.mydomain.com/test/page1.html, it is properly going to login.jsp (as defined in web.xml as the form-login-page). If I enter correct username/password, my browser is redirected to login.jsp instead of page1.html.
Scenario 2 (enter wrong password)
When I try to access the www.mydomain.com/test/page1.html, it is properly going to login.jsp. If I enter wrong user name it is properly redirecting to error.html as defined in web.xml.
Would appreciate it very much if you could help shed some light on the problem we are facing. Below are the security settings in WebSphere and the web.xml file.
Our Security Setting in the Admin console is:
Under General Tab:
  Checked the "Enable Security"
Under Authentication Tab:
  in LTPA Settings
  Token Expiration 120 minutes
  Enabled SSO
  Domain http://www.mydomain.com
Our web.xml entries are:



<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE web-app PUBLIC "-//Sun Microsystems, Inc.//DTD Web Application 2.2//EN" "http://java.sun.com/j2ee/dtds/web-app_2_2.dtd">
<web-app id="WebApp_ID">
  <security-constraint id="SecurityConstraint_1">
    <web-resource-collection id="WebResourceCollection_1">
      <web-resource-name>test</web-resource-name>
      <url-pattern>/test1.html</url-pattern>
      <url-pattern>/test2.html</url-pattern>
      <url-pattern>/page1.html</url-pattern>
      <url-pattern>/page2.html</url-pattern>
      <url-pattern>/test.jsp</url-pattern>
      <http-method>GET</http-method>
      <http-method>POST</http-method>
    </web-resource-collection>
    <auth-constraint id="AuthConstraint_1">
      <description>All role :+:</description>
      <role-name>Administrator</role-name>
      <role-name>Users</role-name>
      <role-name>Operators</role-name>
    </auth-constraint>
    <user-data-constraint id="UserDataConstraint_1">
      <transport-guarantee>NONE</transport-guarantee>
    </user-data-constraint>
  </security-constraint>
  <login-config id="LoginConfig_1">
    <auth-method>FORM</auth-method>
    <realm-name>TestApp</realm-name>
    <form-login-config id="FormLoginConfig_1">
      <form-login-page>/login.jsp</form-login-page>
      <form-error-page>/error.html</form-error-page>
    </form-login-config>
  </login-config>
  <security-role id="SecurityRole_3">
    <description>Operator</description>
    <role-name>Administrator</role-name>
  </security-role>
  <security-role id="SecurityRole_4">
    <description>Users</description>
    <role-name>Users</role-name>
  </security-role>
  <security-role id="SecurityRole_1">
    <description>Operators</description>
    <role-name>Operators</role-name>
  </security-role>
</web-app>
 
Rancher
The first pointer I'd give is that after 2 or more weeks of trying and playing, we could only get Form based authentication to work on 4.0.3.
We haven't tried it on 4.0.5 yet, but 1, 2 and 4 just don't work.
We were running Win NT, WS 4.05, SecureWay (dunno the version)
Another thing to be wary of is the LTPAtoken timeout. It is an absolute value per domain, i.e. if you set it to 15 minutes, the LTPAtoken will expire every 15 minutes on the minute regardless of user activity. If you set the session timeout to a value less than the LTPA timeout, it will hand out a new session without informing you as long as the LTPAtoken is still valid. This is very annoying behaviour.
We're looking at workarounds, but so far we've been blocked at every turn.
Dave
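
The timeout interaction described in the post above, as an added illustration that is not part of the original thread and is not WebSphere code. It is a plain-Java model; the class name, the 15-minute token lifetime, the 5-minute session idle timeout, the request times, and the reading of "absolute" as "counted from login" are all assumptions made for the example.

```java
import java.util.List;

/** Added illustration: absolute LTPA token expiry vs. idle-based session expiry. */
public class LtpaSessionTimeline {
    enum Outcome { SESSION_OK, NEW_SESSION_SILENTLY, LOGIN_REQUIRED }

    // Assumed values for the illustration, in minutes.
    static final int LTPA_LIFETIME = 15; // absolute: counted from login, never extended
    static final int SESSION_IDLE = 5;   // idle timeout: reset by every request

    int tokenIssuedAt = -1; // -1 means the user holds no token yet
    int lastAccess = -1;    // -1 means there is no live session

    Outcome request(int now) {
        boolean tokenValid = tokenIssuedAt >= 0 && now - tokenIssuedAt < LTPA_LIFETIME;
        if (!tokenValid) {
            // Token expiry ignores activity: the user is sent to the login form,
            // and a successful login issues a new token and a new session.
            tokenIssuedAt = now;
            lastAccess = now;
            return Outcome.LOGIN_REQUIRED;
        }
        boolean sessionAlive = lastAccess >= 0 && now - lastAccess < SESSION_IDLE;
        lastAccess = now;
        // Token still valid but session idled out: a fresh, empty session is created
        // with no login prompt, so per-session state disappears without notice.
        return sessionAlive ? Outcome.SESSION_OK : Outcome.NEW_SESSION_SILENTLY;
    }

    public static void main(String[] args) {
        LtpaSessionTimeline user = new LtpaSessionTimeline();
        // Constructed request times, in minutes since the first hit.
        for (int t : List.of(0, 2, 4, 11, 13, 14, 16, 18)) {
            System.out.printf("t=%2d min -> %s%n", t, user.request(t));
        }
    }
}
```

In this model the request after a 7-minute pause gets a silently replaced session, and the request at minute 16 is forced back to login even though the user was active two minutes earlier.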
 
Hari RamKrish
David,
We changed our environment to
Application Server - WebSphere Application Server 4.03
Web Server - IBMHTTP Server 1.3
Operating System - Windows 2000
I have set up a sample application which has page1.html, page2.html, error.html, login.jsp.
The login.jsp is using the J2EE Standard login form with action as "j_security_check".
We are using the LTPA Custom User Registry with Form Based Authentication. While working with the example given in the IBM WebSphere which uses FileRegistrySample.java implementing the CustomRegistry interface, we are still experiencing the same problem. Our web.xml remains the same as given in my first posting.
Could you please let me know how you managed to get this working in WebSphere Application Server 4.03?
 