We are currently developing an application where we have to secure all the web resources (like HTML, JSPs). We use our domain name as Domain http://www.mydomain.com. Our environment is:
Application Server - WebSphere Application Server 4.01
Web Server - IBM HTTP Server 1.3
Operating System - Sun Solaris 2.8
I have set up a sample application which has page1.html, page2.html, error.html, login.jsp. The login.jsp is using the J2EE standard login form with action as "j_security_check".
We are using the LTPA Custom User Registry with Form Based Authentication. While working with the example given in IBM WebSphere V4.0, which uses FileRegistrySample.java implementing the CustomRegistry interface, we are experiencing problems with form-based authentication. But the HTTP Basic authentication works for the same set of files.
Scenario 1 (enter correct password - fails)
When I try to access www.mydomain.com/test/page1.html, it is properly going to login.jsp (as defined in web.xml as the form-login-page). If I enter the correct username/password, my browser is redirected to login.jsp instead of page1.html.
Scenario 2 (enter wrong password)
When I try to access www.mydomain.com/test/page1.html, it is properly going to login.jsp. If I enter a wrong user name, it is properly redirecting to error.html as defined in web.xml.
Would appreciate it very much if you could help shed some light on the problem we are facing. Below are the security settings in Websphere and the web.xml file.
Our Security Setting in the Admin console is:
Under General Tab:
Checked the "Enable Security"
Under Authentication Tab:
In LTPA Settings:
Token Expiration: 120 minutes
Enabled SSO
Domain: http://www.mydomain.com
Our web.xml entries are:
<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE web-app PUBLIC "-//Sun Microsystems, Inc.//DTD Web Application 2.2//EN" "http://java.sun.com/j2ee/dtds/web-app_2_2.dtd">
<web-app id="WebApp_ID">
  <security-constraint id="SecurityConstraint_1">
    <web-resource-collection id="WebResourceCollection_1">
      <web-resource-name>test</web-resource-name>
      <url-pattern>/test1.html</url-pattern>
      <url-pattern>/test2.html</url-pattern>
      <url-pattern>/page1.html</url-pattern>
      <url-pattern>/page2.html</url-pattern>
      <url-pattern>/test.jsp</url-pattern>
      <http-method>GET</http-method>
      <http-method>POST</http-method>
    </web-resource-collection>
    <auth-constraint id="AuthConstraint_1">
      <description>All role :+:</description>
      <role-name>Administrator</role-name>
      <role-name>Users</role-name>
      <role-name>Operators</role-name>
    </auth-constraint>
    <user-data-constraint id="UserDataConstraint_1">
      <transport-guarantee>NONE</transport-guarantee>
    </user-data-constraint>
  </security-constraint>
  <login-config id="LoginConfig_1">
    <auth-method>FORM</auth-method>
    <realm-name>TestApp</realm-name>
    <form-login-config id="FormLoginConfig_1">
      <form-login-page>/login.jsp</form-login-page>
      <form-error-page>/error.html</form-error-page>
    </form-login-config>
  </login-config>
  <security-role id="SecurityRole_3">
    <description>Operator</description>
    <role-name>Administrator</role-name>
  </security-role>
  <security-role id="SecurityRole_4">
    <description>Users</description>
    <role-name>Users</role-name>
  </security-role>
  <security-role id="SecurityRole_1">
    <description>Operators</description>
    <role-name>Operators</role-name>
  </security-role>
</web-app>
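As an added diagnostic example (not part of the original post, and not WebSphere's own code): a Python check of the response the server returns to the POST to j_security_check, which is where a form-login loop like scenario 1 is usually visible. It assumes a working form login answers 302 to the originally requested page and sets the LTPA SSO cookie with a Domain attribute the browser will accept for the request host; the cookie name and header values in the checks are constructed samples, and a Domain attribute written as a URL rather than a DNS domain is one of the conditions it flags.

```python
from typing import Dict, Tuple
from urllib.parse import urlparse

def parse_set_cookie(header: str) -> Tuple[str, str, Dict[str, str]]:
    """Split a Set-Cookie header into (name, value, {attribute: value}), attributes lower-cased."""
    parts = [p.strip() for p in header.split(";") if p.strip()]
    name, _, value = parts[0].partition("=")
    attrs: Dict[str, str] = {}
    for part in parts[1:]:
        key, _, val = part.partition("=")
        attrs[key.strip().lower()] = val.strip()
    return name.strip(), value.strip(), attrs

def cookie_domain_accepted(domain_attr: str, request_host: str) -> bool:
    """Would a browser keep a cookie whose Domain attribute is domain_attr for a
    response received from request_host? Simplified domain-matching rule:
    the attribute must be a DNS suffix of the host, never a URL or host:port."""
    if not domain_attr:
        return True  # no Domain attribute: host-only cookie, always kept
    domain = domain_attr.lower()
    if "://" in domain or "/" in domain or ":" in domain:
        return False  # a URL such as http://www.mydomain.com is not a domain
    domain = domain.lstrip(".")
    if "." not in domain:
        return False  # a bare top-level label is not an acceptable domain
    host = request_host.lower()
    return host == domain or host.endswith("." + domain)

def diagnose_login_response(request_host: str, status: int, headers: Dict[str, str],
                            original_path: str, login_page: str) -> str:
    """Classify the response to the POST to j_security_check. Assumption: a working
    form login answers 302 to the page that was originally requested and sets the
    LTPA SSO cookie with a Domain the browser accepts for request_host."""
    if status != 302:
        return "unexpected-status"
    location = headers.get("Location", "")
    loc_path = urlparse(location).path or location
    if loc_path.endswith(login_page):
        return "redirected-to-login-page"      # what scenario 1 in the post sees
    if not loc_path.endswith(original_path):
        return "redirected-elsewhere"
    set_cookie = headers.get("Set-Cookie")
    if not set_cookie:
        return "no-sso-cookie"
    _, _, attrs = parse_set_cookie(set_cookie)
    if not cookie_domain_accepted(attrs.get("domain", ""), request_host):
        return "sso-cookie-domain-rejected"    # next GET of page1.html arrives without it
    return "ok"
```

Feed it the host, status code and headers of the j_security_check response as seen in a proxy or the browser's network view; a verdict of "sso-cookie-domain-rejected" means the browser drops the SSO cookie, so the follow-up request for page1.html is unauthenticated and lands on login.jsp again.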