I am trying to set up Form-Based Authentication on WebLogic8.1 The Problem: If the user provides correct userid/password, he gets access to the protected resource as required, but if he provides incorrect userid/password, he gets a 403 Forbidden page, instead of getting the login failure page. The Descriptors: WEB.XML ___________________________________________________________________________ <web-app> <welcome-file-list> <welcome-file>/protected/index.jsp</welcome-file> </welcome-file-list> <security-constraint> <web-resource-collection> <web-resource-name>My secure resources</web-resource-name> <description>Resources to be placed under security control.</description> <url-pattern>/protected/index.jsp</url-pattern> </web-resource-collection> <auth-constraint> <role-name>guest</role-name> </auth-constraint> <user-data-constraint> <transport-guarantee>NONE</transport-guarantee> </user-data-constraint> </security-constraint> <login-config> <auth-method>FORM</auth-method> <form-login-config> <form-login-page>/Login.jsp</form-login-page> <form-error-page>/LoginError.jsp</form-error-page> </form-login-config> </login-config> <security-role> <description>The role allowed to access our content</description> <role-name>guest</role-name> </security-role> WEBLOGIC.XML ___________________________________________________________________________ <security-role-assignment> <role-name>guest</role-name> <principal-name>MyUser</principal-name> </security-role-assignment> ___________________________________________________________________________ What am I missing here? Why doesnt it redirect to /LoginError.jsp instead of showing the 403 Forbidden page?
Has any one got a solution for this. I am using weblogic 8.1 sp2 and the strange thing is, it works fine in Firefox but get a 403 forbidden error on IE instead of login error page. Checked dev2dev and they suggest adding <form action="j_security_check"> error message </form> to the loginError page too, but this did not work for me.
I am also working on Bea weblogic. Can anybody tell me how do the login page check that user id and password is correct. Do we have to write a code where it accepts user id and password and check that with database and then forward it to approriate page. Please do tell me how we can do this. And what have to defined in web.xml related to security. If I am wrong correct me.
Originally posted by Vijay Oruganty: Has any one got a solution for this. I am using weblogic 8.1 sp2 and the strange thing is, it works fine in Firefox but get a 403 forbidden error on IE instead of login error page. Checked dev2dev and they suggest adding <form action="j_security_check"> error message </form> to the loginError page too, but this did not work for me.
Any help with this is appreciated.
Thank you for your comment on the different behaviour under FireFox and IE. I just had the same problem, and now realized what was wrong. I don't know what is written in the HTTP spec, but I do know what happens in the background.
WebLogic returns the error page, but sets HTTP Status code to 403. Firefox displays the page sent, but IE just shows it's standard @#$@%message...
Can some one tell how we are authenticating the User Name and Password.
I mean to say if i am giving a user name and password then from where i am doing the validation for the username and password.
There must be some list of User Names some where?
Shubham Vishi wrote:Can you please tell me the whole process to do the Form Based Authentication in weblogic. end to end
Well... thats what the documentation is for
A zombie post is an old post where the original author is probably not interested in the answer to the question anymore.
As for the form login setup, the WL docs has a separate section dedicated to it. Go through it and posts back here if you get stuck
Joined: Oct 28, 2009
I have successfully implemented the Login functionality but there is another issue i am facing.
My functionality says that if the user Logs in there will be default page that should be shown, lets suppose 'loggedin.jsp'
Now in the action of Login.jsp i have specified j_security_check, so where should i specify 'loggedin.jsp' as the default page after login.
This topic may be very old, but it's not as old as the idea that there is no use in responding to threads that were started ages ago. Who cares whether the person who started the thread is still interested? The fact you got here proves that the information / questions in here are still current. Also, this thread scores high in search engines and it's questions remain unanswered, so if someone comes up with an answer, please post it.
That said, let's get back ontopic. You guys are saying that Firefox shows you the correct error page, but IE does not? That to me signals this:
This article is a bit old but I think it's still current for IE 7 & 8 as well. The key here is that IE will automagically replace server error pages with it's own 'friendly' error page if the server error page is smaller than a certain size:
"Several frequently-seen status codes have "friendly" error messages that Internet Explorer 5.x displays and that effectively mask the actual text message that the server sends. However, these "friendly" error messages are only displayed if the response that is sent to the client is less than or equal to a specified threshold. For example, to see the exact text of an HTTP 500 response, the content length must be greater than 512 bytes."
Since you are saying that Firefox displays your error page OK, I think this may be what is happening. Try adding some extra padding text to your error page and see if that helps. You can also consider setting up a proxy that intercepts the data sent between your browser and the website to figure out what actually is sent to the browser. One example is Fiddler, but there are more.
Good luck with it!
(edit: Shorter link to MS kb article, because site cut off the most relevant part of it)