WebLogic Form Based Authentication

Peter Smith
Greenhorn

Joined: Feb 03, 2004
Posts: 5
I am trying to set up Form-Based Authentication on WebLogic 8.1.
The Problem:
If the user provides correct userid/password, he gets access to the protected resource as required, but if he provides incorrect userid/password, he gets a 403 Forbidden page, instead of getting the login failure page.
The Descriptors:
WEB.XML
___________________________________________________________________________
<web-app>
  <welcome-file-list>
    <welcome-file>/protected/index.jsp</welcome-file>
  </welcome-file-list>
  <!-- Only callers in role "guest" may request the protected page -->
  <security-constraint>
    <web-resource-collection>
      <web-resource-name>My secure resources</web-resource-name>
      <description>Resources to be placed under security control.</description>
      <url-pattern>/protected/index.jsp</url-pattern>
    </web-resource-collection>
    <auth-constraint>
      <role-name>guest</role-name>
    </auth-constraint>
    <user-data-constraint>
      <!-- NONE: the container does not require HTTPS for this resource -->
      <transport-guarantee>NONE</transport-guarantee>
    </user-data-constraint>
  </security-constraint>
  <!-- FORM login: the container serves Login.jsp, and LoginError.jsp on a failed login -->
  <login-config>
    <auth-method>FORM</auth-method>
    <form-login-config>
      <form-login-page>/Login.jsp</form-login-page>
      <form-error-page>/LoginError.jsp</form-error-page>
    </form-login-config>
  </login-config>
  <security-role>
    <description>The role allowed to access our content</description>
    <role-name>guest</role-name>
  </security-role>
</web-app>
WEBLOGIC.XML
___________________________________________________________________________
<weblogic-web-app>
  <!-- Maps the WebLogic principal MyUser to the "guest" role declared in web.xml -->
  <security-role-assignment>
    <role-name>guest</role-name>
    <principal-name>MyUser</principal-name>
  </security-role-assignment>
</weblogic-web-app>
___________________________________________________________________________
What am I missing here? Why doesn't it redirect to /LoginError.jsp instead of showing the 403 Forbidden page?
Jerome Caron
Greenhorn

Joined: Nov 12, 2004
Posts: 1
I got the same problem...
Is it a Weblogic 8.1 sp3 bug?
sharon Developer
Greenhorn

Joined: Jul 14, 2005
Posts: 3
Yes. I got the same error and it drove me crazy for a couple of days. Has anybody got an answer for this now?

Thanks,
Sharon
Vijay Oruganty
Greenhorn

Joined: Sep 08, 2005
Posts: 3
Has anyone got a solution for this? I am using WebLogic 8.1 sp2 and the strange thing is, it works fine in Firefox but I get a 403 Forbidden error on IE instead of the login error page.
I checked dev2dev and they suggest adding <form action="j_security_check"> error message </form> to the loginError page too, but this did not work for me.

Any help with this is appreciated.


Thanks
Vijay.
Surya Vamshi
Greenhorn

Joined: Aug 25, 2005
Posts: 9
Hi,

I am also working on BEA WebLogic. Can anybody tell me how the login page checks that the user id and password are correct? Do we have to write code that accepts the user id and password, checks them against a database and then forwards to the appropriate page? Please do tell me how we can do this, and what has to be defined in web.xml related to security. If I am wrong, correct me.

Thanks
Vajk Hermecz
Greenhorn

Joined: Nov 28, 2005
Posts: 1
Originally posted by Vijay Oruganty:
Has anyone got a solution for this? I am using WebLogic 8.1 sp2 and the strange thing is, it works fine in Firefox but I get a 403 Forbidden error on IE instead of the login error page.
I checked dev2dev and they suggest adding <form action="j_security_check"> error message </form> to the loginError page too, but this did not work for me.

Any help with this is appreciated.


Thanks
Vijay.


Thank you for your comment on the different behaviour under Firefox and IE. I just had the same problem, and now realized what was wrong.
I don't know what is written in the HTTP spec, but I do know what happens in the background.

WebLogic returns the error page, but sets the HTTP status code to 403.
Firefox displays the page sent, but IE just shows its standard @#$@% message...
Jignesh Patel
Ranch Hand

Joined: Nov 03, 2001
Posts: 626

Maybe you would all like to add the following code in weblogic.xml:
<container-descriptor>
  <check-auth-on-forward/>
</container-descriptor>
Jerry Tom
Greenhorn

Joined: May 30, 2006
Posts: 1
I came across this problem recently too. Then I came to know that, if it is the WebLogic trial version, only 5 logins are allowed at a given time and other users will get the 403 Forbidden error.
Masrizal. Com
Greenhorn

Joined: Feb 12, 2009
Posts: 1
I just encountered the same thing on WebLogic 8.1.6. It seems like IE replaces the page with the standard error if the login-error page is less than 1K. Make it bigger and you should see your own page.

www.masrizal.com
Shubham Vishi
Greenhorn

Joined: Oct 28, 2009
Posts: 3
Can someone tell me how we are authenticating the user name and password?
I mean to say, if I am giving a user name and password, then where am I doing the validation of the user name and password?
There must be some list of user names somewhere?
Deepak Bala
Bartender

Joined: Feb 24, 2006
Posts: 6657

The list comes from a file or database or LDAP or wherever you choose. You can configure the same based on the container.

By the way, this is a zombie post. It's very old.


SCJP 6 articles - SCJP 5/6 mock exams - More SCJP Mocks
Shubham Vishi
Greenhorn

Joined: Oct 28, 2009
Posts: 3
Can you please tell me the whole process to do Form Based Authentication in WebLogic, end to end?

And what's meant by zombie?
Deepak Bala
Bartender

Joined: Feb 24, 2006
Posts: 6657

Shubham Vishi wrote: Can you please tell me the whole process to do the Form Based Authentication in weblogic. end to end

Well... that's what the documentation is for.

A zombie post is an old post where the original author is probably not interested in the answer to the question anymore.

As for the form login setup, the WL docs have a separate section dedicated to it. Go through it and post back here if you get stuck.
Shubham Vishi
Greenhorn

Joined: Oct 28, 2009
Posts: 3
I have successfully implemented the login functionality, but there is another issue I am facing.

My functionality says that if the user logs in there will be a default page that should be shown, let's suppose 'loggedin.jsp'.
Now in the action of Login.jsp I have specified j_security_check, so where should I specify 'loggedin.jsp' as the default page after login?

Also, how do I implement logout in WebLogic?
dany yacoub
Greenhorn

Joined: Nov 24, 2009
Posts: 4
Hi, I know this is very old, but I'd like to revive it because I actually have the same problem.
Did someone find a solution to this problem?

When authenticating from a user in a wrong role, the error page defined in <form-error-page> is wrong.

Thank you
Stijn de Witt
Greenhorn

Joined: Jul 29, 2010
Posts: 3
This topic may be very old, but it's not as old as the idea that there is no use in responding to threads that were started ages ago. Who cares whether the person who started the thread is still interested? The fact you got here proves that the information / questions in here are still current. Also, this thread scores high in search engines and its questions remain unanswered, so if someone comes up with an answer, please post it.

That said, let's get back on topic. You guys are saying that Firefox shows you the correct error page, but IE does not? That to me signals this:

HOW TO: Turn Off IE 5.x and 6.x "Show Friendly HTTP Error Messages"

This article is a bit old but I think it's still current for IE 7 & 8 as well. The key here is that IE will automagically replace server error pages with its own 'friendly' error page if the server error page is smaller than a certain size:

"Several frequently-seen status codes have "friendly" error messages that Internet Explorer 5.x displays and that effectively mask the actual text message that the server sends. However, these "friendly" error messages are only displayed if the response that is sent to the client is less than or equal to a specified threshold. For example, to see the exact text of an HTTP 500 response, the content length must be greater than 512 bytes."

Since you are saying that Firefox displays your error page OK, I think this may be what is happening. Try adding some extra padding text to your error page and see if that helps. You can also consider setting up a proxy that intercepts the data sent between your browser and the website to figure out what actually is sent to the browser. One example is Fiddler, but there are more.

Good luck with it!

-Stijn

(edit: Shorter link to MS kb article, because site cut off the most relevant part of it)
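
A check for the behaviour the posts above describe (the error page arrives with status 403, and IE swaps small error bodies for its own page), as an added example that is not part of any post in this thread. The 512-byte threshold is the figure the quoted KB text gives for HTTP 500 and is applied to 403 here as an assumption; the function names and the sample response are constructed for illustration.

```python
# Added example, not from the thread. Flags error responses that IE's
# "friendly HTTP error messages" feature would hide behind its own page.

# Assumption: 512 bytes is the figure the quoted KB text gives for HTTP 500;
# it is applied to 403 here too. Pass another threshold if yours differs.
FRIENDLY_THRESHOLD = 512
MASKABLE_CODES = {403, 500}  # only the two codes this thread mentions

def parse_response(raw: bytes):
    """Split a raw HTTP/1.x response into (status, headers, body)."""
    head, _, body = raw.partition(b"\r\n\r\n")
    lines = head.decode("iso-8859-1").split("\r\n")
    status = int(lines[0].split(" ", 2)[1])
    headers = {}
    for line in lines[1:]:
        name, _, value = line.partition(":")
        headers[name.strip().lower()] = value.strip()
    return status, headers, body

def check_error_page(raw: bytes, threshold: int = FRIENDLY_THRESHOLD) -> dict:
    """Report whether the body is small enough for IE to replace it."""
    status, headers, body = parse_response(raw)
    # Prefer the declared length; fall back to the bytes actually captured.
    size = int(headers.get("content-length", len(body)))
    masked = status in MASKABLE_CODES and size <= threshold
    return {"status": status, "size": size, "masked": masked,
            "pad_bytes": threshold + 1 - size if masked else 0}

def build_response(status_line: str, body: bytes) -> bytes:
    """Build a constructed sample response for the checks below."""
    head = f"HTTP/1.1 {status_line}\r\nContent-Type: text/html\r\n" \
           f"Content-Length: {len(body)}\r\n\r\n"
    return head.encode("iso-8859-1") + body

# Constructed sample: a short LoginError.jsp body sent with status 403,
# which is what the thread reports WebLogic doing after a failed login.
SHORT_BODY = b"<html><body>Login failed.</body></html>"
SHORT_403 = build_response("403 Forbidden", SHORT_BODY)

if __name__ == "__main__":
    report = check_error_page(SHORT_403)
    print(report)
    padded = SHORT_BODY + b" " * report["pad_bytes"]
    print(check_error_page(build_response("403 Forbidden", padded)))
```

Feed it the raw response bytes saved from a proxy capture of the failed login to see the status code the server really sent and how much padding the error page would need.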
 