We are currently developing an application where we have to secure all the web resources (like html, jsps). We use our domain name as Domain http://www.mydomain.com.

Our environment is:

Application Server - WebSphere Application Server 4.01
Web Server - IBMHTTP Server 1.3
Operating System - Sun Solaris 2.8

I have set up a sample application which has page1.html, page2.html, error.html, login.jsp. The login.jsp is using the J2EE Standard login form with action as "j_security_check". We are using the LTPA Custom User Registry with Form Based Authentication.

While working with the example given in the IBM WebSphere V4.0 which uses FileRegistrySample.java implementing the CustomRegistry interface, we are experiencing problems with form-based authentication. But the HTTP Basic authentication works for the same set of files.

Scenario 1 (enter correct password - fails)

When I try to access www.mydomain.com/test/page1.html, it properly goes to login.jsp (as defined in web.xml as the form-login-page). If I enter the correct username/password, my browser is redirected to login.jsp instead of page1.html.

Scenario 2 (enter wrong password)

When I try to access www.mydomain.com/test/page1.html, it properly goes to login.jsp. If I enter a wrong user name, it properly redirects to error.html as defined in web.xml.

We would appreciate it very much if you could help shed some light on the problem we are facing. Below are the security settings in WebSphere and the web.xml file.

Our Security Setting in the Admin console is:

Under General Tab: Checked the "Enable Security"
Under Authentication Tab, in LTPA Settings:
Token Expiration 120 minutes
Enabled SSO
Domain http://www.mydomain.com

Our web.xml entries are:

<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE web-app PUBLIC "-//Sun Microsystems, Inc.//DTD Web Application 2.2//EN" "http://java.sun.com/j2ee/dtds/web-app_2_2.dtd">

The first pointer I'd give is that after 2 or more weeks of trying and playing, we could only get Form based authentication to work on 4.0.3. We haven't tried it on 4.0.5 yet, but 1, 2 and 4 just don't work. We were running Win NT, WS 4.05, SecureWay (dunno the version).

Another thing to be wary of is the LTPAtoken timeout. It is an absolute value per domain, i.e. if you set it to 15 minutes, the LTPAtoken will expire every 15 minutes on the minute regardless of user activity. If you set the session timeout to a value less than the LTPA timeout, it will hand out a new session without informing you as long as the LTPAtoken is still valid. This is very annoying behaviour. We're looking at workarounds, but so far we've been blocked at every turn.

Dave

David,

We changed our environment to:

Application Server - WebSphere Application Server 4.03
Web Server - IBMHTTP Server 1.3
Operating System - Windows 2000

I have set up a sample application which has page1.html, page2.html, error.html, login.jsp. The login.jsp is using the J2EE Standard login form with action as "j_security_check". We are using the LTPA Custom User Registry with Form Based Authentication.

While working with the example given in the IBM WebSphere which uses FileRegistrySample.java implementing the CustomRegistry interface, we are still experiencing the same problem. Our web.xml remains the same as given in my first posting.

Could you please let me know how you managed to get this working in WebSphere Application Server 4.03?
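
Added example, not part of the thread and not IBM's code: a JavaScript check of whether a configured SSO domain value can serve as a cookie Domain attribute for the host being requested, following the RFC 6265 domain-match rules. It assumes the SSO Domain field listed in the first post is sent verbatim as the Domain of the LTPA cookie; the function names and sample values other than the quoted setting are illustrative.

```javascript
// Added example (not from the thread). Assumption: the server sends the
// configured SSO domain verbatim as the Domain attribute of the LTPA cookie.

// RFC 6265 section 5.2.3: strip one leading dot and lowercase the value.
function canonicalCookieDomain(attr) {
  let d = String(attr).trim();
  if (d.startsWith(".")) d = d.slice(1);
  return d.toLowerCase();
}

// RFC 6265 section 5.1.3: the host equals the domain, or ends with
// "." + domain and is a host name rather than an IP address.
function domainMatches(host, cookieDomain) {
  const h = host.toLowerCase();
  if (h === cookieDomain) return true;
  const isIp = /^\d{1,3}(\.\d{1,3}){3}$/.test(h) || h.includes(":");
  return !isIp && h.endsWith("." + cookieDomain);
}

// Decide whether a browser on requestHost would store a cookie whose
// Domain attribute is ssoDomain, and explain a rejection.
function checkSsoDomain(requestHost, ssoDomain) {
  const d = canonicalCookieDomain(ssoDomain);
  if (d === "") {
    return { accepted: true, reason: "empty Domain, stored as host-only cookie" };
  }
  if (domainMatches(requestHost, d)) {
    return { accepted: true, reason: "host domain-matches " + d };
  }
  const looksLikeUrl = /[:\/]/.test(d);
  return {
    accepted: false,
    reason: looksLikeUrl
      ? "value contains a scheme or path, so no host name can match it"
      : "host does not domain-match " + d,
  };
}

// Constructed sample values; the first is the setting quoted in the thread.
const sampleHost = "www.mydomain.com";
for (const v of ["http://www.mydomain.com", "www.mydomain.com", ".mydomain.com", "otherdomain.com"]) {
  const r = checkSsoDomain(sampleHost, v);
  console.log(v.padEnd(26), r.accepted ? "stored " : "ignored", r.reason);
}
```

Browsers additionally refuse Domain values that are public suffixes, which this check does not model.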