WAS Form based login

Hari RamKrish
Greenhorn

Joined: Feb 10, 2003
Posts: 5
We are currently developing an application where we have to secure all the web resources (like HTML, JSPs). We use our domain name as Domain http://www.mydomain.com.
Our environment is:
Application Server - WebSphere Application Server 4.01
Web Server - IBMHTTP Server 1.3
Operating System - Sun Solaris 2.8
I have set up a sample application which has page1.html, page2.html, error.html, login.jsp.
The login.jsp is using the J2EE Standard login form with action as "j_security_check".
We are using the LTPA Custom User Registry with Form Based Authentication. While working with the example given in the IBM WebSphere V4.0 which uses FileRegistrySample.java implementing the CustomRegistry interface, we are experiencing problems with form-based authentication. But the HTTP Basic authentication works for the same set of files.
Scenario 1 (enter correct password - fails)
When I try to access www.mydomain.com/test/page1.html, it properly goes to login.jsp (as defined in web.xml as the form-login-page). If I enter the correct username/password, my browser is redirected to login.jsp instead of page1.html.
Scenario 2 (enter wrong password)
When I try to access www.mydomain.com/test/page1.html, it properly goes to login.jsp. If I enter a wrong user name, it properly redirects to error.html as defined in web.xml.
Would appreciate it very much if you could help shed some light on the problem we are facing. Below are the security settings in WebSphere and the web.xml file.
Our Security Setting in the Admin console is:
Under General Tab:
Checked the "Enable Security"
Under Authentication Tab:
in LTPA Settings
Token Expiration 120 minutes
Enabled SSO
Domain http://www.mydomain.com
Our web.xml entries are:

<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE web-app PUBLIC "-//Sun Microsystems, Inc.//DTD Web Application 2.2//EN" "http://java.sun.com/j2ee/dtds/web-app_2_2.dtd">
<web-app id="WebApp_ID">
    <security-constraint id="SecurityConstraint_1">
        <web-resource-collection id="WebResourceCollection_1">
            <web-resource-name>test</web-resource-name>
            <url-pattern>/test1.html</url-pattern>
            <url-pattern>/test2.html</url-pattern>
            <url-pattern>/page1.html</url-pattern>
            <url-pattern>/page2.html</url-pattern>
            <url-pattern>/test.jsp</url-pattern>
            <http-method>GET</http-method>
            <http-method>POST</http-method>
        </web-resource-collection>
        <auth-constraint id="AuthConstraint_1">
            <description>All role :+:</description>
            <role-name>Administrator</role-name>
            <role-name>Users</role-name>
            <role-name>Operators</role-name>
        </auth-constraint>
        <user-data-constraint id="UserDataConstraint_1">
            <transport-guarantee>NONE</transport-guarantee>
        </user-data-constraint>
    </security-constraint>
    <login-config id="LoginConfig_1">
        <auth-method>FORM</auth-method>
        <realm-name>TestApp</realm-name>
        <form-login-config id="FormLoginConfig_1">
            <form-login-page>/login.jsp</form-login-page>
            <form-error-page>/error.html</form-error-page>
        </form-login-config>
    </login-config>
    <security-role id="SecurityRole_3">
        <description>Operator</description>
        <role-name>Administrator</role-name>
    </security-role>
    <security-role id="SecurityRole_4">
        <description>Users</description>
        <role-name>Users</role-name>
    </security-role>
    <security-role id="SecurityRole_1">
        <description>Operators</description>
        <role-name>Operators</role-name>
    </security-role>
</web-app>
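
Added example (not part of the original thread, and not IBM's code): the settings above list the SSO Domain as http://www.mydomain.com, and form login depends on the browser keeping the LTPA token cookie. Assuming the SSO Domain value is sent verbatim as that cookie's Domain attribute, the code below applies the RFC 6265 domain-match rule a browser uses to decide whether to keep the cookie; the function names and the alternative values tried are hypothetical.

```javascript
// Added example: how a browser treats the Domain attribute of a session cookie.
// Assumption: the SSO "Domain" setting is sent verbatim as the cookie's Domain.

// RFC 6265 section 5.1.3: does the request host domain-match the cookie domain?
function domainMatches(host, cookieDomain) {
  const h = host.toLowerCase();
  const d = cookieDomain.toLowerCase();
  if (h === d) return true;
  // IP literals only match themselves, never as a suffix.
  const isIpLiteral = /^\d{1,3}(\.\d{1,3}){3}$/.test(h) || h.includes(":");
  return !isIpLiteral && h.endsWith("." + d);
}

// RFC 6265 section 5.2.3: lowercase the value and drop one leading dot.
function normaliseDomainAttribute(value) {
  const v = value.trim().toLowerCase();
  return v.startsWith(".") ? v.slice(1) : v;
}

// Report whether a cookie set by requestHost with this Domain value is kept.
function checkSsoDomain(ssoDomain, requestHost) {
  const domain = normaliseDomainAttribute(ssoDomain);
  if (domain === "") {
    // No usable Domain attribute: the cookie is host-only.
    return { stored: true, scope: requestHost, reason: "host-only cookie" };
  }
  if (!domainMatches(requestHost, domain)) {
    const reason = /[:\/]/.test(domain)
      ? "value is a URL, not a DNS domain, so no host can match it"
      : "request host is outside this domain";
    return { stored: false, scope: null, reason };
  }
  return { stored: true, scope: domain, reason: "host domain-matches" };
}

// Constructed sample values; only the first one appears in the thread.
const sampleHost = "www.mydomain.com";
const sampleValues = ["http://www.mydomain.com", ".mydomain.com", "www.mydomain.com", ""];
for (const value of sampleValues) {
  const r = checkSsoDomain(value, sampleHost);
  console.log(JSON.stringify(value), "->", r.stored ? "kept" : "dropped", "(" + r.reason + ")");
}
```

When the cookie is dropped, the request that follows a successful j_security_check carries no token and is sent to the form login page again.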
David O'Meara
Rancher

Joined: Mar 06, 2001
Posts: 13459

The first pointer I'd give is that after 2 or more weeks of trying and playing, we could only get Form based authentication to work on 4.0.3.
We haven't tried it on 4.0.5 yet, but 1, 2 and 4 just don't work.
We were running Win NT, WS 4.05, SecureWay (dunno the version).
Another thing to be wary of is the LTPAtoken timeout. It is an absolute value per domain, i.e. if you set it to 15 minutes, the LTPAtoken will expire every 15 minutes on the minute regardless of user activity. If you set the session timeout to a value less than the LTPA timeout, it will hand out a new session without informing you as long as the LTPAtoken is still valid. This is very annoying behaviour.
We're looking at workarounds, but so far we've been blocked at every turn.
Dave
Hari RamKrish
Greenhorn

Joined: Feb 10, 2003
Posts: 5
David,
We changed our environment to:
Application Server - WebSphere Application Server 4.03
Web Server - IBMHTTP Server 1.3
Operating System - Windows 2000
I have set up a sample application which has page1.html, page2.html, error.html, login.jsp.
The login.jsp is using the J2EE Standard login form with action as "j_security_check".
We are using the LTPA Custom User Registry with Form Based Authentication. We are working with the example given in the IBM WebSphere which uses FileRegistrySample.java implementing the CustomRegistry interface, and we are still experiencing the same problem. Our web.xml remains the same as given in my first posting.
Could you please let me know how you managed to get this working in WebSphere Application Server 4.03?