Tomcat 7 - JDBCRealm login - authentication

I'm using the JDBCRealm with tomcat 7. I want to build a simple login page.
This is my login form:
Login Form
and my web.xml content is:
<login-config>
    <auth-method>FORM</auth-method>
    <form-login-config>
        <form-login-page>/user/login.jsp</form-login-page>
        <form-error-page>/user/login-failed.html</form-error-page>
    </form-login-config>
</login-config>
I want to redirect the user to some a.jsp page once he has been authenticated.
How can I do that?

What I understood is that you want to redirect your user depending upon the role. Suppose the user is admin, then he/she should be redirected to admin.jsp (for example), and if the user is in the manager role, he/she should be redirected to manager.jsp.
Let us suppose you have two roles, admin and manager, defined in your JDBCRealm.
You can do this by creating a servlet in the project, for example LoginServlet.java.
So the things you have to set are:
Create your login.jsp and login-failed.html as you mentioned.
Create two JSP pages, admin.jsp and manager.jsp, under any folder in WebContent of the dynamic web project,
say:
WebContent/htmlPages/admin.jsp, put
<h4>Welcome Admin</h4> text in the body tag.
WebContent/htmlPages/manager.jsp, put
<h4>Welcome Admin</h4> text in the body tag.
In LoginServlet.jsp, in the doGet method,
put this simple code:
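// Send the authenticated user to the page that matches their role.
if (request.isUserInRole("admin")) {
    response.sendRedirect("htmlPages/admin.jsp");
} else if (request.isUserInRole("manager")) {
    // else-if: a user holding both roles must trigger only one redirect,
    // a second sendRedirect on a committed response throws IllegalStateException
    response.sendRedirect("htmlPages/manager.jsp");
}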
After that you have to set the welcome file to the login servlet in web.xml,
e.g.
suppose in web.xml your servlet entry is
<servlet>
    <description></description>
    <display-name>LoginServlet</display-name>
    <servlet-name>LoginServlet</servlet-name>
    <servlet-class>Fully qualified name of LoginServlet</servlet-class>
</servlet>
<servlet-mapping>
    <servlet-name>LoginServlet</servlet-name>
    <url-pattern>/loginServlet</url-pattern>
</servlet-mapping>
Then get the URL pattern from the servlet mapping and put it in the welcome file list without any slash,
like
<welcome-file-list>
    <welcome-file>loginServlet</welcome-file>
</welcome-file-list>
Be sure that no slash has been included. The welcome file attribute should be without a slash, as I put in the code: loginServlet.
Run this code. :-) You would get redirected to the appropriate JSP page.

You don't. That isn't how FORM authentication works. The user requests a page. If it requires authentication then they receive the login page rather than the page they requested. They then enter their credentials and if valid get presented with the page they originally requested.
If you insist on misusing the FORM authentication process you can set the landingPage attribute of the org.apache.catalina.authenticator.FormAuthenticator. See the docs (http://tomcat.apache.org/tomcat-7.0-doc/config/valve.html#Form_Authenticator_Valve) for full details.

Related

Redirect page if not logged in

How can you redirect the page if the user is not logged in, in velocity machine? For example, when you visit another page it will redirect to the login page to view that other page. Do I need a conditional for that?
I believe that you are using SpringFramework in your project.
You could simply add an interceptor to check whether the user has logged in or not and redirect him. You could also add a filter in web.xml file to do the same.

Create Registration form in Mule

I am a newbie to MuleESB. I want to create a registration form using Mule but I am stuck.
I don't know how to display index.jsp on start-up of your application. I have already gone through the BookStore example but couldn't get efficient information.
I created a web.xml under src->main->app->webapps->WEB-INF->web.xml
<web-app....>
    <listener>
        <listener-class>org.mule.config.builders.MuleXmlBuilderContextListener</listener-class>
    </listener>
    <welcome-file-list>
        <welcome-file>index.jsp</welcome-file>
    </welcome-file-list>
</web-app>
Any Help or suggestions.
You're missing a web application context directory under: src->main->app->webapps->WEB-INF->web.xml, i.e. you should have something like: src->main->app->webapps->my-context->WEB-INF->web.xml.
Follow the BookStore example carefully and you should have no difficulty reaching your goal.

Sharepoint FBA 2010 : Custom Application Page (Sign-in Page) redirection issue

I have configured FBA on a Sharepoint 2010 site, and it's working fine when I use the OOTB login page which is available at _form/default.aspx.
Now I have created my own Login.aspx page and configured the web application to get redirected to this custom page. This page I have kept it at Layouts/CustomFBA/Login.aspx location under 14 Hive. I followed this blog post to create and configure the login page.
I have included a user sign in page link at the bottom of this login page which is another application page.
I have updated the web.config of the web application to allow users to reach the user sign-in page without getting authenticated or redirected to the login page again. Ideally this should work, but somehow whenever I click that link I am being redirected back to the login page. I will really appreciate it if somebody can help me in this regard.
==========================================================
As I have mentioned earlier, the custom login page is working perfectly fine. But I have a link on the login page which takes the users to a sign-in (UserSignin.aspx) page which is also kept in the /_layouts/CustomFBA/ folder. The problem is that when I click the link, I am coming back to the Login page again.
As per some of the blogs which I read, to allow users to view such a page, which should not ask for any authentication, we have to include the tag (mentioned by djeeg) in the web.config of the web application. So I have done that as well.
But this is also not resolving the problem. I am still coming back to the Login.aspx page when I click that "Sign-in" link on the custom login page. I hope I have made my problem clear here.
Thanks & Regards,
Paddy
By default, SharePoint application pages added in Visual Studio inherit from the LayoutsPageBase class (MSDN: represents an application page to which access can be limited to users that possess certain rights).
Change the base class of the UserSignin.aspx page to UnsecuredLayoutsPageBase (MSDN: represents the base class for application pages that explicitly do not require the user to have any permissions, such as the access denied page).
Try adding this to your web.config:
<location path="_layouts/CustomFBA/Login.aspx">
    <system.web>
        <authorization>
            <allow users="*" />
        </authorization>
    </system.web>
</location>
That should then allow anonymous access to your custom login page.

Tomcat FORM authentication - login form not coming up as https

This is driving me nuts.
I'm using Tomcat 6, declarative authentication, form based. No framework involved.
Everything works ok - some pages authenticated, some not, some use https, some http. Everything as I want it. EXCEPT...
I want the login page to always use https.
The login page comes up nicely as https if:
a) I go to it directly in the browser.
b) I click on a page in the application that is configured for https (and requires authentication).
BUT the login page comes up as http if:
a) I click on a page in the application that is configured for http (and requires authentication).
I've a feeling I'm up against some sort of accepted default here and that an answer might be "why would you want an https login to get to a non-https page?".
It's like this:
a) I want passwords to be encrypted.
b) I want users to login to show which role (group) they belong to in order to enable/disable parts of the web site.
c) I don't want a drop in performance due to https except where absolutely necessary.
I guess if the login page is forced to be https (like I want it to be) then there has to be a mechanism to put it back to http.
If anyone has some pointers/ideas around this whole area I'd be very very grateful.
web.xml fragments:
<security-constraint>
    <display-name>Security Constraint A0S1</display-name>
    <web-resource-collection>
        <web-resource-name>A0S1</web-resource-name>
        <url-pattern>/login/*</url-pattern>
    </web-resource-collection>
    <user-data-constraint>
        <transport-guarantee>CONFIDENTIAL</transport-guarantee>
    </user-data-constraint>
</security-constraint>
<login-config>
    <auth-method>FORM</auth-method>
    <form-login-config>
        <form-login-page>/login/form_login.jsp</form-login-page>
        <form-error-page>/login/error.jsp</form-error-page>
    </form-login-config>
</login-config>
This was about ensuring the login page is https even when the page requiring authentication is not set as CONFIDENTIAL in web.xml.
I've ended up writing a little servlet that allows me to switch to https (or http) rather than rely on web.xml CONFIDENTIAL config settings. The CONFIDENTIAL settings don't seem to work when you arrive at a jsp page through the login or through another servlet.
So now the config for the FORM authentication in web.xml points to a servlet (SSLSwitch) which takes a couple of arguments (url + desired protocol http/https) and redirects to the actual login page with https:
/SSLSwitch?the_url=/login/form_login.jsp&the_target=https;
/login/error.jsp
SSLSwitch Servlet active code fragment:
String contextPath = request.getContextPath();
String encodedUrl = response.encodeURL(contextPath + url);
String fullUrl = target_domain + encodedUrl;
response.sendRedirect(fullUrl);
The jsp login page itself follows the usual FORM login rules (action="j_security_check") and you end up on the requested page after login ok.
I now need to look at what I can do to improve session security after switching from https to http. Maybe a filter to check that the user's IP doesn't change during a session.
Steven.
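
A servlet that redirects according to request parameters should only ever redirect to destinations it knows. The following is an added example, not the poster's code: a variant of the switching servlet that accepts only listed local paths and the two schemes. `CANONICAL_HOST`, the port numbers and the allowed paths are assumptions to adapt to the deployment.

```java
import java.io.IOException;
import java.util.Arrays;
import java.util.HashSet;
import java.util.Set;
import javax.servlet.http.HttpServlet;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;

public class SSLSwitch extends HttpServlet {
    // Assumption: the only pages this servlet is ever asked to switch to.
    private static final Set<String> ALLOWED_PATHS = new HashSet<String>(
            Arrays.asList("/login/form_login.jsp", "/login/error.jsp"));
    // Assumption: placeholder host and connector ports; take them from server.xml.
    private static final String CANONICAL_HOST = "www.example.com";
    private static final int HTTP_PORT = 8080;
    private static final int HTTPS_PORT = 8443;

    // Returns the absolute redirect URL, or null when a parameter is not acceptable.
    static String buildTarget(String contextPath, String url, String scheme) {
        if (url == null || !ALLOWED_PATHS.contains(url)) {
            return null; // the caller never chooses an arbitrary destination
        }
        // The host comes from configuration, not from the Host header or a parameter.
        if ("https".equals(scheme)) {
            return "https://" + CANONICAL_HOST + ":" + HTTPS_PORT + contextPath + url;
        }
        if ("http".equals(scheme)) {
            return "http://" + CANONICAL_HOST + ":" + HTTP_PORT + contextPath + url;
        }
        return null; // any other scheme value is rejected
    }

    @Override
    protected void doGet(HttpServletRequest request, HttpServletResponse response)
            throws IOException {
        String target = buildTarget(request.getContextPath(),
                request.getParameter("the_url"), request.getParameter("the_target"));
        if (target == null) {
            response.sendError(HttpServletResponse.SC_BAD_REQUEST);
            return;
        }
        // encodeRedirectURL is the servlet API call meant for sendRedirect targets.
        response.sendRedirect(response.encodeRedirectURL(target));
    }
}
```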

Allow unauthorized users to access RichFaces Skin CSS files

I've created a small web application using AppFuse(with JSP as Web Framework) and RichFaces. There is a page that uses rich:dataTable that should be accessible without authentication.
To make this page public I put it into a folder called "public" and added the following line to the security.xml:
<intercept-url pattern="/public/*" access="ROLE_ANONYMOUS,ROLE_ADMIN,ROLE_USER"/>
The page is now accessible without authentication but the dataTable has no skin as the required CSS files are stored in a folder that apparently requires authentication...
RichFaces Skin CSS files are accessed at this path:
/a4j/s/3_3_2.SR1org/richfaces/renderkit/html/css/basic_classes.xcss/DATB/eAELXT5DOhSIAQ!sA18_.html
And when I try to access the files I get redirected to the login page.
So how do I allow unauthorized users to access these CSS files?
Thanks, Tom
EDIT: I've already tried adding the line below to security.xml but it didn't work:
<intercept-url pattern="/a4j/*" access="ROLE_ANONYMOUS,ROLE_ADMIN,ROLE_USER"/>
Solved problem by changing the line from my edit to:
<intercept-url pattern="/a4j/**" access="ROLE_ANONYMOUS,ROLE_ADMIN,ROLE_USER"/>
The second * does the trick...but I don't know why. :)
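
Spring Security's intercept-url patterns are Ant-style by default: `*` matches within a single path segment, while `**` matches any number of segments. The following is an added example, not part of the original post and not Spring's own implementation: a minimal matcher with those two rules (class and method names are hypothetical), run against the CSS path quoted in the question.

```java
import java.util.regex.Pattern;

public class AntPatternDemo {
    // True if path matches an Ant-style pattern: '*' and '?' stay inside one
    // segment, '**' as a whole segment spans zero or more segments.
    static boolean matches(String pattern, String path) {
        return match(pattern.split("/"), 0, path.split("/"), 0);
    }

    private static boolean match(String[] pat, int pi, String[] seg, int si) {
        if (pi == pat.length) {
            return si == seg.length; // pattern used up: path must be used up too
        }
        if (pat[pi].equals("**")) {
            // Let '**' swallow 0..n of the remaining segments.
            for (int k = si; k <= seg.length; k++) {
                if (match(pat, pi + 1, seg, k)) {
                    return true;
                }
            }
            return false;
        }
        if (si == seg.length) {
            return false; // pattern still expects a segment, path has none left
        }
        return segmentMatches(pat[pi], seg[si]) && match(pat, pi + 1, seg, si + 1);
    }

    private static boolean segmentMatches(String pat, String seg) {
        StringBuilder re = new StringBuilder();
        for (char c : pat.toCharArray()) {
            if (c == '*') {
                re.append("[^/]*");
            } else if (c == '?') {
                re.append("[^/]");
            } else {
                re.append(Pattern.quote(String.valueOf(c)));
            }
        }
        return Pattern.matches(re.toString(), seg);
    }

    public static void main(String[] args) {
        String css = "/a4j/s/3_3_2.SR1org/richfaces/renderkit/html/css/"
                + "basic_classes.xcss/DATB/eAELXT5DOhSIAQ!sA18_.html";
        System.out.println("/a4j/*  -> " + matches("/a4j/*", css));
        System.out.println("/a4j/** -> " + matches("/a4j/**", css));
    }
}
```

The single-star pattern covers only direct children of /a4j/, so the deeper skin resources fell through to a rule that required login.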