I've created a custom WebLogic Security Authentication Provider on version 10.3 that includes a custom login module to validate users. As part of the provider, I've implemented the ServletAuthenticationFilter and added one filter. The filter acts as a common log-on page for all the applications within the domain.

When we access any secured URLs by entering them in the address bar, this works fine in IE and Firefox. But when we bookmark the link in IE an odd thing happens. If I click the bookmark, I see our log-on page; then, after I've successfully logged into the system, the basic auth page displays, even though the user is already authenticated. This never happens in Firefox, only IE. It's also intermittent: 1 time out of 5 IE will correctly redirect and not show the basic auth window. Firefox and Opera will correctly redirect every time. We've captured the response headers and compared the successes and failures; they are identical.

    final boolean isAuthenticated = authenticateUser(userName, password, req);

    // Send user on to the original URL
    if (isAuthenticated) {
        res.sendRedirect(targetURL);
        return;
    }

As you can see, once the user is authenticated I do a redirect to the original URL. Is there a step I'm missing? The authenticateUser() method is taken verbatim from an example in Oracle's documents.

import java.io.IOException;

import javax.security.auth.callback.Callback;
import javax.security.auth.callback.CallbackHandler;
import javax.security.auth.callback.NameCallback;
import javax.security.auth.callback.PasswordCallback;
import javax.security.auth.callback.UnsupportedCallbackException;
import javax.security.auth.login.LoginException;
import javax.servlet.http.HttpServletRequest;

import weblogic.servlet.security.ServletAuthentication;

private boolean authenticateUser(final String userName, final String password, HttpServletRequest request) {

    boolean results;

    try {
        // Hand the credentials to the configured login modules. On success WebLogic
        // associates the authenticated subject with the HTTP session of 'request'.
        ServletAuthentication.login(new CallbackHandler() {

            @Override
            public void handle(Callback[] callbacks)
                    throws IOException, UnsupportedCallbackException {

                // Fill in whichever callbacks the login module asks for
                for (Callback callback : callbacks) {
                    if (callback instanceof NameCallback) {
                        NameCallback nameCallback = (NameCallback) callback;
                        nameCallback.setName(userName);
                    }

                    if (callback instanceof PasswordCallback) {
                        PasswordCallback passwordCallback = (PasswordCallback) callback;
                        passwordCallback.setPassword(password.toCharArray());
                    }
                }
            }
        }, request);
        results = true;
    } catch (LoginException e) {
        // The login modules rejected the credentials; treat as a failed login
        results = false;
    }

    return results;
}
I am asking the question here because I don't know if the issue is with the WebLogic config or the code. If this question is more suited to ServerFault please let me know and I will post there.

It is odd that it works every time in Firefox and Opera but not in Internet Explorer. I wish that not using Internet Explorer was an option, but it is currently the company standard. Any help or direction would be appreciated. I have tested against IE 6 and 8 and deployed the custom provider on 3 different environments and I can still reproduce the bug.

A: 

We figured it out.

The fix was to disable auth cookies on the WebLogic server. For some reason Internet Explorer would lose the cookie, causing WebLogic to think the session was being hacked. That is what prompted the basic auth login.

We still don't know what was causing IE to lose the cookie, but this provider is for an intranet, so the fix won't harm our overall security.

I hope this helps someone else.

James
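For reference, the setting the answer refers to is the WebServer MBean attribute AuthCookieEnabled. When it is on (the default), WebLogic issues a second, Secure-flagged cookie, _WL_AUTHCOOKIE_JSESSIONID, once a user authenticates over HTTPS, and an HTTPS request for a protected resource must carry both that cookie and JSESSIONID; a request that presents only JSESSIONID is treated as unauthenticated, which is exactly the re-prompt described in the question. Because the cookie is Secure, a browser never sends it over plain HTTP, so a session that mixes http:// and https:// URLs is the usual way it goes missing. The config.xml fragment below is an added illustration, not from the original post or Oracle's documentation; the server name, port and surrounding elements are placeholders, and the element name follows WebLogic's usual mapping of MBean attribute names to config.xml elements.

```xml
<!-- DOMAIN_HOME/config/config.xml (excerpt). Added example, not from the
     original post; "ManagedServer1" and the port are placeholders. Edit only
     with the server stopped, or make the same change in the Administration
     Console under the server's HTTP protocol settings. -->
<server>
  <name>ManagedServer1</name>
  <listen-port>7001</listen-port>
  <web-server>
    <!-- Default is true: after an HTTPS login WebLogic sets the Secure cookie
         _WL_AUTHCOOKIE_JSESSIONID and requires it, together with JSESSIONID,
         on every HTTPS request for a protected resource. Setting it to false
         turns that check off, which is the change described in the answer. -->
    <auth-cookie-enabled>false</auth-cookie-enabled>
  </web-server>
</server>
```

Turning the check off removes the tie between the HTTPS-only cookie and the session, so a JSESSIONID captured from any plain HTTP request to the same server is then enough to act as the authenticated user over HTTPS. On an all-HTTPS intranet that may be an acceptable trade, as the answer judges; anywhere else, the better fix is to find the http:// hop (a bookmark or redirect target using the wrong scheme, or a proxy terminating TLS in front of WebLogic) that makes the browser drop the Secure cookie, and keep the setting at its default.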