Anyone know of any guides for this? I'm a complete newbie to weblogic and to container-managed security. What I've done already is:

  1. Set up an LDAP authenticator in WebLogic
  2. created a simple webapp in Eclipse
  3. Configure web.xml: Added security-constraint, security-role and login-config elements. The realm name used is "myrealm" which already exists in Weblogic. The role name I used is "Admin" which is a global role in Weblogic
  4. Create a simple jsp page "login.jsp". It doesn't actually do any logging in but just a Hello World type of thing. I set this page as form-login-page and form-error-page in login-config in web.xml
  5. Export this webapp to a war file and deploy it in Weblogic
  6. I test it by accessing http://weblogic-server/test/login.jsp, and I expect that I'll be asked to login using an LDAP user first. This doesn't happen, it just shows the Hello World jsp.

I've also tried adding a weblogic.xml to map the "Admin" role to a specific LDAP user (didn't work).

Any advice? It seems there's a lack of online references for this sort of thing (or I don't really know what I should be searching for)

Edit: I've also tried using BASIC auth instead of FORM (no luck)

My web.xml settings are below:

<security-constraint>
    <display-name>Test SC</display-name>
    <web-resource-collection>
        <web-resource-name>Test WR</web-resource-name>
        <url-pattern>/hello.jsp</url-pattern>
        <http-method>*</http-method>
    </web-resource-collection>
    <auth-constraint>
        <role-name>Admin</role-name>
    </auth-constraint>
</security-constraint>

<security-role>
    <role-name>Admin</role-name>
</security-role>

<login-config>
    <auth-method>BASIC</auth-method>
    <realm-name>myrealm</realm-name>
</login-config>
+1  A: 

The login page must do some sort of logging in, with the 2 required fields. You have to protect the hello_world.jsp page in the web.xml, and when you go to that page, the login page will be presented.

Edit: The order is incorrect: it should be security-constraint, login-config and security-role. Within the web-resource-collection the value of * is invalid for http-method. If you want to protect every method just leave it out.

Note: the server logging would have hinted at the incorrect order of elements in your web.xml.

Salandur
I've tried this, but I'm still getting the hello world page and not getting the login page. I haven't implemented the logging in, I just want to see the redirect to the login page first =/
Roy Tang
Then your security constraint is most likely incorrect. Can you update your question with the relevant sections?
Salandur
updated the question, thanks!
Roy Tang
updated answer :)
Salandur
It worked! Thanks :D
Roy Tang
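
A pre-deployment check for the two descriptor defects the answer identifies (element order and an http-method of *), given here as an added example that is not part of the original thread. It goes one step further and also flags a role used in auth-constraint that has no security-role declaration. The function name lint_web_xml and the <web-app> root wrapped around the samples are assumptions.

```python
import xml.etree.ElementTree as ET

# Element order the answer gives for the security section of web.xml.
ORDER = ["security-constraint", "login-config", "security-role"]

def local(tag):
    """Drop a namespace prefix such as {http://java.sun.com/xml/ns/javaee}."""
    return tag.rsplit("}", 1)[-1]

def lint_web_xml(xml_text):
    """Return findings for the two defects named in the answer, plus undeclared roles."""
    root = ET.fromstring(xml_text)
    findings = []
    section = [c for c in root if local(c.tag) in ORDER]
    ranks = [ORDER.index(local(c.tag)) for c in section]
    if ranks != sorted(ranks):
        findings.append("order: want " + ", ".join(ORDER))
    declared = {(r.text or "").strip()
                for c in section if local(c.tag) == "security-role"
                for r in c if local(r.tag) == "role-name"}
    for sc in (c for c in section if local(c.tag) == "security-constraint"):
        for el in sc.iter():
            value = (el.text or "").strip()
            if local(el.tag) == "http-method" and value == "*":
                findings.append("http-method: '*' is invalid; omit the element to cover every method")
            elif local(el.tag) == "role-name" and value != "*" and value not in declared:
                findings.append("role-name: '%s' has no security-role declaration" % value)
    return findings

# Constructed samples: the question's fragment and the answer's fix, each wrapped in <web-app>.
CONSTRAINT = """<security-constraint>
  <web-resource-collection>
    <web-resource-name>Test WR</web-resource-name>
    <url-pattern>/hello.jsp</url-pattern>%s
  </web-resource-collection>
  <auth-constraint><role-name>Admin</role-name></auth-constraint>
</security-constraint>"""
ROLE = "<security-role><role-name>Admin</role-name></security-role>"
LOGIN = "<login-config><auth-method>BASIC</auth-method><realm-name>myrealm</realm-name></login-config>"
AS_POSTED = "<web-app>" + CONSTRAINT % "<http-method>*</http-method>" + ROLE + LOGIN + "</web-app>"
AS_FIXED = "<web-app>" + CONSTRAINT % "" + LOGIN + ROLE + "</web-app>"

if __name__ == "__main__":
    for name, doc in (("as posted", AS_POSTED), ("as fixed", AS_FIXED)):
        print(name, lint_web_xml(doc) or "no findings")
```

Running a check like this in the build catches a descriptor that would otherwise deploy and serve the page without any login prompt, which is the symptom described in the question.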