tags:

views:

22

answers:

1
Q: 

Configuring container-managed security in Weblogic

Anyone know of any guides for this? I'm a complete newbie to weblogic and to container-managed security. What I've done already is:

  1. setup an LDAP authenticator in Weblogic
  2. created a simple webapp in Eclipse
  3. Configure web.xml: Added security-constraint, security-role and login-config elements. The realm name used is "myrealm" which already exists in Weblogic. The role name I used is "Admin" which is a global role in Weblogic
  4. Create a simple jsp page "login.jsp". It doesn't actually do any logging in but just a Hello World type of thing. I set this page as form-login-page and form-error-page in login-config in web.xml
  5. Export this webapp to a war file and deploy it in Weblogic
  6. I test it by accessing http://weblogic-server/test/login.jsp, and I expect that I'll be asked to login using an LDAP user first. This doesn't happen, it just shows the Hello World jsp.

I've also tried adding a weblogic.xml to map the "Admin" role to a specific LDAP user (didn't work).

Any advice? It seems there's a lack of online references for this sort of thing (or I don't really know what I should be searching for)

Edit: I've also tried using BASIC auth instead of FORM (no luck)

My web.xml settings are below:

<security-constraint>
<display-name>Test SC</display-name>
<web-resource-collection>
    <web-resource-name>Test WR</web-resource-name>
    <url-pattern>/hello.jsp</url-pattern>
    <http-method>*</http-method>
</web-resource-collection>
<auth-constraint>
    <role-name>Admin</role-name>
</auth-constraint>
</security-constraint>

<security-role>
<role-name>Admin</role-name>
</security-role>

  <login-config>
    <auth-method>BASIC</auth-method>
    <realm-name>myrealm</realm-name>
</login-config>
+1  A: 

The login page must do some sort of logging in, with the 2 required fields. You have protect the hello_world.jsp page in the web.xml and go to that pages, the login page will be presented.

Edit: The order is incorrect: it should be security-constraint, login-config and security-role. Within the web-resource-collection the value of * is invalid for http-method. If you want to protect every method just leave it away.

Note: the server logging whould have hinted the incorrect order of elements in your web.xml.

Salandur  2010-10-14 08:32:34
I've tried this, but I'm still getting the hello world page and not getting the login page. I haven't implemented the logging in, I just want to see the redirect to the login page first =/
Roy Tang  2010-10-14 08:46:32
then your security constraint is most likely incorrect, can you update your question with the relevant sections?
Salandur  2010-10-14 08:54:41
updated the question, thanks!
Roy Tang  2010-10-14 09:33:16
updated answer :)
Salandur  2010-10-14 10:33:00
It worked! Thanks :D
Roy Tang  2010-10-15 06:13:40

related questions

Encryption in C# Web-Services
How Do You Secure database.yml?
ASP.NET LocationProvider
What do you (or your company) use for wiping a machine?
Can a proxy server cache SSL GETs? If not, would response body encryption suffice?
Java: What is the best way to SFTP a file from a server
How do I call a Flex SWF from a remote domain using Flash (AS3) ?
Best way to store a database password in a startup script / config file?
Using VM to get around VPN restrictions
Best references for secure coding practices in ASP.NET and classic ASP.
Secure Memory Allocator in C++
Resolving Session Fixation in JBoss
Best Practices for securing a REST API / web service
Defensive programming
Personal Linux web server
Block user access to internals of a site using HTTP_REFERER
Is there an Unobtrusive Captcha for web forms?
My website got hacked... What should I do?
What all do I need to escape when sending a (My)SQL query?
How do you disable browser Autocomplete on web form field / input tag?
Best .NET obfuscation tools/strategy
Are there best practices for testing security in an Agile development shop?
What is the best way to avoid SQL injection attacks?
Found a critical bug, but the company doesn't care
PHP Session Security