Weblogic getremoteuser null
In this scenario, the browser and an instance of WebLogic Server interact in the following manner to authenticate a user (see the figure). The Web server plug-in performs authentication by sending the request, via the HTTP protocol, to WebLogic Server, along with the authentication data (user name and password) received from the user.

In this scenario, the browser and WebLogic Server instance interact in the following manner to authenticate and authorize a user (see the figure). When you use any type of authentication, all Web applications that use the same cookie name use a single sign-on for authentication. Once a user is authenticated, that authentication is valid for requests to any Web application that uses the same cookie name.

The user is not prompted again for authentication. If you want to require separate authentication for a Web application, you can specify a unique cookie name or cookie path for the Web application. Specify the cookie name using the CookieName parameter and the cookie path with the CookiePath parameter, defined in the WebLogic-specific deployment descriptor weblogic.

If you want to retain the cookie name and still require independent authentication for each Web application, you can set the cookie path parameter CookiePath differently for each Web application.

This feature enables Web site designers to prevent session stealing. A common Web security problem is session stealing. This happens when an attacker manages to get a copy of your session cookie, generally while the cookie is being transmitted over the network. This can only happen when the data is being sent in clear-text; that is, the cookie is not encrypted.

Once the secure cookie is set, the session is allowed to access other security-constrained HTTPS resources only if the cookie is sent from the browser. A secure cookie is only sent when an encrypted communication channel is in use. With this feature enabled, once you have logged in over HTTPS, the secure cookie is only sent encrypted over the network and therefore can never be stolen in transit.

Therefore, a Web site designer can ensure that session stealing is not a problem by making all sensitive data require HTTPS. WebLogic Server supports three types of authentication for Web browsers:

The following sections cover the different ways to use these types of authentication: With basic authentication, the Web browser pops up a login screen in response to a WebLogic resource request.

The login screen prompts the user for a user name and password. The figure shows a typical login screen. To develop a Web application that provides basic authentication, perform these steps:

The browser caches user credentials and frequently re-sends them to the server automatically. This can give the appearance that WebLogic Server sessions are not being destroyed after logout or timeout. Depending on the browser, the credentials can be cached just for the current browser session, or across browser sessions.

You can validate that a WebLogic Server's session was destroyed by creating a class that implements the javax. HttpSessionListener interface. Implementations of this interface are notified of changes to the list of active sessions in a web application.

To receive notification events, the implementation class must be configured in the deployment descriptor for the web application in web. Write and deploy the session listener class.

The example shown in the listing uses a simple counter to track the session count. When using FORM authentication with Web applications, you provide a custom login screen that the Web browser displays in response to a Web application resource request and an error screen that displays if the login fails. One figure shows a typical login screen generated using a JSP, and its listing shows the source code. Another figure shows a typical login error screen generated using HTML, and its listing shows the source code.

You use identity assertion in Web applications to verify client identities for authentication purposes. When using identity assertion, the following requirements must be met:

You use two-way SSL in Web applications to verify that clients are whom they claim to be. When using two-way SSL, the following requirements must be met: The Servlet 2. WebLogic Server 9. Authentication will be attempted in the order the values are defined in the auth-method list. For example, you can define the following auth-method list in the login-config element of your web. The auth-method authentication security can be configured in two ways:

To deploy a Web application on a server running in development mode, perform the following steps: If the WebLogic Server instance is running, the application should auto-deploy. Use the Administration Console to verify that the application deployed. If the WebLogic Server instance is not running, the Web application should auto-deploy when you start the server.

Which of these three methods is used is defined by the JACC flags and the security model. To implement declarative security in Web applications, you can use deployment descriptors web.

And at runtime, the servlet container uses the security definitions to enforce the requirements. For a discussion of using deployment descriptors, see Developing Secure Web Applications. For information about how to use deployment descriptors and the externally-defined element to configure security in Web applications declaratively, see externally-defined. The following topics describe the deployment descriptor elements that are used in the web.

The following web. The optional auth-constraint element defines which groups or principals have access to the collection of Web resources defined in this security constraint. The following table describes the elements you can define within an auth-constraint element. The auth-constraint element is used within the security-constraint element.

See Listing for an example of how to use the auth-constraint element in a web. The security-constraint element is used in the web. The following table describes the elements you can define within a security-constraint element.

The listing shows how to use the security-constraint element to define security for the SecureOrdersEast resource in a web. The security-role element contains the definition of a security role. The definition consists of an optional description of the security role and the security role name. The following table describes the elements you can define within a security-role element. See the listing for an example of how to use the security-role element in a web. This extra layer of abstraction allows the servlet to be configured at deployment without changing servlet code.

The following table describes the elements you can define within a security-role-ref element. See Listing for an example of how to use the security-role-ref element in a web. The user-data-constraint element defines how data communicated between the client and the server should be protected.

The following table describes the elements you can define within a user-data-constraint element. The user-data-constraint element is used within the security-constraint element. See Listing for an example of how to use the user-data-constraint element in a web. The web-resource-collection element identifies a subset of the resources and HTTP methods on those resources within a Web application to which a security constraint applies.

The following table describes the elements you can define within a web-resource-collection element. The web-resource-collection element is used within the security-constraint element. See the listing for an example of how to use the web-resource-collection element in a web. The following weblogic.

What could be the reason behind this?

According to the JavaDoc: "Returns the login of the user making this request, if the user has been authenticated, or null if the user has not been authenticated."

If yes, get the logged in username by SecurityContextHolder.

The doc says why you're getting null: "Returns the login of the user making this request, if the user has been authenticated, or null if the user has not been authenticated." You need to investigate the browser that's causing the problem.