Title: SV: Form-based authentication not working right

If nothing else,
the ATM uses form based authentication.


> -----Original Message-----
> From: Chris Bartling [mailto:[EMAIL PROTECTED]]
> Sent: 6 February 2001 04:42
> To: Orion-Interest
> Subject: RE: Form-based authentication not working right
>
>
> Gerald,
>
> I've been working with Form-based authentication for the past several weeks
> on iPlanet 6.0.  Looking at your web.xml deployment descriptor, it looks
> like that's OK.  You aren't using a user-data-constraint, but it's not
> required either.  Check out the J2EE specs and Blueprints for more
> information.
>
> I've used subdirectories for securing my pages, but your single JSP URL
> should work fine in this situation.  It sounds like the form authentication
> is being triggered properly and is presenting you the correct form.
> However, the Orion form authentication impl. does not seem to forward you
> onto the originally requested resource (/SecuredPage.jsp).  Is there any
> sort of example provided by Orion for testing form-based authentication?  I
> would try that if one exists.  Otherwise, I would submit a bug through the
> Orion Bugzilla.
>
> This form-based authentication seems to be a feature that is not well
> supported at the moment by other EJB servers.  I've been fighting with it in
> iPlanet for a while.  If I can get a chance some night this week, I'll
> attempt to get my example of form-based authentication to work on Orion and
> then send out the results to the list.
>
>
> -- chris --
>
>
>
> -----Original Message-----
> From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]]On Behalf Of Gerald Gutierrez
> Sent: Monday, February 05, 2001 5:52 PM
> To: Orion-Interest
> Cc: [EMAIL PROTECTED]
> Subject: Form-based authentication not working right
>
>
>
> Recently I asked about form-based authentication. I appreciate the help
> several people gave, but from the responses I got it seems that I might
> have miscommunicated somehow. I'm going to try again, this time explaining
> myself better.
>
> I'm using Orion 1.4.5 on Windows 2000. The same thing happens on Orion
> 1.3.8.
> I have a number of JSP pages in the directory /app:
>
> MainMenu.jsp          -- the main menu
> SecuredPage.jsp       -- a secured page, see only when authenticated
> LoginForm.jsp -- form for logging in
> LoginError.jsp        -- form displayed when there's an error
>
> The user goes to MainMenu.jsp, where there is a link to SecuredPage.jsp. To
> view this page, the user must be authenticated. The authentication is
> form-based.
>
> This is what should (CORRECTLY) happen:
>
>   1) User goes to MainMenu.jsp.
>   2) User clicks on link to SecuredPage.jsp.
>   3) User is presented with LoginForm.jsp.
>   4) User types in username and password.
>   5a) Login succeeds and SecuredPage.jsp is shown to user.
>   5b) Login fails and LoginError.jsp is shown to user.
>
> HOWEVER, this is the (INCORRECT) sequence of events that I actually get:
>
>   1) -- as before --
>   2) -- as before --
>   3) -- as before --
>   4) -- as before --
>   5a) Login succeeds and directory contents is shown to user.
>   5b) Login fails and directory contents is shown to user.
>
> Note the same (WRONG) thing happens whether or not the user authenticates
> properly. The directory contents is the list of JSP files that I have in
> /app.
>
>
> So ... what's wrong here? It redirects to my login form correctly. It just
> doesn't behave properly when I actually do the login (hit
> "j_security_check" with "j_username" and "j_password"). This is the
> relevant section of my web.xml file:
>
>      <security-constraint>
>          <web-resource-collection>
>              <web-resource-name>LoginTrigger</web-resource-name>
>              <description>LoginTrigger</description>
>              <url-pattern>/SecuredPage.jsp</url-pattern>
>              <http-method>GET</http-method>
>              <http-method>POST</http-method>
>          </web-resource-collection>
>          <auth-constraint>
>              <role-name>myuser</role-name>
>          </auth-constraint>
>      </security-constraint>
>
>      <login-config>
>          <auth-method>FORM</auth-method>
>          <form-login-config>
>              <form-login-page>LoginForm.jsp</form-login-page>
>              <form-error-page>LoginError.jsp</form-error-page>
>          </form-login-config>
>      </login-config>
>
>      <security-role>
>              <role-name>myuser</role-name>
>      </security-role>
>
>
>
>
>
