Java FORM authentication failing

Former Member
0 Kudos

Hi

I'm trying to create custom pages for FORM authentication of a Java web app, but keep getting strange errors. Please could someone point out what I'm doing wrong.

I've created custom pages for login, login-error, password-change, and password-change-error (as per config requirements).

When the user navigates to the web app, they're correctly sent to the login page. Authentication seems to work the first time. Then they log out and are redirected back to the login page. All fine so far. However, when trying to log in again, they're redirected to an error page (HTTP 404).

This is very strange, as the login worked fine the first time, but not the second time. Huh?!?!

Below is sample code (all based on the SAP Help docs):

web-j2ee-engine.xml

<web-j2ee-engine>
	<spec-version>2.4</spec-version>
	
	<security-role-map>
		<role-name>Administrator</role-name>
		<server-role-name>My Administrators Role</server-role-name>
	</security-role-map>

	<login-module-configuration>
		<password-change-config>
			<login-page>change-password.jsp</login-page>
			<error-page>change-password-error.jsp</error-page>
		</password-change-config>
		
		
		<security-policy-domain>/TestWeb</security-policy-domain>
	</login-module-configuration>
</web-j2ee-engine>

web.xml

<web-app>
  <display-name>Test Web App</display-name>
  <welcome-file-list>
    <welcome-file>index.jsp</welcome-file>
  </welcome-file-list>

  <login-config>
    <auth-method>FORM</auth-method>
    <form-login-config>
      <form-login-page>/login.jsp</form-login-page>
      <form-error-page>/login-error.jsp</form-error-page>
    </form-login-config>
  </login-config>

  <security-role>
    <description>Admin role</description>
    <role-name>Administrator</role-name>
  </security-role>

  <security-constraint>
    <display-name>SecureConstraint</display-name>
    <web-resource-collection>
      <web-resource-name>WebResource</web-resource-name>
      <url-pattern>/index.jsp</url-pattern>
    </web-resource-collection>
    <auth-constraint>
      <description>Admin protected authorisation</description>
      <role-name>Administrator</role-name>
    </auth-constraint>
  </security-constraint>
</web-app>

login.jsp

<%@ page language="java" %>
<html>
<body>
<form name="loginForm" method="POST" action="j_security_check">
	Username: <input type="text" name="j_username"><br/>
	Password: <input type="password" name="j_password"><br/>
	<input type="submit" value="submit" />
</form>
</body>
</html>

change-password.jsp

<%@ page language="java" %>
<html>
<body>

<form name="loginChangePasswordForm" method="POST" action="sap_j_security_check">
	Current Password: <input type="password" name="j_sap_current_password" /><br/>
	New Password: <input type="password" name="j_sap_password" /><br/>
	Confirm New Password: <input type="password" name="j_sap_again" /><br/>
	<input type="submit" value="submit" />
</form>

</body>
</html>

logout.jsp

<%@ page language="java" %>

<%

request.getSession().invalidate();
response.sendRedirect("login.jsp");

%>

Any help would be greatly appreciated!

Thanks

Stuart

Accepted Solutions (0)

Answers (2)

Former Member
0 Kudos

Any feedback on this?

I'm still stuck with it and battling to get any help from SAP (but still trying).

Former Member
0 Kudos

Hello Stuart,

The problem is in the logout.jsp page. After invalidating the session you are redirecting to login.jsp, but it is not supposed to be called directly.

Please try redirecting to index.jsp instead. As the session is invalidated, reauthentication will be caused and the login page will display again.

Best regards,

Tanya

Former Member
0 Kudos

Thanks very much for your response... changing the redirect seems to work.

But the exact same code works perfectly on Sun Java Application Server 9.1

Why is there inconsistency across platforms on something so fundamental?

My opinion is that SAP's implementation is incorrect, but I stand to be corrected on this. Why should the login page not be called directly? Any ideas?

Former Member
0 Kudos

Ah... there's a problem. The suggestion did not work after all!

It only works if you don't navigate to a specific page. This is a VERY weird login process! Not standard at all.

I would upload demo code, but this forum won't allow attachments.

Will try to put an explanation together and post it up later.

Thanks

Stuart

Former Member
0 Kudos

Just as a follow-up to this. It seems that calling HttpSession.invalidate() doesn't actually invalidate the session, as I'm still able to navigate to secured pages (without logging in again) after this call has been made.

Any thoughts on why this might be happening?

Former Member
0 Kudos

Please ignore my post about the HttpSession.invalidate(). It seems invalidation does occur, but the browser was loading cached pages.

I'm still having the HTTP 404 error when trying to log in again after logging out. Any ideas on that?
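For readers following the same flow, below is a plain Servlet 2.4 (javax.servlet) implementation of the two points raised in the thread: Tanya's advice to end the session and redirect to a protected resource rather than to login.jsp, so that the container itself issues the FORM challenge, and no-store response headers on protected pages so that a logged-out browser cannot show a cached copy, which is what confused the HttpSession.invalidate() test above. This is an added example, not code from the thread or from SAP. The class name FormAuthSupport, the /logout servlet path and the filter mapping are assumptions; /index.jsp is the protected entry point from the poster's web.xml. The thread does not establish whether this pattern avoids the HTTP 404 on SAP's engine; on a spec-compliant container it is the standard logout sequence.

```java
import java.io.IOException;

import javax.servlet.Filter;
import javax.servlet.FilterChain;
import javax.servlet.FilterConfig;
import javax.servlet.ServletException;
import javax.servlet.ServletRequest;
import javax.servlet.ServletResponse;
import javax.servlet.http.HttpServlet;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;
import javax.servlet.http.HttpSession;

/**
 * Added example, not code from the thread or from SAP. Logout servlet and
 * no-store filter for a FORM-authenticated web app on the Servlet 2.4 API.
 * Assumed names: this class, the /logout path and the filter mapping below;
 * /index.jsp is the protected resource from the poster's web.xml.
 *
 * Assumed web.xml registration (nested classes are referenced with '$'):
 *   <servlet><servlet-name>logout</servlet-name>
 *            <servlet-class>FormAuthSupport$LogoutServlet</servlet-class></servlet>
 *   <servlet-mapping><servlet-name>logout</servlet-name>
 *            <url-pattern>/logout</url-pattern></servlet-mapping>
 *   <filter><filter-name>noCache</filter-name>
 *            <filter-class>FormAuthSupport$NoCacheFilter</filter-class></filter>
 *   <filter-mapping><filter-name>noCache</filter-name>
 *            <url-pattern>/index.jsp</url-pattern></filter-mapping>
 */
public class FormAuthSupport {

    /** Protected resource from the poster's security-constraint. */
    static final String PROTECTED_ENTRY = "/index.jsp";

    /** Tell browsers and proxies not to keep a copy of the response. */
    static void setNoStore(HttpServletResponse resp) {
        resp.setHeader("Cache-Control", "no-store, no-cache, must-revalidate");
        resp.setHeader("Pragma", "no-cache"); // for HTTP/1.0 caches
        resp.setDateHeader("Expires", 0L);
    }

    /**
     * Applied to protected pages so that, after logout, the Back button or a
     * re-navigation cannot display a cached copy of a secured page.
     */
    public static class NoCacheFilter implements Filter {
        public void init(FilterConfig config) { }
        public void destroy() { }

        public void doFilter(ServletRequest req, ServletResponse res, FilterChain chain)
                throws IOException, ServletException {
            if (res instanceof HttpServletResponse) {
                setNoStore((HttpServletResponse) res);
            }
            chain.doFilter(req, res);
        }
    }

    /**
     * Ends the authenticated session and sends the browser to a protected
     * resource. The container then finds no authenticated session, issues the
     * FORM challenge and serves login.jsp itself; login.jsp and j_security_check
     * are not meant to be requested directly.
     */
    public static class LogoutServlet extends HttpServlet {
        protected void doGet(HttpServletRequest req, HttpServletResponse resp)
                throws IOException {
            logout(req, resp);
        }

        protected void doPost(HttpServletRequest req, HttpServletResponse resp)
                throws IOException {
            logout(req, resp);
        }

        private void logout(HttpServletRequest req, HttpServletResponse resp)
                throws IOException {
            // getSession(false): do not create a fresh session just to destroy it.
            HttpSession session = req.getSession(false);
            if (session != null) {
                session.invalidate();
            }
            setNoStore(resp);
            resp.sendRedirect(req.getContextPath() + PROTECTED_ENTRY);
        }
    }
}
```

Point the existing logout link at /logout instead of logout.jsp. The filter is mapped only to the protected URL pattern so that static resources stay cacheable; the redirect target deliberately matches the url-pattern in the security-constraint, because redirecting to an unprotected page would not trigger the FORM challenge at all.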