Hi All,

I'm trying to secure a web application running on Web As 7. I created a login module stack and put it into web-j2ee-engine.xml along with the security role map...

<login-module-configuration>

<login-module-stack>

<login-module>

<login-module-name>EvaluateTicketLoginModule</login-module-name>

<flag>sufficient</flag>

<options>

<option>

<name>ume.configuration.active</name>

<value>true</value>

</option>

</options>

</login-module>

<login-module>

<login-module-name>BasicPasswordLoginModule</login-module-name>

<flag>requisite</flag>

</login-module>

<login-module>

<login-module-name>CreateTicketLoginModule</login-module-name>

<flag>optional</flag>

<options>

<option>

<name>ume.configuration.active</name>

<value>true</value>

</option>

</options>

</login-module>

</login-module-stack>

<password-change-config/>

</login-module-configuration>

<security-role-map>

<role-name>AppEveryone</role-name>

<server-role-name>all</server-role-name>

</security-role-map>

Then I added the auth-method, security-role, and security-constraint to the web.xml file...

<login-config>

<auth-method>BASIC</auth-method>

<realm-name>AppRealm</realm-name>

</login-config>

<security-role>

<description>AppEveryone</description>

<role-name>AppEveryone</role-name>

</security-role>

<security-constraint>

<web-resource-collection>

<web-resource-name>General access restriction</web-resource-name>

<description>

</description>

<url-pattern>/*</url-pattern>

</web-resource-collection>

<auth-constraint>

<description>AppEveryone</description>

<role-name>AppEveryone</role-name>

</auth-constraint>

<user-data-constraint>

<transport-guarantee>NONE</transport-guarantee>

</user-data-constraint>

</security-constraint>

... and everything works fine. If the user allready has a logon ticket they get right into the application, and if they don't have a ticket, a standard web-browser dialogue box pops-up and asks for a username and password. If they authenticate with the dialogue box, they are then given a logon ticket and sent to the application.

So now I want to use an html page rather than the dialog-pop-up box for entering the username and password. So from what I can tell, I still need to use the BasicPasswordLoginModule but I need to change the login-config section of web.xml.

So I changed the <login-config> section of the web.xml to this...

<login-config>

<auth-method>FORM</auth-method>

<realm-name>AppRealm</realm-name>

<form-login-config>

<form-login-page>/login.html</form-login-page>

<form-error-page>/error.html</form-error-page>

</form-login-config>

</login-config>

I then created the login.html and error.html files and put them in the same directory as the .WAR file (I also put copies in the \root directory incase my path wasn't right). They are as follows...

<b>login.html</b> -

<html xmlns="http://www.w3.org/1999/xhtml">

<head>

<title>Login Test: Login Form</title>

</head>

Login Form

Welcome to the login page.

You will have to authenticate to get access to the secure area: <form method="POST" action="j_security_check"> Username: <input type="text" name="j_username">

Password: <input type="password" name="j_password">

<input type="submit" value="Login"> <input type="reset" value="Reset">

</form>

</html>

<b>error.html</b> -

<html xmlns="http://www.w3.org/1999/xhtml">

<head>

<title>Login Test: Error logging in</title>

</head>

<body bgcolor="#FFFFFF">

Error Logging In...

I am sorry, you must have put in the wrong username/password.

</body>

</html>

But for whatever reason I'm still getting the browser pop-up box instead of my form when I try to access the application. What am I doing wrong? I am making all these changes after the app has been deployed, do these changes to the xml files need to be done during the build phase? If anybody has any ideas please let me know... you will be rewarded.