Integrating login security with JSP and Websphere

Posted on 2012-03-14
Last Modified: 2012-08-14
Hi. As mentioned in the topic, I am designing a log-in that caters to both internal and external users by utilizing JSP. My applications are hosted on Websphere and my users are on an Active Directory. I will be relying on Form Authentication, "j_security_check", and "request.getRemoteUser()".

The basic idea is for people to access the application directly if they are internal users within the domain that have been authenticated. For external users, they will be directed to a log-in page and upon successful authentication, will be directed to the application. The application I currently have is just to display a "Hello, <user>".

A brief sequence would be:
- User to access /protected/index.jsp
- If not authenticated, to be directed back to /login.jsp
- Once authenticated, the index.jsp should display the User's ID

I am currently facing two problems. Below are the details.

My /WEB-INF/web.xml file as per the site here:
<?xml version="1.0" encoding="ISO-8859-1"?>
<web-app version="2.5" xmlns="http://java.sun.com/xml/ns/javaee"
         xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
         xsi:schemaLocation="http://java.sun.com/xml/ns/javaee http://java.sun.com/xml/ns/javaee/web-app_2_5.xsd">
    <description>Try login page</description>
    <display-name>Login Page</display-name>
    <login-config> <!-- realm-name is only valid inside login-config, not directly under web-app -->
        <auth-method>FORM</auth-method>
        <realm-name>Example Login</realm-name>
    </login-config>
    <!-- remainder of the descriptor (form-login-config, security-constraint, security-role) not included in the post -->
</web-app>


I gathered my login.jsp would be something like the site here.

The index.jsp is as follows:
        <%-- JSP expression tags (<%= ...) write the value into the page; the original scriptlet tags evaluated the call and discarded the result --%>
        Hello1, <%= request.getRemoteUser() %>
        Hello2, <%= request.getUserPrincipal() != null ? request.getUserPrincipal().getName() : "anonymous" %>


First Problem: Error 403
When I try to access index.jsp, I am automatically redirected to login.jsp. Incorrect login will redirect me to error.jsp. Correct login will result in a "http://<url>/j_server_check" with an "Error 403 : This website requires you to log in."
This means that it is actually working to verify with my Active Directory, but some settings need to be changed. My user in AD is under Administrator as well as Domain Admin, so I am baffled why an Error 403 would occur.
Furthermore, I was previously unable to access the snoop page but after successful login with Error 403, I am able to access the snoop page but it indicates BASIC authentication. I am confused at this point.

Second Problem: Blank Username
I tried adjusting the web.xml to allow all users by changing variations of the <url-pattern>, the <auth-constraint>, as well as the <security-role>. Whichever way I access the index.jsp, the result is blank. Logging into the system as an internal user and accessing the index.jsp, I am greeted with a "Hello, null." for both request.getRemoteUser() and request.getUserPrincipal().getName(), which is equally frustrating.

I feel like I am pretty close to the solution, which I feel is somewhere within the settings. However, I hope someone who has experienced this before can shed light on this issue.

Thank you.
Question by:pcssecure
LVL 27

Expert Comment

ID: 37723028
You can't make the login page protected -- people who are not logged in have to be able to get to it.  Typically you put all the pages which require login in a directory where you can put the url pattern and say the roles of users you allow.  You can also list urls explicitly, if a directory has both protected and public pages in it.

A valid user does not have to have a name, but I can see where you would expect it to be retrieved if you're using AD.

Author Comment

ID: 37723055
Hi mrcoffee365,

Under the web.xml, I put this: <url-pattern>/protected/*</url-pattern>

The files are located in the file structure as follows:

I have Administrator and Users as my roles. I checked with Active Directory. Even assigning a role to a user, I type the words 'admin', it will autocorrect and add for me 'Administrator'. So by right, I should be able to access the login.jsp as I can get rejected for incorrect uid:pwd combo and go through for correct one.
LVL 27

Expert Comment

ID: 37723351
You're right -- I misread the web.xml. It's index.jsp that's under /protected.

The roles are fine.

What does this mean?:
"Even assigning a role to a user, I type the words 'admin', it will autocorrect and add for me 'Administrator'. "
Login doesn't do any autocorrect.  

In any case, I think what you want to do is more complex than the configuration you're working from.

You want Windows-authenticated users to be able to get through and be automatically logged in to your webapp.  All others get a different login.

I would develop those as 2 different things.  Leave out the AD work and just get the form authentication to work.  

Then do the AD login.

If all your users have AD logins, then you can set up the realm in server.xml for login to go to Active Directory, similarly to this:
<Realm className="org.apache.catalina.realm.JNDIRealm" debug="99"


See more discussion of this here: 

If all of your users do not have AD logins, then you have to have a more complex setup.  You could put a filter on Tomcat to read the user info, validate against AD, then automatically log the user in.  All other users would pass through to the normal Tomcat login.

Author Comment

ID: 37723647
Hi mrcoffee365,

I was referring to the assigning of roles to a user in the Active Directory Users and Computers console. I create a user named user01 and can assign him to a role of Admin, or Domain Admin, or User. I tried to match the text to the same as in the Web.xml like "admin" and "users" but under the AD, it will always display Administrator instead of "admin". I am not too sure whether it must be a match to pass through successfully.

Basically I have a domain XXX where users can log into Windows via their computers in the network. These are my internal users and require no additional logging in, something like SSO. There are also external users which connect from outside and require this log-in page.

Currently, I am able to perform the form authentication. With an account uid:pwd of user01:password01 on the AD, I enter incorrect password and it redirects me to error.jsp, I enter it correctly and it redirects me to index.jsp. The problem is when it goes to index.jsp, it informs me of an Error 403, that I am "able to connect to" the page but I am "not authorized to do so".

Yes, all my users have to be in the AD. I read most sites recommend the use of modifying the /conf/tomcat-users.xml but considering I am using Websphere, I am unsure where to go about this.
LVL 25

Expert Comment

by:Tomas Helgi Johannsson
ID: 37723758

Regarding the role names then you are saying :
"I have Administrator and Users as my roles. I checked with Active Directory. Even assigning a role to a user, I type the words 'admin', it will autocorrect and add for me 'Administrator'. So by right, I should be able to access the login.jsp as I can get rejected for incorrect uid:pwd combo and go through for correct one."

However your role names are : 'admin'  and 'users' (case sensitive)
So in your case, if you log in as a user with the role 'Administrator' (as seen from the AD) then you get a 403 error because the role is 'admin', not 'Administrator', as seen from WebSphere.

Hope this helps.

    Tomas Helgi

Author Comment

ID: 37727417
Hi Tomas,

I will check out the case-sensitive <role-name> and see how it goes.

If that's good, I should be able to get onto the second issue.


Author Comment

ID: 37736637

I have tried to modify the web.xml to cater to the users' roles with case sensitivity involved. Unfortunately, it still leads me to the Error 403. No way to get it working. This means I have to get a working sample of another method instead.

I tried a sample code provided by, and utilized the "j_spring_security_check" which works as required. Unfortunately, it uses a user-table embedded within the code. I guess I will have to modify this sample code to access Active Directory via LDAP instead.

LVL 27

Assisted Solution

mrcoffee365 earned 100 total points
ID: 37737804
Yes -- as I pointed out in the previous post, you have to have everything configured to use LDAP.  You didn't post your configuration, but from your questions it sounded as if not all the pieces were correctly configured.  

Configuring LDAP through Tomcat is not for the faint of heart.  Try reading the link I posted above.
LVL 25

Accepted Solution

Tomas Helgi Johannsson earned 400 total points
ID: 37738025

Take a look at this Redbook on WebSphere 7 (I'm guessing that you are using version 7).

There is a good chapter (4, as well as 7 and 8) on how to configure WebSphere against any LDAP server and securing Web/Enterprise apps.

Hope this helps.

    Tomas Helgi

Author Comment

ID: 37764063
In case anyone is wondering, I figured it out and the problems were easily solved with configurations.

1) Assigning roles of Admin and User in Web.xml, one must go into Websphere and under Enterprise Applications > project.war > Security role to user/group mapping, physically assign the roles to Mapped Users such as "All Authenticated in Application's Realm". This will enable the user to access the page and remove the 403 error.

2) Also with the Websphere configuration under SPNEGO Configurations, one must append to the list "|project" to enable it so that request. Thereafter, authenticated users in the domain will access the item straight away, while external users will be redirected to a login page. The request.getRemoteUser() now works.

3) One must also enable SPNEGO and check the box to "Allow fall back to the application authentication mechanism" which will allow for automatic login for internal users and for external users to be redirected to the login.jsp.

4) There is a Spring Security sample that works. The only problem is that it accesses a local Authentication-Provider in its ApplicationContextSecurity.xml instead of the Active Directory. To protect the channel, under <transport-guarantee>NONE</transport-guarantee>, the NONE should be replaced with CONFIDENTIAL.

Thank you.
LVL 27

Expert Comment

ID: 37764073
Great -- thanks very much for posting back how you solved the problem.
