Integrating login security with JSP and Websphere

Posted on 2012-03-14
Last Modified: 2012-08-14
Hi. As mentioned in the topic, I am designing a log-in that caters to both internal and external users by utilizing JSP. My applications are hosted on Websphere and my users are on an Active Directory. I will be relying on Form Authentication, "j_security_check", and "request.getRemoteUser()".

The basic idea is for people to access the application directly if they are internal users within the domain that have been authenticated. For external users, they will be directed to a log-in page and upon successful authentication, will be directed to the application. The application I currently have is just to display a "Hello, <user>".

A brief sequence would be:
- User to access /protected/index.jsp
- If not authenticated, to be directed back to /login.jsp
- Once authenticated, the index.jsp should display the User's ID

I am currently facing two problems. Below are the details.

My /WEB-INF/web.xml file as per the site here:
<?xml version="1.0" encoding="ISO-8859-1"?>
<!-- the truncated Servlet 2.3 DOCTYPE from the original conflicts with the 2.5 schema declared on the root element and is dropped -->
<web-app version="2.5" xmlns="http://java.sun.com/xml/ns/javaee" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xsi:schemaLocation="http://java.sun.com/xml/ns/javaee http://java.sun.com/xml/ns/javaee/web-app_2_5.xsd">
    <description>Try login page</description>
    <display-name>Login Page</display-name>
    <!-- <realm-name> is only valid inside <login-config>; the rest of the posted file was cut off -->
    <login-config>
        <auth-method>FORM</auth-method>
        <realm-name>Example Login</realm-name>
    </login-config>
</web-app>

I gathered my login.jsp would be something like the site here.

The index.jsp is as follows:
<%-- use an expression (opening tag "<%=" rather than "<%"); a plain scriptlet evaluates the call but prints nothing --%>
Hello1, <%= request.getRemoteUser() %>
<%-- getUserPrincipal() returns null for an unauthenticated request, so guard it before calling getName() --%>
Hello2, <%= request.getUserPrincipal() == null ? null : request.getUserPrincipal().getName() %>

First Problem: Error 403
When I try to access index.jsp, I am automatically redirected to login.jsp.  Incorrect login will redirect me to error.jsp. Correct login will result in a "http://<url>/j_server_check" with a "Error 403 : This website requires you to log in."
This means that it is actually working to verify with my Active Directory, but some settings require to be changed. My user in AD is under Administrator as well as Domain Admin so I am baffled why an Error 403 will occur.
Furthermore, I was previously unable to access the snoop page but after successful login with Error 403, I am able to access the snoop page but it indicates BASIC authentication. I am confused at this point.

Second Problem: Blank Username
I tried adjusting the web.xml to allow all users by changing variations of the <url-pattern>, the <auth-constraint>, as well as the <security-role>. In all ways of accessing the index.jsp, it all results in a blank result. Logging into the system as an internal and accessing the index.jsp, I am greeted with a "Hello, null." for both request.getRemoteUser() and request.getUserPrincipal().getName() which is equally frustrating.

I feel like I am pretty close to the solution, which I feel is somewhere within the settings. However, I hope someone who has experienced this before can shed light on this issue.

Thank you.
Question by:pcssecure
LVL 27

Expert Comment

ID: 37723028
You can't make the login page protected -- people who are not logged in have to be able to get to it.  Typically you put all the pages which require login in a directory where you can put the url pattern and say the roles of users you allow.  You can also list urls explicitly, if a directory has both protected and public pages in it.

A valid user does not have to have a name, but I can see where you would expect it to be retrieved if you're using AD.

Author Comment

ID: 37723055
Hi mrcoffee365,

Under the web.xml, I put this: <url-pattern>/protected/*</url-pattern>

The files are located in the file structure as follows:

I have Administrator and Users as my roles. I checked with Active Directory. Even assigning a role to a user, I type the words 'admin', it will autocorrect and add for me 'Administrator'. So by right, I should be able to access the login.jsp as I can get rejected for incorrect uid:pwd combo and go through for correct one.
LVL 27

Expert Comment

ID: 37723351
You're right -- I misread the web.xml. It's index.jsp that's under /protected.

The roles are fine.

What does this mean?:
"Even assigning a role to a user, I type the words 'admin', it will autocorrect and add for me 'Administrator'. "
Login doesn't do any autocorrect.  

In any case, I think what you want to do is more complex than the configuration you're working from.

You want Windows-authenticated users to be able to get through and be automatically logged in to your webapp.  All others get a different login.

I would develop those as 2 different things.  Leave out the AD work and just get the form authentication to work.  

Then do the AD login.

If all your users have AD logins, then you can set up the realm in server.xml for login to go to Active Directory, similarly to this:
<Realm className="org.apache.catalina.realm.JNDIRealm" debug="99"


See more discussion of this here:

If all of your users do not have AD logins, then you have to have a more complex setup.  You could put a filter on Tomcat to read the user info, validate against AD, then automatically log the user in.  All other users would pass through to the normal Tomcat login.

Author Comment

ID: 37723647
Hi mrcoffee365,

I was referring to the assigning of roles to a user in the Active Directory Users and Computers console. I create a user named user01 and can assign him to a role of Admin, or Domain Admin, or User. I tried to match the text to the same as in the Web.xml like "admin" and "users" but under the AD, it will always display Administrator instead of "admin". I am not too sure whether it must be a match to pass through successfully.

Basically I have a domain XXX where users can log into Windows via their computers in the network. These are my internal users and require no additional logging in, something like SSO. There are also external users which connect from outside and require this log-in page.

Currently, I am able to perform the form authentication. With an account uid:pwd of user01:password01 on the AD, I enter incorrect password and it redirects me to error.jsp, I enter it correctly and it redirects me to index.jsp. The problem is when it goes to index.jsp, it informs me of an Error 403, that I am "able to connect to" the page but I am "not authorized to do so".

Yes, all my users have to be in the AD. I read most sites recommend the use of modifying the /conf/tomcat-users.xml but considering I am using Websphere, I am unsure where to go about this.
LVL 25

Expert Comment

by:Tomas Helgi Johannsson
ID: 37723758

Regarding the role names then you are saying :
"I have Administrator and Users as my roles. I checked with Active Directory. Even assigning a role to a user, I type the words 'admin', it will autocorrect and add for me 'Administrator'. So by right, I should be able to access the login.jsp as I can get rejected for incorrect uid:pwd combo and go through for correct one."

However your role names are : 'admin'  and 'users' (case sensitive)
So in your case if you log in as a user with the role 'Administrator' (as seen from the AD) then you get a 403 error because the role is 'admin' not 'Administrator' as seen from WebSphere.

Hope this helps.

    Tomas Helgi

Author Comment

ID: 37727417
Hi Tomas,

I will check out the case-sensitive <role-name> and see how it goes.

If that's good, I should be able to get onto the second issue.


Author Comment

ID: 37736637

I have tried to modify the web.xml to cater to the users' roles with case sensitivity involved. Unfortunately, it still leads me to the Error 403. No way to get it working. This means I have to get a working sample of another method instead.

I tried a sample code provided by, and utilized the "j_spring_security_check" which works as required. Unfortunately, it uses a user-table embedded within the code. I guess I will have to modify this sample code to access Active Directory via LDAP instead.

LVL 27

Assisted Solution

mrcoffee365 earned 300 total points
ID: 37737804
Yes -- as I pointed out in the previous post, you have to have everything configured to use LDAP.  You didn't post your configuration, but from your questions it sounded as if not all the pieces were correctly configured.  

Configuring LDAP through Tomcat is not for the faint of heart.  Try reading the link I posted above.
LVL 25

Accepted Solution

Tomas Helgi Johannsson earned 1200 total points
ID: 37738025

Take a look at this Redbook on WebSphere 7 ( I'm guessing that you are using version 7)

There is a good chapter (4 as well as 7 and 8) on how to configure WebSphere against any LDAP server and securing Web/Enterprise apps.

Hope this helps.

    Tomas Helgi

Author Comment

ID: 37764063
In case anyone is wondering, I figured it out and the problems were easily solved with configurations.

1) Assigning roles of Admin and User in Web.xml, one must go into Websphere and under Enterprise Applications > project.war > Security role to user/group mapping, physically assign the roles to Mapped Users such as "All Authenticated in Application's Realm". This will enable the user to access the page and remove the 403 error.

2) Also with the Websphere configuration under SPNEGO Configurations, one must append to the list "|project" to enable it so that request. Thereafter, authenticated users in the domain will access the item straight away, while external users will be redirected to a login page. The request.getRemoteUser() now works.

3) One must also enable SPNEGO and check the box to "Allow fall back to the application authentication mechanism" which will allow for automatic login for internal users and for external users to be redirected to the login.jsp.

4) There is a Spring Security sample that works. The only problem is that it accesses a local Authentication-Provider in its ApplicationContextSecurity.xml instead of the Active Directory. To protect the channel, under <transport-guarantee>NONE</transport-guarantee>, the NONE should be replaced with CONFIDENTIAL.

Thank you.
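As an added example (not the poster's file and not WebSphere's own), here is a complete web.xml that ties together the pieces discussed in this thread: the /protected/* constraint, case-sensitive role names declared in <security-role>, FORM login against /login.jsp and /error.jsp, and the CONFIDENTIAL transport guarantee from item 4. It assumes those page paths and the role names admin and users from the question; mapping those roles to AD users or groups is still done in the WebSphere console as described in item 1.

```xml
<?xml version="1.0" encoding="UTF-8"?>
<!-- Added example (not the poster's file). Assumes /login.jsp, /error.jsp and
     /protected/index.jsp from the question and the role names admin and users. -->
<web-app version="2.5" xmlns="http://java.sun.com/xml/ns/javaee"
         xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
         xsi:schemaLocation="http://java.sun.com/xml/ns/javaee http://java.sun.com/xml/ns/javaee/web-app_2_5.xsd">
    <display-name>Login Page</display-name>

    <!-- Everything under /protected/ requires an authenticated user holding one of the
         listed roles. login.jsp and error.jsp sit outside this pattern so the container
         can serve them to anonymous users. -->
    <security-constraint>
        <web-resource-collection>
            <web-resource-name>Protected pages</web-resource-name>
            <url-pattern>/protected/*</url-pattern>
        </web-resource-collection>
        <auth-constraint>
            <!-- Role names are case-sensitive and must match <security-role> below exactly;
                 they are mapped to AD users/groups in the WebSphere console, not here. -->
            <role-name>admin</role-name>
            <role-name>users</role-name>
        </auth-constraint>
        <user-data-constraint>
            <!-- CONFIDENTIAL forces HTTPS so the credentials posted to j_security_check
                 are not sent in clear text -->
            <transport-guarantee>CONFIDENTIAL</transport-guarantee>
        </user-data-constraint>
    </security-constraint>

    <!-- FORM auth: the container redirects unauthenticated requests to /login.jsp, whose
         form must POST j_username and j_password to j_security_check. -->
    <login-config>
        <auth-method>FORM</auth-method>
        <realm-name>Example Login</realm-name>
        <form-login-config>
            <form-login-page>/login.jsp</form-login-page>
            <form-error-page>/error.jsp</form-error-page>
        </form-login-config>
    </login-config>

    <!-- Every role referenced in an <auth-constraint> must be declared here -->
    <security-role>
        <role-name>admin</role-name>
    </security-role>
    <security-role>
        <role-name>users</role-name>
    </security-role>
</web-app>
```

With this file in place, a role that is declared but left unmapped in the WebSphere console still yields the 403 from the first problem, so the mapping step in item 1 is not optional.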
LVL 27

Expert Comment

ID: 37764073
Great -- thanks very much for posting back how you solved the problem.
