Integrating login security with JSP and Websphere

Posted on 2012-03-14
Last Modified: 2012-08-14
Hi. As mentioned in the topic, I am designing a log-in that caters to both internal and external users by utilizing JSP. My applications are hosted on Websphere and my users are on an Active Directory. I will be relying on Form Authentication, "j_security_check", and "request.getRemoteUser()".

The basic idea is for people to access the application directly if they are internal users within the domain that have been authenticated. For external users, they will be directed to a log-in page and upon successful authentication, will be directed to the application. The application I currently have is just to display a "Hello, <user>".

A brief sequence would be:
- User to access /protected/index.jsp
- If not authenticated, to be directed back to /login.jsp
- Once authenticated, the index.jsp should display the User's ID

I am currently facing two problems. Below are the details.

My /WEB-INF/web.xml file as per the site here:
<?xml version="1.0" encoding="ISO-8859-1"?>
<!-- Servlet 2.5 descriptors are schema-based, so the unterminated Servlet 2.3 DOCTYPE is dropped here -->
<web-app version="2.5" xmlns="http://java.sun.com/xml/ns/javaee"
         xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
         xsi:schemaLocation="http://java.sun.com/xml/ns/javaee http://java.sun.com/xml/ns/javaee/web-app_2_5.xsd">
    <description>Try login page</description>
    <display-name>Login Page</display-name>
    <!-- realm-name belongs inside login-config; the rest of the posted file (security-constraint etc.) is not shown -->
    <login-config>
        <auth-method>FORM</auth-method>
        <realm-name>Example Login</realm-name>
    </login-config>
</web-app>


I gathered my login.jsp would be something like the site here.

The index.jsp is as follows:
        <%-- An expression tag (<%= ... %>) is needed to write the value into the page; a plain <% ... %> scriptlet evaluates it and prints nothing --%>
        Hello1, <%= request.getRemoteUser() %>
        <%-- getUserPrincipal() returns null when no caller is authenticated, so this line throws a NullPointerException on an unauthenticated request --%>
        Hello2, <%= request.getUserPrincipal().getName() %>


First Problem: Error 403
When I try to access index.jsp, I am automatically redirected to login.jsp. Incorrect login will redirect me to error.jsp. Correct login will result in a "http://<url>/j_server_check" with an "Error 403 : This website requires you to log in."
This means that it is actually working to verify with my Active Directory, but some settings need to be changed. My user in AD is under Administrator as well as Domain Admin, so I am baffled why an Error 403 would occur.
Furthermore, I was previously unable to access the snoop page, but after the successful login with Error 403, I am able to access the snoop page, and it indicates BASIC authentication. I am confused at this point.

Second Problem: Blank Username
I tried adjusting the web.xml to allow all users by changing variations of the <url-pattern>, the <auth-constraint>, as well as the <security-role>. In all ways of accessing the index.jsp, it results in a blank result. Logging into the system as an internal user and accessing the index.jsp, I am greeted with a "Hello, null." for both request.getRemoteUser() and request.getUserPrincipal().getName(), which is equally frustrating.

I feel like I am pretty close to the solution, which I feel is somewhere within the settings. However, I hope someone who has experienced this before can shed light on this issue.

Thank you.
Question by:pcssecure
LVL 27

Expert Comment

ID: 37723028
You can't make the login page protected -- people who are not logged in have to be able to get to it.  Typically you put all the pages which require login in a directory where you can put the url pattern and say the roles of users you allow.  You can also list urls explicitly, if a directory has both protected and public pages in it.

A valid user does not have to have a name, but I can see where you would expect it to be retrieved if you're using AD.

Author Comment

ID: 37723055
Hi mrcoffee365,

Under the web.xml, I put this: <url-pattern>/protected/*</url-pattern>

The files are located in the file structure as follows:

I have Administrator and Users as my roles. I checked with Active Directory. Even assigning a role to a user, I type the words 'admin', it will autocorrect and add for me 'Administrator'. So by right, I should be able to access the login.jsp as I can get rejected for incorrect uid:pwd combo and go through for correct one.
LVL 27

Expert Comment

ID: 37723351
You're right -- I misread the web.xml. It's index.jsp that's under /protected.

The roles are fine.

What does this mean?:
"Even assigning a role to a user, I type the words 'admin', it will autocorrect and add for me 'Administrator'. "
Login doesn't do any autocorrect.  

In any case, I think what you want to do is more complex than the configuration you're working from.

You want Windows-authenticated users to be able to get through and be automatically logged in to your webapp.  All others get a different login.

I would develop those as 2 different things.  Leave out the AD work and just get the form authentication to work.  

Then do the AD login.

If all your users have AD logins, then you can set up the realm in server.xml for login to go to Active Directory, similarly to this:
<!-- Tomcat server.xml fragment; the JNDIRealm attributes that follow debug="99"
     (connectionURL, userPattern, roleBase, ...) were cut off in the post -->
<Realm className="org.apache.catalina.realm.JNDIRealm" debug="99" />


See more discussion of this here: 

If all of your users do not have AD logins, then you have to have a more complex setup.  You could put a filter on Tomcat to read the user info, validate against AD, then automatically log the user in.  All other users would pass through to the normal Tomcat login.

Author Comment

ID: 37723647
Hi mrcoffee365,

I was referring to the assigning of roles to a user in the Active Directory Users and Computers console. I create a user named user01 and can assign him to a role of Admin, or Domain Admin, or User. I tried to match the text to the same as in the Web.xml like "admin" and "users" but under the AD, it will always display Administrator instead of "admin". I am not too sure whether it must be a match to pass through successfully.

Basically I have a domain XXX where users can log into Windows via their computers in the network. These are my internal users and require no additional logging in, something like SSO. There are also external users which connect from outside and require this log-in page.

Currently, I am able to perform the form authentication. With an account uid:pwd of user01:password01 on the AD, I enter incorrect password and it redirects me to error.jsp, I enter it correctly and it redirects me to index.jsp. The problem is when it goes to index.jsp, it informs me of an Error 403, that I am "able to connect to" the page but I am "not authorized to do so".

Yes, all my users have to be in the AD. I read most sites recommend the use of modifying the /conf/tomcat-users.xml but considering I am using Websphere, I am unsure where to go about this.
LVL 25

Expert Comment

by:Tomas Helgi Johannsson
ID: 37723758

Regarding the role names then you are saying :
"I have Administrator and Users as my roles. I checked with Active Directory. Even assigning a role to a user, I type the words 'admin', it will autocorrect and add for me 'Administrator'. So by right, I should be able to access the login.jsp as I can get rejected for incorrect uid:pwd combo and go through for correct one."

However, your role names are 'admin' and 'users' (case sensitive).
So in your case, if you log in as a user with the role 'Administrator' (as seen from the AD), then you get a 403 error because the role is 'admin', not 'Administrator', as seen from WebSphere.

Hope this helps.

    Tomas Helgi

Author Comment

ID: 37727417
Hi Tomas,

I will check out the case-sensitive <role-name> and see how it goes.

If that's good, I should be able to get onto the second issue.


Author Comment

ID: 37736637

I have tried to modify the web.xml to cater to the users' roles with case sensitivity involved. Unfortunately, it still leads me to the Error 403. No way to get it working. This means I have to get a working sample of another method instead.

I tried sample code provided by, and utilized the "j_spring_security_check", which works as required. Unfortunately, it uses a user table embedded within the code. I guess I will have to modify this sample code to access Active Directory via LDAP instead.

LVL 27

Assisted Solution

mrcoffee365 earned 100 total points
ID: 37737804
Yes -- as I pointed out in the previous post, you have to have everything configured to use LDAP.  You didn't post your configuration, but from your questions it sounded as if not all the pieces were correctly configured.  

Configuring LDAP through Tomcat is not for the faint of heart.  Try reading the link I posted above.
LVL 25

Accepted Solution

Tomas Helgi Johannsson earned 400 total points
ID: 37738025

Take a look at this Redbook on WebSphere 7 (I'm guessing that you are using version 7).

There is a good chapter (4, as well as 7 and 8) on how to configure WebSphere against any LDAP server and securing Web/Enterprise apps.

Hope this helps.

    Tomas Helgi

Author Comment

ID: 37764063
In case anyone is wondering, I figured it out and the problems were easily solved with configurations.

1) Assigning roles of Admin and User in Web.xml, one must go into Websphere and under Enterprise Applications > project.war > Security role to user/group mapping, physically assign the roles to Mapped Users such as "All Authenticated in Application's Realm". This will enable the user to access the page and remove the 403 error.

2) Also with the Websphere configuration under SPNEGO Configurations, one must append to the list "|project" to enable it so that request. Thereafter, authenticated users in the domain will access the item straight away, while external users will be redirected to a login page. The request.getRemoteUser() now works.

3) One must also enable SPNEGO and check the box to "Allow fall back to the application authentication mechanism" which will allow for automatic login for internal users and for external users to be redirected to the login.jsp.

4) There is a Spring Security sample that works. The only problem is that it accesses a local Authentication-Provider in its ApplicationContextSecurity.xml instead of the Active Directory. To protect the channel, under <transport-guarantee>NONE</transport-guarantee>, the NONE should be replaced with CONFIDENTIAL.

Thank you.
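Added example, not from the asker or the thread, of step 1 expressed as a binding file rather than a console click: WebSphere stores the "Security role to user/group mapping" in META-INF/ibm-application-bnd.xml of the EAR it builds around the WAR (the packaging location is assumed here; the role name "users" and the AD group name "WebApp-Users" are constructed for the example). The special subject reproduces the "All Authenticated in Application's Realm" choice the asker made; the commented-out group form restricts the role to one AD group, which is the least-privilege choice when not every AD account should reach the application.

```xml
<?xml version="1.0" encoding="UTF-8"?>
<!-- Added example (not from the thread): role-to-subject binding equivalent to the
     console's "Security role to user/group mapping". Assumed location:
     META-INF/ibm-application-bnd.xml of the EAR wrapping project.war. -->
<application-bnd xmlns="http://websphere.ibm.com/xml/ns/javaee"
                 xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
                 xsi:schemaLocation="http://websphere.ibm.com/xml/ns/javaee
                                     http://websphere.ibm.com/xml/ns/javaee/ibm-application-bnd_1_0.xsd"
                 version="1.0">

  <!-- "name" must equal the <role-name> in web.xml exactly, including case.
       Without a mapping the container answers 403 for every caller, even one
       the realm (Active Directory here) authenticated successfully. -->
  <security-role name="users">
    <!-- Any account the configured realm can authenticate holds the role. -->
    <special-subject type="ALL_AUTHENTICATED_USERS"/>
  </security-role>

  <!-- Tighter alternative (replace the block above, do not add a second "users"
       role): only members of the constructed AD group "WebApp-Users" hold it. -->
  <!--
  <security-role name="users">
    <group name="WebApp-Users"/>
  </security-role>
  -->
</application-bnd>
```

With ALL_AUTHENTICATED_USERS, "authenticated" is the only check, so every account the AD realm knows can open /protected/; a group mapping keeps the decision about who may use the application inside AD, where it can be audited, instead of letting membership in the domain imply access.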
LVL 27

Expert Comment

ID: 37764073
Great -- thanks very much for posting back how you solved the problem.
