Package examples.webapp.security

This example demonstrates a simple Web Application that uses authentication to restrict access to a specific directory. This example also demonstrates how to deploy a Web Application in an expanded directory structure.

 

welcome.jsp: Configured as the welcome file for the security Web Application.
admin/edit.jsp: This page is configured in web.xml with a security constraint. Only users with the appropriate authentication can access the admin directory of the Security Web Application.
login.jsp: Presents the form used to authenticate the user. This page is configured in web.xml to be presented whenever an unauthorized user attempts to access admin/edit.jsp, which is protected by a security constraint.
logout.jsp: Presented when the user logs out.
fail_login.html: Error page configured in web.xml to be presented on a failed login attempt.
WEB-INF/web.xml: Web Application deployment descriptor. The descriptor configures access to the admin directory of the Security Web Application.

Configure the example

This example is shipped as an expanded Web Application directory (expanded .WAR format) at

$WL_HOME/samples/server/examples/src/examples/webapp/security

The following instructions deploy this directory as a Web Application and set the Users and Groups in the WebLogic Realm.

  1. Start the server with the examples configuration.

  2. Bring up the Administration Console.

  3. Click through:

    Deployments | Web Application Modules (right-click) | Deploy a new Web Application Module

  4. In the right pane of the console, use the Location links to select the top-level directory of this sample:

    $WL_HOME/samples/server/examples/src/examples/webapp

  5. Select the radio button for the security example shown below the Location links, and click the Target Module button.

  6. Accept the default values on the Review your choices and Deploy screen, and click the Deploy button to deploy the sample.

  7. Click through:

    Security | Realms | myrealm | Groups

  8. This sample relies on a new group named "admin." To add "admin" as a group:

    1. Click on Configure a new Group...
    2. Enter admin in the Name field, and click Apply.

  9. This sample also relies on two sample usernames in the domain. User "Bill" will be a member of the admin group, and user "Ben" will not. To create the new users:

    1. Select the Users node in the left pane

    2. Click the Configure a new User... link in the right pane.

    3. Use the Create User window to enter the following users:

      Name Password
      Bill weblogic1
      Ben weblogic2

    4. After entering the user Bill, click on the Groups tab in the Create User window, move "admin" to the Current Groups column, and click Apply. You can do this immediately after you add Bill, or later by selecting the Users node in the left pane, selecting Bill, and then clicking the Groups tab to access the Groups window.

  10. Load the security Web Application into a browser using a URL such as:

    http://www.setgetweb.com:7001/security

    The Web Application has been configured to serve the welcome page "welcome.jsp" when the root directory is requested. You can see this configured in the WEB-INF/web.xml file using the <welcome-file-list> element.

  11. When you first visit any page in this Web Application, you will not be logged in. If you click on the Configure background link, you will attempt to access the admin/edit.jsp page. Access to all pages under the /admin directory is configured in the web.xml deployment descriptor using the <security-constraint> element.

    This restricts access to these pages to users in the admin role, as defined in the WebLogic security realm; anyone outside of that role is denied.

    Because you are not logged in, you will be presented with the login page. This behavior is configured in the web.xml deployment descriptor with the <login-config> element.

    We configure the Web Application to use a FORM-based login method. This is an alternative to BASIC authentication, where we can provide our own custom web page to prompt the user for login credentials using a simple HTML <form>. The login page is specified as login.jsp. This page must use a specific form, action, and field names, as defined by the Servlet 2.3 specification. You can copy this simple form to create your own pages, and customize them to the same look and feel as your web site.

    The element <realm-name> is omitted here, so the default realm is used. We added two users, Bill and Ben, earlier.

  12. Click on the Configure background link to attempt to access the edit.jsp page. Enter username Ben with password weblogic2 and press submit. You are denied access since you do not have 'admin' privileges.

  13. Click on the 'logout' link. This action invokes the logout.jsp page, which invalidates the current session and effectively logs out the current user. On this page, you may revisit the Web Application, but you will need to log back in to gain access to any page.

    Log in again, this time as Bill, using the password weblogic1. Bill belongs to the admin group and should be able to access the Configure background page.
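
The descriptor elements named in steps 10 and 11, assembled into one Servlet 2.3 web.xml as an added example; this is not the file shipped with the sample. The web-resource-name and the user-data-constraint are assumptions that do not appear on the page, and the latter needs an SSL listen port enabled on the server.

```xml
<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE web-app PUBLIC "-//Sun Microsystems, Inc.//DTD Web Application 2.3//EN"
  "http://java.sun.com/dtd/web-app_2_3.dtd">
<!-- Illustrative descriptor, not the file shipped with the sample. -->
<web-app>
  <!-- Step 10: a request for the application root serves welcome.jsp -->
  <welcome-file-list>
    <welcome-file>welcome.jsp</welcome-file>
  </welcome-file-list>

  <!-- Step 11: everything under /admin requires the admin role -->
  <security-constraint>
    <web-resource-collection>
      <web-resource-name>AdminPages</web-resource-name> <!-- assumed name -->
      <url-pattern>/admin/*</url-pattern>
      <!-- No <http-method> elements: the constraint then covers every HTTP
           method. Listing only GET and POST would leave the rest open. -->
    </web-resource-collection>
    <auth-constraint>
      <role-name>admin</role-name>
    </auth-constraint>
    <!-- Not mentioned on the page (added here): FORM login sends the password
         in the request body, so require TLS for the protected pages. -->
    <user-data-constraint>
      <transport-guarantee>CONFIDENTIAL</transport-guarantee>
    </user-data-constraint>
  </security-constraint>

  <!-- FORM login; <realm-name> is omitted, so the default realm is used -->
  <login-config>
    <auth-method>FORM</auth-method>
    <form-login-config>
      <!-- login.jsp posts j_username and j_password to j_security_check -->
      <form-login-page>/login.jsp</form-login-page>
      <form-error-page>/fail_login.html</form-error-page>
    </form-login-config>
  </login-config>

  <!-- Every role used in an auth-constraint is declared here -->
  <security-role>
    <role-name>admin</role-name>
  </security-role>
</web-app>
```

The login and error pages sit outside /admin/*, so the container can serve them to a user who has not yet authenticated.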