Weblogic setting to avoid direct URL access

  1. Weblogic setting to avoid direct URL access (3 messages)

    Hi
    I am using Weblogic as a web resource container as well as an application server. I want to disallow the application users from directly accessing the JSPs by typing the URLs to the JSPs.
    I know that this can be done by setting session variables or cookies, but is there any way to achieve this without changing the code?
    My entry point is 'login.jsp'. Every user should enter a valid 'username and password' to enter the application.
    Thanks in advance
  2. Hi! Shikar:

    Yes, you can do this if you are using a webapp (J2EE). Let's say, for example, your webapp name is abc.
    There are tags in the web.xml file which can be configured to provide security constraints. The web.xml file exists in the deploy directory of your webapp (the deploy directory is defined using the weblogic.httpd.webApp.abc=c:/myproj/deploy/webapps/abc property in the weblogic.properties file). In this example the deploy area is c:/myproj/deploy/webapps/abc, thus the web.xml file will be located in the c:/myproj/deploy/webapps/abc/WEB-INF directory.

    An excerpt of the web.xml file which specifies the access restrictions is:

        <security-constraint>
            <web-resource-collection>
                <web-resource-name>ABCPages</web-resource-name>
                <description></description>
                <url-pattern>*.jsp</url-pattern>
                <http-method>GET</http-method>
                <http-method>POST</http-method>
            </web-resource-collection>
            <auth-constraint>
                <description>roles who have access</description>
                <role-name>everyone</role-name>
            </auth-constraint>
            <user-data-constraint>
                <description>User data must be transmitted in this manner</description>
                <transport-guarantee>NONE</transport-guarantee>
            </user-data-constraint>
        </security-constraint>

        <login-config>
            <auth-method>FORM</auth-method>
            <form-login-config>
                <form-login-page>/login.jsp</form-login-page>
                <form-error-page>/login_err.jsp</form-error-page>
            </form-login-config>
        </login-config>

    Cut and paste these lines into your web.xml file and also comment out or delete the existing block with <login-config> .. </login-config> from your web.xml file. This will redirect any request to your JSP pages to the login page if the user does not have a valid active session for this webapp.

    Hope this helps.

    Pradeep Nair.
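An added example, not part of the original posts and not WebLogic tooling: a small Python audit of the web.xml excerpt above that reports which HTTP methods and URL patterns its constraint actually covers, including the *.js case asked about later in the thread. The function name `audit`, the `must_protect` list and the namespace-free descriptor are assumptions made for this example.

```python
import xml.etree.ElementTree as ET

# Constructed input: the excerpt from the post, wrapped in a <web-app> root.
WEB_XML = """<web-app>
  <security-constraint>
    <web-resource-collection>
      <web-resource-name>ABCPages</web-resource-name>
      <url-pattern>*.jsp</url-pattern>
      <http-method>GET</http-method>
      <http-method>POST</http-method>
    </web-resource-collection>
    <auth-constraint><role-name>everyone</role-name></auth-constraint>
    <user-data-constraint><transport-guarantee>NONE</transport-guarantee></user-data-constraint>
  </security-constraint>
  <login-config>
    <auth-method>FORM</auth-method>
    <form-login-config>
      <form-login-page>/login.jsp</form-login-page>
      <form-error-page>/login_err.jsp</form-error-page>
    </form-login-config>
  </login-config>
</web-app>"""

def audit(web_xml, must_protect=("*.jsp", "*.js")):
    """Return findings for a descriptor without XML namespaces (assumption)."""
    root = ET.fromstring(web_xml)
    findings, protected = [], set()
    auth = root.findtext("login-config/auth-method", default="").strip()
    # Only constraints with an auth-constraint force a login at all.
    constraints = [sc for sc in root.iter("security-constraint")
                   if sc.find("auth-constraint") is not None]
    for sc in constraints:
        for wrc in sc.iter("web-resource-collection"):
            patterns = [p.text.strip() for p in wrc.iter("url-pattern")]
            protected.update(patterns)
            methods = sorted(m.text.strip() for m in wrc.iter("http-method"))
            if methods:  # listing methods leaves every other method unconstrained
                findings.append(f"{patterns}: only {methods} are constrained")
        tg = sc.findtext("user-data-constraint/transport-guarantee", default="NONE").strip()
        if auth in ("FORM", "BASIC") and tg == "NONE":
            findings.append("credentials may travel without TLS (transport-guarantee NONE)")
    for pattern in must_protect:
        if pattern not in protected and "/*" not in protected:
            findings.append(f"{pattern} is not covered by any auth-constraint")
    return findings

if __name__ == "__main__":
    for line in audit(WEB_XML):
        print("-", line)
```

Removing the `<http-method>` elements makes a constraint apply to every method, and `CONFIDENTIAL` as the transport guarantee makes the container require an encrypted connection for the matched URLs.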




  3. Apart from the following in the web.xml file, what else do I need to do for Form Based Authentication using Weblogic?

        <login-config>
            <auth-method>FORM</auth-method>
            <form-login-config>
                <form-login-page>/login.jsp</form-login-page>
                <form-error-page>/login_err.jsp</form-error-page>
            </form-login-config>
        </login-config>


    Thanks.
  4. Hi,

    I have to block js using direct URL access. Please tell me what changes I have to make in the above code.

    Thanks,

    Avishek