Failed Authentication Response - Weblogic


Thread: Failed Authentication Response

  1. Failed Authentication Response

    Hi all,

    I'm using wls 8.1 with a custom authentication provider. I am trying to figure out a way to control the response returned when a user fails authentication. I want the user redirected to different pages depending on the reason why authentication failed. Any ideas?

    Thanks,

    Kyle Gordon

  2. Re: Failed Authentication Response

    Hello,

    You can try declaring error pages for HTTP authentication error codes in your webapp web.xml (assuming you are using a web app).

    see

    http://e-docs.bea.com/wls/docs81/web...l.html#1017571

    and

    http://www.peachpit.com/articles/art...25445&seqNum=4

    cheers,
    Hoos

  3. Re: Failed Authentication Response

    Thanks for the response Hoos. I had come across that possibility before, and I like it except that weblogic returns both a 401 for failed authentication as well as for failed authorization. Unfortunately for me, I need to respond differently based on atn vs atz.

    Kyle

  4. Re: Failed Authentication Response

    Kyle,

    If you are using a custom authentication provider you may be able to throw either a subclass of the LoginException or a LoginException with a message that will allow you to differentiate between authentication and authorization in your LoginModule implementation.

    I have not tried this but let's say you subclass LoginException to create AuthenticationException and AuthorizationException, then you can register different error pages for these exceptions rather than using the HTTP response code.

    Alternatively you can have one JSP that displays the message from the LoginException.

    I had a quick look at some sample custom security code and I think you may be able to get this working.

    see

    http://dev2dev.bea.com/codelibrary/c...ity_prov81.jsp

    Hope this helps.

    Cheers,
    Hoos

  5. Re: Failed Authentication Response

    Hoos,

    Let me first say thanks for all the time you're putting into this topic. It is hard to find people with in-depth knowledge of the wl security framework.

    However, there is another problem with the proposed solution. You're referring to the throws LoginException part of the login method of the LoginModule. The issue is that since the security framework makes the API call to the login module, it also catches the LoginException and just returns a 401 error code, the exception is always caught.

    Kyle
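
Added example, not from the thread or from BEA's code: plain JAAS outside the container, in the spirit of post 4 but using the JDK's standard LoginException subclasses, showing that the code which owns the LoginContext can see the failure reason and choose a page. DemoModule, the users and the JSP paths are hypothetical, and it assumes Java 8 or later; it does not change the container behaviour described in post 5.

```java
import java.util.*;
import javax.security.auth.Subject;
import javax.security.auth.callback.*;
import javax.security.auth.login.*;
import javax.security.auth.spi.LoginModule;
public class AuthFailureDemo {
    // Hypothetical module with constructed users; stands in for a custom provider's LoginModule.
    public static class DemoModule implements LoginModule {
        private CallbackHandler handler;
        public void initialize(Subject s, CallbackHandler h, Map<String, ?> shared, Map<String, ?> opts) { handler = h; }
        public boolean login() throws LoginException {
            NameCallback name = new NameCallback("user");
            PasswordCallback pass = new PasswordCallback("password", false);
            try { handler.handle(new Callback[] { name, pass }); }
            catch (Exception e) { throw new LoginException("callback failed"); }
            // Each failure reason is reported with its own LoginException subclass.
            if ("locked".equals(name.getName())) throw new AccountLockedException("locked");
            if ("expired".equals(name.getName())) throw new CredentialExpiredException("expired");
            if (!"alice".equals(name.getName()) || !"s3cret".equals(new String(pass.getPassword())))
                throw new FailedLoginException("bad credentials");
            return true;
        }
        public boolean commit() { return true; }
        public boolean abort() { return true; }
        public boolean logout() { return true; }
    }

    // The caller that owns the LoginContext receives the subclass and maps it to a page (placeholder paths).
    static String pageFor(String user, String password) {
        Configuration cfg = new Configuration() {
            public AppConfigurationEntry[] getAppConfigurationEntry(String name) {
                return new AppConfigurationEntry[] { new AppConfigurationEntry(DemoModule.class.getName(),
                    AppConfigurationEntry.LoginModuleControlFlag.REQUIRED, new HashMap<String, Object>()) };
            }
        };
        CallbackHandler h = cbs -> {
            ((NameCallback) cbs[0]).setName(user);
            ((PasswordCallback) cbs[1]).setPassword(password.toCharArray());
        };
        try { new LoginContext("demo", null, h, cfg).login(); return "/home.jsp"; }
        catch (AccountLockedException e) { return "/locked.jsp"; }
        catch (CredentialExpiredException e) { return "/expired.jsp"; }
        catch (LoginException e) { return "/login-failed.jsp"; } // generic page for bad user or password
    }
    public static void main(String[] args) {
        for (String u : new String[] { "alice", "locked", "expired", "mallory" })
            System.out.println(u + " -> " + pageFor(u, "s3cret"));
    }
}
```

The final catch deliberately sends unknown users and wrong passwords to the same page, so the response does not reveal which usernames exist.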
