weblogic 9x 10x double prompt for login basic auth simple


user7931
Oct 3rd, 2007, 10:29 AM
weblogic 9x 10x double prompt for login basic auth simple:

I have a very simple Acegi usage scenario - just basic auth.

It works fine in tomcat 5x.

but in weblogic 9x, 10x,
the scenario is quite weird:

1) weblogic prompts for the ProtectedArea realm, and no matter what credentials you put there

2) weblogic prompts for the Administrator credentials of weblogic itself (I have deployed the application as DD = deployment descriptor based security). Though if I deploy the same application without the acegi beans/listeners, weblogic apparently doesn't prompt for anything.

3) again prompts for ProtectedArea

so I need to get rid of steps (1) and (2) somehow, plz help !! I saw that someone faced a similar problem.


I have configured the minimalistic auth.xml as below:

---------------------

<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE beans PUBLIC "-//SPRING//DTD BEAN//EN" "http://www.springframework.org/dtd/spring-beans.dtd">

<beans>

<!-- Authentication WEB.XML
<filter>
<filter-name>Acegi Filter Chain Proxy</filter-name>
<filter-class>org.acegisecurity.util.FilterToBeanProxy</filter-class>
<init-param>
<param-name>targetClass</param-name>
<param-value>org.acegisecurity.util.FilterChainProxy</param-value>
</init-param>
</filter>

<filter-mapping>
<filter-name>Acegi Filter Chain Proxy</filter-name>
<url-pattern>/*</url-pattern>
</filter-mapping>
-->


<!-- ======================== FILTER CHAIN ======================= -->
<bean id="filterChainProxy" class="org.acegisecurity.util.FilterChainProxy">
<property name="filterInvocationDefinitionSource">
<value>
CONVERT_URL_TO_LOWERCASE_BEFORE_COMPARISON
PATTERN_TYPE_APACHE_ANT
/**=httpSessionContextIntegrationFilter,basicProcessingFilter,exceptionTranslationFilter,filterSecurityInterceptor
</value>
</property>
</bean>

<bean id="httpSessionContextIntegrationFilter" class="org.acegisecurity.context.HttpSessionContextIntegrationFilter"/>

<!-- selected authentication method -->
<bean id="basicProcessingFilter" class="org.acegisecurity.ui.basicauth.BasicProcessingFilter">
<property name="authenticationManager" ref="authenticationManager"/>
<property name="authenticationEntryPoint" ref="basicProcessingFilterEntryPoint"/>
</bean>

<!-- Handle authentication exceptions -->
<bean id="exceptionTranslationFilter" class="org.acegisecurity.ui.ExceptionTranslationFilter">
<property name="authenticationEntryPoint" ref="basicProcessingFilterEntryPoint" />
</bean>

<!-- Secure request -->
<bean id="filterSecurityInterceptor" class="org.acegisecurity.intercept.web.FilterSecurityInterceptor">
<property name="authenticationManager" ref="authenticationManager" />
<property name="accessDecisionManager" ref="accessDecisionManager" />
<property name="objectDefinitionSource">
<value>
CONVERT_URL_TO_LOWERCASE_BEFORE_COMPARISON
PATTERN_TYPE_APACHE_ANT
/**=ROLE_XXX
</value>
</property>
</bean>

<bean id="accessDecisionManager" class="org.acegisecurity.vote.UnanimousBased">
<property name="decisionVoters">
<list>
<ref bean="roleVoter" />
</list>
</property>
</bean>

<bean id="roleVoter" class="org.acegisecurity.vote.RoleVoter">
<property name="rolePrefix">
<value>ROLE_</value>
</property>
</bean>

<!-- ===================== AUTHENTICATION ===================== -->

<bean id="authenticationManager" class="org.acegisecurity.providers.ProviderManager">
<property name="providers">
<list>
<ref local="daoAuthenticationProvider"/>
</list>
</property>
</bean>

<bean id="daoAuthenticationProvider"
class="org.acegisecurity.providers.dao.DaoAuthenticationProvider">
<property name="userDetailsService" ref="inMemoryDaoImpl"/>
</bean>

<bean id="inMemoryDaoImpl" class="org.acegisecurity.userdetails.memory.InMemoryDaoImpl">
<property name="userMap">
<value>
user_val=pas_val,ROLE_XXX
</value>
</property>
</bean>

<bean id="basicProcessingFilterEntryPoint"
class="org.acegisecurity.ui.basicauth.BasicProcessingFilterEntryPoint">
<property name="realmName" value="ProtectedArea"/>
</bean>

</beans>
-------------------------------
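A small diagnostic, added here and not taken from the thread, Acegi or WebLogic, that attributes each 401 in the exchange described in the post above to the realm that issued it, so you can tell whether the application's entry point or the container is doing the prompting. Assumed: the realm name comes from the basicProcessingFilterEntryPoint bean above, the host, path and credentials passed to probe are yours, and "weblogic" in the constructed sample is only a placeholder for the container's realm name.

```python
import base64
import http.client
import re
from dataclasses import dataclass

# Assumed: the application's own Acegi realm, as set on the
# basicProcessingFilterEntryPoint bean in the auth.xml above.
APP_REALM = "ProtectedArea"
_PARAM_RE = re.compile(r'(\w+)\s*=\s*(?:"((?:[^"\\]|\\.)*)"|([^\s,]+))')

@dataclass
class Step:
    status: int
    www_authenticate: "str | None"  # header value, or None when no challenge was sent
    sent_credentials: bool

def parse_challenge(header):
    """Split 'Basic realm="X"' into ('basic', {'realm': 'X'})."""
    scheme, _, params = header.strip().partition(" ")
    found = {k.lower(): (q if q else b) for k, q, b in _PARAM_RE.findall(params)}
    return scheme.lower(), found

def probe(host, port, path, user, password):
    """Fetch path anonymously, then with Basic credentials; record each challenge."""
    token = base64.b64encode(f"{user}:{password}".encode()).decode()
    steps = []
    for hdrs, sent in (({}, False), ({"Authorization": "Basic " + token}, True)):
        conn = http.client.HTTPConnection(host, port, timeout=10)
        conn.request("GET", path, headers=hdrs)
        resp = conn.getresponse()
        steps.append(Step(resp.status, resp.getheader("WWW-Authenticate"), sent))
        conn.close()
    return steps

def diagnose(steps, app_realm=APP_REALM):
    """Attribute every 401 to the realm that issued it. A realm other than the
    application's shows another layer (here the container) is challenging."""
    seen = [(parse_challenge(s.www_authenticate)[1].get("realm", ""), s.sent_credentials)
            for s in steps if s.status == 401 and s.www_authenticate]
    return {
        "prompts": len(seen),
        "foreign_realms": [r for r, _ in seen if r != app_realm],
        "app_realm_rechallenged_after_creds": any(r == app_realm and sent for r, sent in seen),
    }

# Constructed sample mirroring the three prompts in the post; "weblogic" is a
# placeholder for whatever realm name the container really sends.
SAMPLE = [Step(401, 'Basic realm="ProtectedArea"', False),
          Step(401, 'Basic realm="weblogic"', True),
          Step(401, 'Basic realm="ProtectedArea"', True), Step(200, None, True)]
```

Run diagnose(probe(host, port, path, user, password)) against the deployment; a non-empty foreign_realms means a realm other than the Acegi entry point's issued one of the prompts.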

user7931
Oct 3rd, 2007, 10:38 AM
plz help ... we are kinda STUCK, we need to go to production shortly and I've tried everything :(

worldheart
Oct 12th, 2007, 10:01 PM
By the way, why do you use HTTP BASIC Authentication?

user7931
Oct 13th, 2007, 02:38 AM
cause this is part of non-functional requirements... needed for the simple authentication .. what else can I say

worldheart
Oct 13th, 2007, 03:29 AM
> cause this is part of non-functional requirements... needed for the simple authentication .. what else can I say

Can you use HTTP Digest Authentication?

user7931
Oct 13th, 2007, 03:55 AM
Of course I could improvise doing this and that - thank you for the suggestion!!!, but we are using basic auth and this is it. It should work transparently on all the application servers.

normanb
Jan 28th, 2008, 07:30 PM
did you ever solve the double authentication problem with weblogic 10.x?

It seems nasty, basically you have to make sure that your 'acegi' user matches a user in the weblogic realm.

I would be interested in any solution to this, and perhaps it could be added to the FAQ, since searching the mailing list seems to bring up a lot of people asking the same question.

Many thanks,

Norman

user7931
Jan 29th, 2008, 03:47 AM
No we DID NOT SOLVE IT !!!


I have a feeling that it is cheaper to stick with a commercial solution. Open source doesn't seem to support you well. Especially in this case. I was hoping for a response - and got nothing in 3 months ... Of course if we had a commercial alternative to this it would have been nicer... so after all we are quite disappointed. After all, the solution was to disable BASIC auth .. since the stuff is running in a VPN ... and it was not so critical to have it disabled.

Torok
Feb 29th, 2008, 08:16 PM
We resolved this problem by adding this block after the <resource-env-ref> section in the web.xml file:

<login-config>
<auth-method>CLIENT-CERT</auth-method>
</login-config>

Still looking for a better solution though.

Luke Taylor
Mar 1st, 2008, 07:59 AM
> No we DID NOT SOLVE IT !!!
>
> I have a feeling that it is cheaper to stick with a commercial solution. Open source doesn't seem to support you well. Especially in this case. I was hoping for a response - and got nothing in 3 months ... Of course if we had a commercial alternative to this it would have been nicer... so after all we are quite disappointed. After all, the solution was to disable BASIC auth .. since the stuff is running in a VPN ... and it was not so critical to have it disabled.

This forum does not provide guaranteed support on tap. It is here for the community to exchange ideas and help each other if they can. If someone posts a question clearly describing their problem (and it isn't something that they could easily find by searching the forum, google etc) then usually someone will post a reply if they know the answer. People also generally have other things to keep them busy though.

It seems you are effectively saying that you expect both free software and free support from the open source community. I have seen a few threads on here, and issues in Jira, where people are essentially complaining about problems with commercial servers and demanding to know why things don't work with particular server version numbers etc. Leaving aside the issue of people giving up their time freely and having other things to do, it isn't easy to provide support for a commercial product when you don't have a copy of it yourself. And issues with the platform which are only detected as you're going to production imply there is something wrong with your development process.

As you say yourself, everything worked OK on tomcat. There are plenty of organizations providing support in open source these days, so the comparison you draw really isn't valid - you can pay for support on open source products.

Torok
Mar 1st, 2008, 11:14 AM
Good points Luke. User7931 was likely just frustrated, and I'm sure we've all been there. However, the solution I provided worked for my company, despite the fact that it doesn't make any sense ;) It was actually nice to see that someone else was having the same problem, though I do wonder whether the solution works for him as well. If I find any more information I'll post it here in the hopes that it helps someone, because this must be affecting others as well. Furthermore, I don't think it's a problem with Acegi at this point; it seems like it might be a Weblogic issue.

ghazouli
Feb 1st, 2009, 10:43 AM
I was having the same problem on Weblogic 10.3. I tried your workaround and it worked perfectly. I have been trying for a while to figure this out with no luck. I'm lucky I ran across this post.

Can anyone explain what these additional lines in the web.xml do or point to documentation on these directives?

Thanks,
Hisham

andreasimner
Feb 25th, 2009, 02:15 PM
Here is a solution that I found to stop Weblogic from interfering with my Spring Security solution.
http://hovenko.no/blog/2008/10/28/howto-bypass-weblogic-security-model/