WebLogic Portal provides many different ways to implement user login and authentication against any available authentication providers. The following sections provide nine authentication samples to help you better understand the choices you have in implementing authentication. These sections are taken directly from the samples in the Tutorial Portal.
Note: This topic describes how to implement authentication after authentication providers have been configured for use with WebLogic Server. For information on setting up authentication providers, see Using Multiple Authentication Providers In Portal Development.
In these samples, the portal Web project root is <WEBLOGIC_HOME>/samples/portal/portalApp/tutorial. Paths in the samples are relative to this root. All resources and configuration for these samples is included in the tutorial portal Web project which uses the <WEBLOGIC_HOME>/samples/domains/portal/config.xml server (called portalServer). To use these samples in your own domains and portal Web projects, import or mimic the files and configurations used in the samples.
This topic includes the following samples:
Source Location: /portlets/login/formLogin/
The example /WEB-INF/web.xml specifies a CONFIDENTIAL transport-guarantee so the /portlets/login/formLogin/login_link.jsp must build a HTTPS URL to access the redirect.jsp. The redirect.jsp simply redirects back to the portal. This example leaves the protocol in HTTPS, but you could switch back to HTTP in redirect.jsp if you only wanted HTTPS to protect your username/password during login.
Note: The <form-login-page>
URLs specified in web.xml will be different
based on whether you are running the portal from a .portal
file in WebLogic Workshop or assembled from the database when you create a
desktop in the WebLogic Administration Portal. For example, when running a
file based portal such as sample.portal (in
development) the <form-login-page> element
might be specified with
/samplel.portal?_nfpb=true&_pageLabel=login.
When running an assembled portal (in production) the <form-login-page>
element might be specified with /appmanager/samplePortal/sampleDesktop?_nfpb=true&_pageLabel=login.
Source Location: /portlets/login/clientCert/
These are the steps for using client certificate authorization:
Note: democlient-cert.p12 was created for demonstration purposes and is not meant for production use. If you choose to generate your own certificate using openssl, they have instructions at their Web site at www.openssl.org.
The following steps are for configuring WebLogic Server to use SSL and the democlient-cert correctly.
Because the form-based login example uses SSL, the one-way SSL was already configured for the server. If you need to enable client-certificate authentication for any server, it is a prerequisite to configure one-way SSL (see "Configuring SSL" in "Managing WebLogic Security" at http://download.oracle.com/docs/cd/E13222_01/wls/docs81/secmanage/ssl.html).
After you take these steps, you can access the portal and /portlets/login/formLogin/login_link.jsp to use your client certificate to get logged in to the portal Web application. See the form-based login example for an explanation of the use of the login link to access a protected resource.
Source Location: /portlets/login/backingFileLogin/
This example uses portal personalization code and a backing file to log in (/WEB-INF/src/portlet/login/LoginBacking.java). The backing file also redirects back to the portal so that database state is not clobbered by control state.
Source Location: /portlets/login/pageflowLogin/
This example uses Java Page Flow to show how a multi-page user registration portlet can be accomplished. This example has 4 pages:
Source Location: /portlets/login/ssoLogin/
This is an example of single sign-on between two Web applications. For single sign-on to work, both Web applications must have matching cookie name entries in web.xml. Since by default WebLogic sets the cookie names to be identical if unspecified for a Web application, this behavior should work by default.
Source Location: /portlets/login/autologin/
Note: This example uses cookies, which is an insecure authentication method.
This example shows how to use cookies and encoding for autologin. When you login and select the "autologin" checkbox, it will encode your username and password. The username and password will be added as a cookie to the response for a life of 1 day. After this point, if you leave the portal and come back, you will be logged in automatically, including when you exit the browser. If you log out, the cookies will be deleted and you will no longer be automatically logged in when you revisit the portal.
This example uses a backing file (/WEB-INF/src/portlet/login/AutoLoginBacking.java).
Source Location: /portlets/login/basicLogin/
This example uses the same principles as the form-based login. To use basic authentication, simply uncomment the FORM or CLIENT-CERT based authentication methods in web.xml, and use the basic method of authentication. You can use one of the default users in the realm such as visitor1/password to log in.
Source Location: /portlets/login/loginRequiredPortal/
This example shows a portal that is only accessible after user authentication. To enable this, simply add a security constraint entry in web.xml for all URL resources. For Example:
<security-constraint> <web-resource-collection> <web-resource-name>login</web-resource-name> <description>Security constraint for the whole portal</description> <url-pattern>/*</url-pattern> </web-resource-collection> <auth-constraint> <description>all users</description> <role-name>AnonymousRole</role-name> </auth-constraint> </security-constraint>
Source Location: /portlets/login/perimeterLogin/
See the following WebLogic Server documentation topics: