Form-based authentication lets developers customize the authentication user interface. The login-config section of web.xml defines the type of authentication mechanism, and the URIs to login and error pages.
These instructions assume a security realm is already created and configured to LDAP active directory.
1. Create Group:
Go to Security Realms -> myrealm (already created realm) -> Users & Groups -> Groups. Create a new group AdminGroup. Select DefaultAuthenticator as provider.
2. Create User:
Go to Security Realms -> myrealm (already created realm) -> Users & Groups -> Users. Create a new user AdminUser. Select DefaultAuthenticator as provider.
3. Associate user with group
Click on the created user and under Groups tab, select the AdminGroup. This will associate the user with the group
4. Associate the user/group security model to the deployment.
Go to Deployments -> myDeployment -> Security. Create New scoped role.
Select the newly created scoped role and Add Conditions. Select group from Predicate List drop down and select the newly created AdminGroup.
Violaa.. you are almost done with the setup in console.
5. On your webapps, add the following into web.xml
<security-constraint> <display-name></display-name> <web-resource-collection> <web-resource-name>AdminGroup</web-resource-name> <description>Security Constraints for AdminGroup</description> <url-pattern>/*</url-pattern> <http-method>POST</http-method> <http-method>GET</http-method> </web-resource-collection> <auth-constraint> <description>Security Constraints for AdminGroup</description> <role-name>AdminGroup</role-name> </auth-constraint> <user-data-constraint> <description>SSL not required</description> <transport-guarantee>NONE</transport-guarantee> </user-data-constraint> </security-constraint> <login-config> <auth-method>FORM</auth-method> <realm-name>MyApplication</realm-name> <form-login-config> <form-login-page>/login.jsp</form-login-page> <form-error-page>/login_error.jsp</form-error-page> </form-login-config> </login-config> <security-role> <description>Administrators</description> <role-name>AdminGroup</role-name> </security-role>
6. Update weblogic.xml with the role assignment
<security-role-assignment> <role-name>AdminGroup</role-name> <externally-defined/> </security-role-assignment>
7. Create login.jsp
<form method="POST" action="j_security_check">
<input type="text" name="j_username">
<input type="password" name="j_password">
</form>
That’s it. That’s all there is for setting up the login.
To logout the user, form based authentication goes by regular HTTP session. So in your logout.jsp, calling session.invalidate(); will invalidate the session and logs the user out.