Using WLST to Check the Value of enforce-valid-basic-auth-credentials

Securing Web Applications 3-11

The enforce-valid-basic-auth-credentials flag is true by default, and WebLogic Server authentication is performed. If authentication fails, the request is rejected. WebLogic Server must therefore have knowledge of the user and password. You may want to change the default behavior if you rely on an alternate authentication mechanism. For example, you might use a backend web service to authenticate the client, so that WebLogic Server does not need to know about the user. With the default authentication enforcement enabled, the web service can do its own authentication, but only if WebLogic Server authentication first succeeds. If you explicitly set the enforce-valid-basic-auth-credentials flag to false, WebLogic Server does not perform authentication for HTTP BASIC authentication client requests for which access control was not enabled for the target resource. In the previous example of a backend web service that authenticates the client, the web service can then perform its own authentication without WebLogic Server having knowledge of the user.

3.3.2.1 Setting the enforce-valid-basic-auth-credentials Flag

To set the enforce-valid-basic-auth-credentials flag, perform the following steps:

1. Add the enforce-valid-basic-auth-credentials element to config.xml within the security-configuration element:

       <security-configuration>
         :
         <enforce-valid-basic-auth-credentials>false</enforce-valid-basic-auth-credentials>
       </security-configuration>

2. Start or restart all of the servers in the domain.

3.3.2.2 Using WLST to Check the Value of enforce-valid-basic-auth-credentials

The Administration Console does not display or log the enforce-valid-basic-auth-credentials setting. However, you can use WLST to check the value in a running server. Remember that enforce-valid-basic-auth-credentials is a domain-wide setting. The WLST session shown in Example 3–5 demonstrates how to check the value of the enforce-valid-basic-auth-credentials flag in a sample running server.

Note: The Security Configuration MBean provides domain-wide security configuration information. The enforce-valid-basic-auth-credentials flag affects the entire domain.

Example 3–5 Checking the Value of enforce-valid-basic-auth-credentials

    wls:/offline> connect('weblogic','weblogic','t3://localhost:7001')
    Connecting to t3://localhost:7001 with userid weblogic ...
    Successfully connected to Admin Server 'examplesServer' that belongs to domain 'wl_server'.
    wls:/wl_server/serverConfig> cd('SecurityConfiguration')
    wls:/wl_server/serverConfig/SecurityConfiguration> ls()
    dr--   wl_server
    wls:/wl_server/serverConfig/SecurityConfiguration> cd('wl_server')
    wls:/wl_server/serverConfig/SecurityConfiguration/wl_server> ls()
    dr--   DefaultRealm
    dr--   Realms
    -r--   AnonymousAdminLookupEnabled                  false
    -r--   CompatibilityConnectionFiltersEnabled        false
    -r--   ConnectionFilter                             null
    -r--   ConnectionFilterRules                        null
    -r--   ConnectionLoggerEnabled                      false
    -r--   ConsoleFullDelegationEnabled                 false
    -r--   Credential
    -r--   CredentialEncrypted
    -r--   CrossDomainSecurityEnabled                   false
    -r--   DowngradeUntrustedPrincipals                 false
    -r--   EnforceStrictURLPattern                      true
    -r--   EnforceValidBasicAuthCredentials             false
    :
    :

3-12 Programming Security for Oracle WebLogic Server
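Because the Administration Console does not surface this flag, a domain review has two places to read it from: the config.xml element described in Section 3.3.2.1 and the EnforceValidBasicAuthCredentials attribute in the WLST ls() output of Example 3–5. The following script is an added example, not part of the Oracle documentation or of WebLogic Server; it reads both sources, applies the documented default (the flag is true when the element is absent from config.xml), and states what the resulting setting means for HTTP BASIC requests. The config.xml fragment and the ls() listing embedded in it are constructed samples; the parser ignores XML namespaces so it does not depend on the exact schema URI of the domain file.

```python
"""Audit the WebLogic enforce-valid-basic-auth-credentials setting.

Added example (not from the Oracle documentation). Reads the flag from a
domain's config.xml and from a captured WLST ls() listing, applying the
documented default of true when the element is absent.
"""
import re
import xml.etree.ElementTree as ET

# Constructed sample config.xml fragment with the flag explicitly disabled.
SAMPLE_CONFIG_XML = """<?xml version="1.0" encoding="UTF-8"?>
<domain xmlns="http://xmlns.oracle.com/weblogic/domain">
  <name>wl_server</name>
  <security-configuration>
    <name>wl_server</name>
    <enforce-valid-basic-auth-credentials>false</enforce-valid-basic-auth-credentials>
  </security-configuration>
</domain>
"""

# Constructed sample in which the element is absent, so the default applies.
SAMPLE_CONFIG_XML_DEFAULT = """<?xml version="1.0" encoding="UTF-8"?>
<domain xmlns="http://xmlns.oracle.com/weblogic/domain">
  <name>wl_server</name>
  <security-configuration>
    <name>wl_server</name>
  </security-configuration>
</domain>
"""

# Constructed sample of WLST ls() output, in the layout shown in Example 3-5.
SAMPLE_WLST_LS = """dr--   DefaultRealm
dr--   Realms
-r--   AnonymousAdminLookupEnabled                  false
-r--   EnforceStrictURLPattern                      true
-r--   EnforceValidBasicAuthCredentials             false
"""


def _local_name(tag):
    """Strip the {namespace} prefix ElementTree attaches to qualified tags."""
    return tag.rsplit("}", 1)[-1]


def flag_from_config_xml(xml_text):
    """Effective value of enforce-valid-basic-auth-credentials in config.xml.

    Returns True when the element is absent, matching the documented default.
    """
    root = ET.fromstring(xml_text)
    for element in root.iter():
        if _local_name(element.tag) != "security-configuration":
            continue
        for child in element:
            if _local_name(child.tag) == "enforce-valid-basic-auth-credentials":
                return (child.text or "").strip().lower() == "true"
    return True


# Matches the "-r--   EnforceValidBasicAuthCredentials   <value>" row of ls().
_WLST_ROW = re.compile(r"^-r--\s+EnforceValidBasicAuthCredentials\s+(\S+)", re.M)


def flag_from_wlst_ls(ls_output):
    """Parse the attribute from captured ls() output; None if the row is missing."""
    match = _WLST_ROW.search(ls_output)
    if match is None:
        return None
    return match.group(1).lower() == "true"


def assess(enforced):
    """One-line statement of what the setting means for HTTP BASIC requests."""
    if enforced:
        return ("enforced: WebLogic Server validates HTTP BASIC credentials and "
                "rejects requests whose user or password it does not know")
    return ("not enforced: for resources without access control, WebLogic Server "
            "passes HTTP BASIC credentials through unvalidated; the backend must "
            "authenticate them itself")


if __name__ == "__main__":
    print("config.xml (explicit):", assess(flag_from_config_xml(SAMPLE_CONFIG_XML)))
    print("config.xml (default): ", assess(flag_from_config_xml(SAMPLE_CONFIG_XML_DEFAULT)))
    print("WLST ls():            ", assess(flag_from_wlst_ls(SAMPLE_WLST_LS)))
```

Run it against the real domain by replacing the constructed strings with the contents of the domain's config.xml and a saved WLST session; a disagreement between the two sources usually means the file was edited but the servers were not restarted (step 2 of Section 3.3.2.1).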

3.3.3 Developing FORM Authentication Web Applications

When using FORM authentication with Web applications, you provide a custom login screen that the Web browser displays in response to a Web application resource request, and an error screen that is displayed if the login fails. The login screen can be generated using an HTML page, JSP, or servlet. The benefit of form-based login is that you have complete control over these screens, so you can design them to meet the requirements of your application or enterprise policy or guideline. The login screen prompts the user for a user name and password. Figure 3–4 shows a typical login screen generated using a JSP, and Example 3–6 shows the source code.

Figure 3–4 Form-Based Login Screen (login.jsp)

Example 3–6 Form-Based Login Screen Source Code (login.jsp)

    <html>
      <head>
        <title>Security WebApp login page</title>
      </head>
      <body bgcolor="#cccccc">
        <blockquote>
          <img src="Button_Final_web.gif" align="right">
          <h2>Please enter your user name and password:</h2>
          <p>
          <form method="POST" action="j_security_check">