WAS 5.1 Authentication
S***@otpp.com
2006-03-20 21:30:50 UTC
Hello all,

Here is my problem: I have an application that uses form-based authentication to protect all of its JSP pages.

The initial user log-on goes as planned and works fine.

After a session time-out, a user gets kicked back out to the logon page configured for the form-based authentication. All is well up to this point. After re-logging in, the user is supposed to go to his/her requested page; however, in the server logs I see this error:

WebCollaborat A SECJ0056E: Authentication failed for reason <null>

and the user is now redirected to the error page without hitting the intended page. If the user now types in the URL to go into the secure area of the site, it works fine and no error shows up. I'm seeing this weird behaviour in both IE and Firefox.

The authentication is done via an LDAP user registry (configured in Active Directory). It is weird how the initial log-in goes without a hitch but the log-in after a time-out does not go as planned.

I would appreciate any input and direction as to how to resolve this issue.

Thank you in advance!

Regards,
Steve
Paul Ilechko
2006-03-20 23:06:27 UTC
Post by S***@otpp.com
Hello all,
Here is my problem: I have an application that uses form based
authentication to protect all of its jsp pages.
The initial user log-on goes as planned and works fine.
After a session time-out, a user gets kicked back out into the logon
page configured for the form based authentication.
Do you have global security enabled? If so, are you using LTPA or SWAM?

If you are using WAS security with LTPA, there is no relation between
authentication and the session timeout. Even if the session expires, if
there is still an LTPA cookie at the browser then the user is still
logged on. You should just let the user continue working, and if the
LTPA token actually has expired, then WAS will force a new login.

Remember, LTPA provides SSO across multiple WAS applications, each of
which may have its own session with its own timeout. Just because one
application times out doesn't mean that the user should be forced to log
in again. Think about how ugly that could get ...
S***@otpp.com
2006-03-21 18:38:10 UTC
Post by Paul Ilechko
Post by S***@otpp.com
Hello all,
Here is my problem: I have an application that uses form based
authentication to protect all of its jsp pages.
The initial user log-on goes as planned and works fine.
After a session time-out, a user gets kicked back out into the logon
page configured for the form based authentication.
Do you have global security enabled? If so, are you using LTPA or SWAM?
If you are using WAS security with LTPA, there is no relation between
authentication and the session timeout. Even if the session expires, if
there is still an LTPA cookie at the browser then the user is still
logged on. You should just let the user continue working, and if the
LTPA token actually has expired, then WAS will force a new login.
Remember, LTPA provides SSO across multiple WAS applications, each of
which may have their own session with its own timeout. Just because one
application times out doesn't mean that the user should be forced to log
in again. Think about how ugly that could get ...
Hello,

Thank you for the response! Global security is enabled and I am using SWAM, not LTPA.

The user should only be authorized for that one WAS application as they do not, or should reauthenticate when they access other applications on that server. From my understanding, LTPA will allow SSO over all the applications, which is undesirable in my situation.

Would SWAM be a potential problem in my case?

Thanks in advance!
Paul Ilechko
2006-03-21 20:22:16 UTC
Post by S***@otpp.com
Hello,
Thank you for the response! Global security is enabled and I am using SWAM, not LTPA.
The user should only be authorized for that one WAS application as
they do not, or should reauthenticate when they access other
applications on that server. From my understanding, LTPA will allow
SSO over all the applications, which is undesirable in my situation.
OK, but you seem to be confusing authorization and authentication, which
are two different concepts. Authentication is proving that the user is
who they claim to be. Re-authentication is an annoyance to the user and
adds nothing from a security perspective, unless you are using a
different authentication technique, such as requiring a certificate.

Authorization is about defining what rights people have to use the
various systems or functions within systems. You can certainly have a
user log in only once, but protect different applications in different
ways based on roles.
Post by S***@otpp.com
Would SWAM be a potential problem in my case?
Thanks in advance!
Hard to say, but SWAM is not generally recommended for production usage,
as it is less secure than LTPA. Also, SWAM does not provide a
forwardable token, so you can't make a remote EJB call with the identity
from the web container.

SWAM does use the HTTP session for tracking the user, so it makes sense
that they would be forced to log in again when the session expires. I
don't really understand why you are getting that error, though.
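As an added illustration of the two points Paul makes (the session timeout is a separate setting from the authentication mechanism, and a single form-based login can be combined with role-based authorization for different parts of the application), here is a Servlet 2.3 web.xml fragment. This is example configuration written for this thread, not Steve's deployment descriptor or anything from WebSphere's documentation; the paths (/login.jsp, /loginError.jsp, /secure/*, /admin/*), the role names (user, admin) and the 30-minute timeout are assumed values.

```xml
<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE web-app PUBLIC "-//Sun Microsystems, Inc.//DTD Web Application 2.3//EN"
  "http://java.sun.com/dtd/web-app_2_3.dtd">
<web-app>
  <display-name>Example form-based authentication (constructed example)</display-name>

  <!-- HTTP session lifetime in minutes. This governs the session only;
       with LTPA the authentication token has its own, separately
       configured lifetime. With SWAM the authenticated identity lives in
       this session, so expiry here forces a new login. -->
  <session-config>
    <session-timeout>30</session-timeout>
  </session-config>

  <!-- Authorization: ordinary pages require the "user" role ... -->
  <security-constraint>
    <web-resource-collection>
      <web-resource-name>Protected pages</web-resource-name>
      <url-pattern>/secure/*</url-pattern>
      <http-method>GET</http-method>
      <http-method>POST</http-method>
    </web-resource-collection>
    <auth-constraint>
      <role-name>user</role-name>
    </auth-constraint>
    <!-- Credentials and session cookie travel only over HTTPS -->
    <user-data-constraint>
      <transport-guarantee>CONFIDENTIAL</transport-guarantee>
    </user-data-constraint>
  </security-constraint>

  <!-- ... while the administrative area requires the "admin" role.
       One login, different rights per URL space. -->
  <security-constraint>
    <web-resource-collection>
      <web-resource-name>Administration</web-resource-name>
      <url-pattern>/admin/*</url-pattern>
    </web-resource-collection>
    <auth-constraint>
      <role-name>admin</role-name>
    </auth-constraint>
    <user-data-constraint>
      <transport-guarantee>CONFIDENTIAL</transport-guarantee>
    </user-data-constraint>
  </security-constraint>

  <!-- Authentication: container-managed form login. The error page is
       where the container sends the browser when the login fails, which
       matches the redirect Steve observes after SECJ0056E. -->
  <login-config>
    <auth-method>FORM</auth-method>
    <form-login-config>
      <form-login-page>/login.jsp</form-login-page>
      <form-error-page>/loginError.jsp</form-error-page>
    </form-login-config>
  </login-config>

  <!-- Roles referenced above; mapped to LDAP users or groups at deployment -->
  <security-role>
    <role-name>user</role-name>
  </security-role>
  <security-role>
    <role-name>admin</role-name>
  </security-role>
</web-app>
```

With container-managed FORM authentication, /login.jsp must contain a form that posts to the well-known action `j_security_check` with fields named `j_username` and `j_password`; the container, not the application, validates them against the configured registry. The mapping of the `user` and `admin` roles onto actual LDAP users or groups is done in WebSphere at deployment time (for example in the administrative console), not in web.xml, so the descriptor stays the same whichever registry backs it.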