Tags: jakarta-ee, weblogic, wicket, java-ee-6, weblogic12c

Java EE 6 form-based authentication with Wicket 7


I'm facing a very confusing fact: we have a WAR module within a Java EE application with context root "foo". Access is restricted via

<login-config>
    <auth-method>FORM</auth-method>
    <realm-name>fooRealm</realm-name>
    <form-login-config>
      <form-login-page>/login</form-login-page>
      <form-error-page>/loginerror</form-error-page>
    </form-login-config>
</login-config>

The protected resource is defined like this

<security-constraint>

    <web-resource-collection>
      <web-resource-name>Foo-App</web-resource-name>
      <url-pattern>/bar/*</url-pattern>
      <http-method>GET</http-method>
      <http-method>POST</http-method>
    </web-resource-collection>

    <auth-constraint>
      <role-name>foo-role</role-name>
    </auth-constraint>

    <user-data-constraint>
      <transport-guarantee>INTEGRAL</transport-guarantee>
    </user-data-constraint>

</security-constraint>

Login and Login-Error pages are mounted using Wicket 7:

mountPage("login", LoginWebPage.class);
mountPage("loginerror", LoginErrorWebPage.class);

What I do is navigate to https://localhost:7002/foo/bar and the application server (WebLogic 12.1.3) redirects to https://localhost:7002/foo/login (just as expected). LoginWebPage is a simple WebPage with the following HTML:

<form method="POST" action="j_security_check">
    <input name="j_username" type="text" />
    <input name="j_password" type="password" />
    <input type="submit" value="Login" />
</form>

The WebPage.java file in Wicket is a simple web page without any Wicket widgets. The only thing here is that some CSS resources are included as PackageResourceReferences:

import org.apache.wicket.markup.head.CssHeaderItem;
import org.apache.wicket.markup.head.IHeaderResponse;
import org.apache.wicket.markup.html.WebPage;

public class LoginWebPage extends WebPage {

    // No Wicket components on this page; it only contributes CSS to the <head>.
    @Override
    public void renderHead(IHeaderResponse response) {
        super.renderHead(response);
        response.render(CssHeaderItem.forReference(...));
    }
}

Now I'm facing the following problem: if I enter valid credentials on the LoginWebPage, then I'm redirected to the protected resource /foo/bar. The behavior is different when I enter invalid credentials: then the URL remains at /foo/j_security_check and the server responds with status code 404. If I navigate manually to /foo/loginerror, then I see the login error page. I can't understand where the error is.

Can someone help?


Solution

  • WebLogic forwards to <form-error-page> (instead of redirecting), so the Wicket filter won't be able to handle /loginerror. The container isn't able to find /loginerror and responds with a 404 instead.

    I'm not sure whether this conforms to the standard; you'd have to try other containers for comparison. As a workaround you could use a JSP:

    <form-error-page>/loginerror.jsp</form-error-page>
    

    ... that redirects to the actual Wicket page:

    <% response.sendRedirect("./loginerror"); %>
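The following web.xml fragment is an added example and is not code from the question or the answer above. It is built on the configuration posted in the question and assumes the Wicket filter is declared with the name `wicket.foo` on `/*` with application class `com.example.foo.FooApplication` (all three are placeholders). It shows three things a practitioner would want to check in this setup: (1) by default a servlet filter only sees REQUEST dispatches, so a container that forwards to `<form-error-page>` bypasses the Wicket filter unless the mapping also declares `FORWARD`; adding that dispatcher is an alternative to try before the JSP redirect in the answer, with the JSP remaining the fallback if the container's forward still does not reach the filter; (2) listing only GET and POST in the `<web-resource-collection>` leaves every other method (HEAD, PUT, DELETE, OPTIONS, TRACE, ...) on `/bar/*` uncovered, i.e. reachable without authentication, which Servlet 3.1 (supported by WebLogic 12.1.3) closes with `<deny-uncovered-http-methods/>`; (3) credentials travel in the `j_security_check` POST, so the transport guarantee that actually promises encryption is `CONFIDENTIAL`, not `INTEGRAL`.

```xml
<?xml version="1.0" encoding="UTF-8"?>
<!-- Added example, not the original project's web.xml. Names marked
     "placeholder" are assumptions; everything else mirrors the question. -->
<web-app xmlns="http://xmlns.jcp.org/xml/ns/javaee"
         xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
         xsi:schemaLocation="http://xmlns.jcp.org/xml/ns/javaee
                             http://xmlns.jcp.org/xml/ns/javaee/web-app_3_1.xsd"
         version="3.1">

  <!-- Standard WicketFilter declaration (filter name and application class
       are placeholders). -->
  <filter>
    <filter-name>wicket.foo</filter-name>
    <filter-class>org.apache.wicket.protocol.http.WicketFilter</filter-class>
    <init-param>
      <param-name>applicationClassName</param-name>
      <param-value>com.example.foo.FooApplication</param-value>
    </init-param>
  </filter>

  <!-- Without the <dispatcher> elements a filter-mapping applies to REQUEST
       dispatches only. A container that forwards (RequestDispatcher.forward)
       to /loginerror after a failed j_security_check therefore never enters
       the filter, and the bare path /loginerror has no servlet behind it: 404.
       Declaring FORWARD (and ERROR, for <error-page> entries) lets the
       mounted Wicket pages answer forwarded requests as well. -->
  <filter-mapping>
    <filter-name>wicket.foo</filter-name>
    <url-pattern>/*</url-pattern>
    <dispatcher>REQUEST</dispatcher>
    <dispatcher>FORWARD</dispatcher>
    <dispatcher>ERROR</dispatcher>
  </filter-mapping>

  <!-- Same login configuration as in the question; /login and /loginerror
       lie outside /bar/* and so are reachable without authentication. -->
  <login-config>
    <auth-method>FORM</auth-method>
    <realm-name>fooRealm</realm-name>
    <form-login-config>
      <form-login-page>/login</form-login-page>
      <form-error-page>/loginerror</form-error-page>
    </form-login-config>
  </login-config>

  <security-constraint>
    <web-resource-collection>
      <web-resource-name>Foo-App</web-resource-name>
      <url-pattern>/bar/*</url-pattern>
      <!-- Constraining only GET and POST means HEAD, PUT, DELETE, OPTIONS,
           TRACE, ... on /bar/* are "uncovered" and need no login. Either
           omit <http-method> entirely (constrain all methods) or keep the
           list and add <deny-uncovered-http-methods/> below. -->
      <http-method>GET</http-method>
      <http-method>POST</http-method>
    </web-resource-collection>
    <auth-constraint>
      <role-name>foo-role</role-name>
    </auth-constraint>
    <user-data-constraint>
      <!-- INTEGRAL only promises tamper protection; CONFIDENTIAL promises
           encryption, which is what a credential POST needs. Most
           containers force HTTPS for both, but only CONFIDENTIAL is
           specified to do so. -->
      <transport-guarantee>CONFIDENTIAL</transport-guarantee>
    </user-data-constraint>
  </security-constraint>

  <!-- Servlet 3.1: every HTTP method not listed in a constraint that names
       methods is denied (403) instead of silently allowed. -->
  <deny-uncovered-http-methods/>

  <security-role>
    <role-name>foo-role</role-name>
  </security-role>

</web-app>
```

With the FORWARD dispatcher in place, check the failed-login path once more; if WebLogic still answers 404 for a forwarded /loginerror, keep the JSP redirect from the answer, which turns the forward into a fresh client request that the filter does see. Independently of which of the two you use, verify the uncovered-method fix with an unauthenticated request such as `curl -k -X DELETE https://localhost:7002/foo/bar/` and confirm it is no longer served.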