Applies To:Show Versions
- 11.6.5, 11.6.4, 11.6.3, 11.6.2, 11.6.1
Creating Login Pages for Secure Application Access
About creating login pages
Your web application may contain URLs that should be accessed only through other URLs. For example, in an online banking application, account holders should be able to access their account information only by logging on through a login screen first. In your security policy, you can create login URLs to limit access to authenticated URLs.
A login page is a URL in a web application that requests must pass through to get to the authenticated URLs. Use login pages, for example, to prevent forceful browsing of restricted parts of the web application, by defining access permissions for users. Login pages also allow session tracking of user sessions.
Authenticated URLs are URLs that become accessible to users only after they successfully log in to the login URL. A logout URL is a URL that, if accessed, forces users to return to the login URL before re-accessing authenticated URLs. System administrators use these special URLs to prevent forceful browsing by causing users to pass through the login URL before viewing the restricted authenticated URLs.
Creating login pages
On the Main tab, click
.The Login Pages List screen opens.
- In the Current edited policy list near the top of the screen, verify that the edited security policy is the one you want to work on.
The New Login Page screen opens.
For the Login URL setting, specify a URL that users must pass through to get to the application.
- From the list, select the type of URL: Explicit or Wildcard.
- Select either HTTP or HTTPS based on the type of traffic the web application accepts.
Type an explicit URL or wildcard expression in the field.
When you click in the field, the system lists URLs that it has seen, and you can select a URL from the list. Or, you can type explicit URLs in the format /login, and wildcard URLs without the slash, such as *.php.
From the Authentication Type list, select the method the web server
uses to authenticate the login URL's credentials with a web user.
Option Description None The web server does not authenticate users trying to access the web application through the login URL. This is the default setting. HTML Form The web application uses a form to collect and authenticate user credentials. If using this option, you also need to type the user name and password parameters written in the code of the HTML form. HTTP Basic Authentication The user name and password are transmitted in Base64 and stored on the server in plain text. HTTP Digest Authentication The web server performs the authentication; user names and passwords are not transmitted over the network, nor are they stored in plain text. NTLM Microsoft LAN Manager authentication (also called Integrated Windows Authentication) does not transmit credentials in plain text, but requires a continuous TCP connection between the server and client.
In the Access Validation area, define at least one validation criteria for the login
If you define more than one validation criteria, the response must meet all the criteria before the system allows the user to access the application login URL.Note: The system checks the access validation criteria on the response of the login URL only if the response has one of the following content-types: text/html, text/xml, application/sgml, application/xml, application/html, application/xhtml, application/x-asp, and application/x-aspx.
Click Create to add the login page to the security policy.
The new login page is added to the login pages list.
- Add as many login pages as needed for your web application.
- In the editing context area, click Apply Policy to put the changes into effect.
Login page access validation criteria
Following are descriptions of the access validation criteria for the response to the login URL. You configure one or more of these validations when defining a login page.
|Define in login page as
|A string that should appear in the response
|A string that must appear in the response for the system to allow the user to access the authenticated URL; for example, Successful Login.
|A string that should NOT appear in the response
|A string that indicates a failed login attempt and prohibits user access to the authenticated URL; for example, Authentication failed.
|Expected HTTP response status code
|An HTTP response code that the server must return to the user to allow access to the authenticated URL; for example, 200.
|Expected validation header name and value (for example, Location header)
|A header name and value that the response to the login URL must match to permit user access to the authenticated URL.
|Expected validation domain cookie name
|A defined domain cookie name that the response to the login URL must match to permit user access to the authenticated URL.
|Expected parameter name (added to URI links in the response)
|A parameter that must exist in the login URL’s HTML body to allow access to the authenticated URL.
Enforcing login pages
On the Main tab, click
.The Login Enforcement screen opens.
- If you want the login URL to be valid for a limited time, set Expiration Time to Enabled, and type a value, in seconds.
For the Authenticated URLs setting, specify the target URLs that
users can access only by way of the login URL:
- In the Authenticated URLs field, type the target URL name in the format /private.php (wildcards are allowed).
- Click Add to add the URL to the list of authenticated URLs.
- Repeat to add as many authenticated URLs as needed.
Optionally, use the Logout URLs setting to specify the URLs used
to log out of the web application:
- In the Logout URLs field, type the URL in the format /logout.html (explicit URLs only).
- Click Add.
- Repeat to add as many logout URLs as needed.
- Click Save to save your settings.
- To put the security policy changes into effect immediately, click Apply Policy.