We are transitioning an existing Flex (4.6) application to use two-way SSL protocol communication.
We are using Weblogic 12.0 c and accessing it through Internet Explorer 8 (IE8).
The site is accessed through an https:// URL reference.
All of the SSL certificates appear to have been created and configured (imported) correctly for both client and server.
[This assumption may be in error, but does not seem to be the case]
Both the client and server machines are on the same LAN (Intranet)
Immediately after a successful login we see a pop-up dialog requesting user credentials.
IE8: Title: Windows Security
Message: The server XXXX at YYYY requires a user name and password:
Firefox delivers a similar window titled: "Authentication Required"
This behavior is often intermittent and it does not appear to care what values are entered into the dialog.
I have found a way to bypass this behavior in IE8 by adding the server to the list of trusted sites (by https:// URL).
A similar (workaround) solution exists for Firefox (through about:config and adding the URL to the "network.automatic-ntlm-auth.trusted-uris" values).
However, this is not considered as an acceptable solution. A preferred solution needs to exist within the configuration of the weblogic server or the server application.
Is there a way to configure the Weblogic SSL mechanisms so that the second request is not sent? More importantly, the additional login pop-up is not displayed?
I am working on gathering an accrurate SSL debug trace to further illustrate the issue.
Thank you for any help that can be provided.
I think the second pop-up is coming because of http:401 code in the header. On receiving a 401, the browsers default behavior is the basic auth pop-up.
Have you tried to check the headers? Possible way forward here would be check whether this is only observed with SSL enabled and if that is the case, try to enable ssl level debugging on the server and check whether the certificate and keystores are configured as per the requirement. But if this is irrespective of SSL, then may be we should check authentication on WLS end.
First, thanks for looking at my question.
Second, what utilities do I need in order to view the incoming messages (to the IE browser) from our Weblogic 12.c server?
Third, the message exchange appears to be part of the "standard"? negotiation of an SSL connection (with 1-way certificate authentication).
What causes Weblogic to place that code into its message header?
What can be done to prevent the Weblogic server from placing the 401 code into its message?
We have gone through the process of obtaining a signed certificate and importing it and the trust certs into the proper key stores. Would an error or omission in any of these steps cause this issue?
can you paste your web.xml here? i am interested in seeing your auth method.
you can enable debugHttp to see the request headers on WLS.
you can use fiddler to capture http headers... can u also paste your config.xml?