I have deployed a Java application on a WebLogic 12C server. It uses security descriptors in web.xml and weblogic.xml for JSecurity authentication and authorization. That part works fine.
web.xml:

    <security-constraint>
        <display-name>Security Constraint for User</display-name>
        <web-resource-collection>
            <web-resource-name>Protected resources</web-resource-name>
            <description>Protection for internal pages</description>
            <url-pattern>/home/*</url-pattern>
            <url-pattern>/Summary/*</url-pattern>
        </web-resource-collection>
        <auth-constraint>
            <role-name>MyAppUser</role-name>
        </auth-constraint>
    </security-constraint>
    <security-constraint>
        <display-name>Constraint for Administrators</display-name>
        <web-resource-collection>
            <web-resource-name>Pages protected for administrators</web-resource-name>
            <url-pattern>/Profile/*</url-pattern>
        </web-resource-collection>
        <auth-constraint>
            <role-name>MyAppAdmin</role-name>
        </auth-constraint>
    </security-constraint>
    <login-config>
        <auth-method>FORM</auth-method>
        <form-login-config>
            <form-login-page>/Login/</form-login-page>
            <form-error-page>/LoginError/</form-error-page>
        </form-login-config>
    </login-config>

Now I am attempting to add code for a JSP where a logged-in user types the old and new passwords to have the password changed. I found one reference but can't find it again. All searches point to resetting the WebLogic admin account using configuration files or using the security realm pages of the console.
I should also mention that users and roles are defined in the security realm on the dev server, while in production they are authenticated using an OpenLDAP server, which has been added as an authentication provider in WL's security realm.