Midtier – Custom login page

login.jsp – the JSP/HTML document itself.
login_common.jsp – JSP with helper functions used by login.jsp. These functions have been replaced by jQuery (getting the timezone, etc.).

 ———————————–
Login page tweaks – the page is built entirely with jQuery but still uses the standard BMC login flow (LoginServlet).

  1. Timezone – in the default login page this parameter is filled in by JSP; jQuery can add it to a hidden field as well.
  2. In development/test environments the login page displays the environment and which MT instance behind the LB served the page – user friendly for developers. Note that this discloses internal host names and addresses to unauthenticated visitors, so it must be disabled (or gated on an environment flag) in production.
  3. The user name is filled in by an ActiveX function (IE is our standard browser, so the field stays empty in other browsers).
  4. The message window shows the id of the MT; in production it instead shows the health of the servers/LB or an emergency notice loaded over the AR API.
  5. If a user arrives via an old/other URL, you can redirect them to the correct URL with the right http(s) scheme to avoid the "Connected from Another Machine" problem.

login.jsp

1. Define the page header: the classes and the encoding declared here are all used by the page.

<%@ page import="com.remedy.arsys.share.MessageTranslation" %>
<%@ page import="com.remedy.arsys.config.Configuration" %>
<%@ page import="com.remedy.arsys.session.Params" %>
<%@ page import="com.remedy.arsys.session.HttpSessionKeys" %>
<%@ page import="com.remedy.arsys.session.Login" %>
<%@ page import="com.remedy.arsys.session.LoginServlet" %>
<%@ page import="com.remedy.arsys.stubs.SessionData" %>
<%@ page import="com.remedy.arsys.stubs.ARServerUserBean" %>
<%@ page import="com.remedy.arsys.share.CacheDirectiveController" %>
<%@ page import="com.remedy.arsys.support.Validator" %>
<%@ page import="com.remedy.arsys.share.HTMLWriter"%>
<%@ page import="java.util.regex.Pattern"%>
<%@ page import="java.net.InetAddress" %>
<%@page pageEncoding="UTF-8"%>
<%@page contentType="text/html; charset=UTF-8"%>

2. BMC-provided login logic (the scriptlet below is taken from the stock login.jsp)
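<jsp:useBean id="userbean" class="com.remedy.arsys.stubs.ARServerUserBean" scope="request"></jsp:useBean>
<%
 // SW00468484 - With Atrium SSO enabled in MidTier, going directly to login.jsp page causes unnecessary MT login and subsequent 403 error after ASSO login.
 // getProperty() may return null when the property is not configured, and the page must stop
 // after sendRedirect(): without the return the rest of login.jsp is still evaluated against an
 // already committed response.
String customAuthenticatorClassName = Configuration.getInstance().getProperty("arsystem.authenticator");
if (customAuthenticatorClassName != null
        && customAuthenticatorClassName.equalsIgnoreCase("com.remedy.arsys.sso.AtriumSSOAuthenticator")) {
    response.sendRedirect(request.getContextPath() + Login.HOME_URL);
    return;
}

//SW00319463 - XSS attack on IE via specific pattern: ";[JS script]//[more JS script]. Just strip URL params and re-route to login.jsp
//additional pattern - any upper-lower case variation of <script>
// NOTE(review): this is a deny-list on two substrings, not a general XSS defence; the HTML
// escaping of each reflected value further down the page is what protects the rendered markup.
String queryString = request.getQueryString();
if (queryString != null) {
    // Locale.ROOT so that a Turkish default locale cannot turn "SCRIPT" into a non-matching string.
    if (queryString.indexOf("//") != -1
            || queryString.toLowerCase(java.util.Locale.ROOT).indexOf("<script>") != -1) {
        if (queryString.indexOf(Params.GOTO_URL) != -1) {
            // getParameter() can be null when the query string merely contains the text of
            // Params.GOTO_URL, so guard before calling length() on the escaped copy.
            String rawGoto = request.getParameter(Params.GOTO_URL);
            String goto_url = (rawGoto == null) ? null : Validator.URLParamsEscape(rawGoto);
            // The browser follows the raw parameter, so the raw value is validated with
            // isInclusiveGotoUrl() as well; previously only the escaped copy was checked
            // while the redirect used the unchecked raw string.
            if (goto_url != null
                    && goto_url.length() >= 4
                    && "http".equalsIgnoreCase(goto_url.substring(0, 4))
                    && LoginServlet.isInclusiveGotoUrl(goto_url, request)
                    && LoginServlet.isInclusiveGotoUrl(rawGoto, request))
                response.sendRedirect(rawGoto);
            else
                response.sendRedirect(request.getContextPath() + Login.LOGIN_URL);
        } else
            response.sendRedirect(request.getContextPath() + Login.LOGIN_URL);
        return;
    }
}

//SW00293926: current user not logged out but goes directly to login.jsp and logs in as another user,
//so we clear out previous credentials. NOTE: the credentials are kept for re-use to save the costly
//authenticator from retrieving unnecessarily in an SSO env.
if (session.getAttribute(HttpSessionKeys.USER_CREDENTIALS) != null)
    session.removeAttribute(HttpSessionKeys.USER_CREDENTIALS);

   // Values read from the session by the stock page. ipOverrideMsg, usererror and passworderror
   // are not referenced by the markup below in this custom page; they are kept so the scriptlet
   // stays in step with the BMC original.
   String ipOverrideMsg = (String)session.getAttribute(HttpSessionKeys.MULTI_IP_OVERRIDE_MSG);
   if (ipOverrideMsg == null)
      ipOverrideMsg = "";

   // Previously entered user name, re-displayed (HTML-escaped) in the form.
   String name = (String)session.getAttribute(HttpSessionKeys.LOGIN_NAME);
   if (name == null)
       name = "";
   
   String locale = SessionData.getLocale(request);

   // Raw request parameters; both are reflected into hidden fields and MUST be HTML-escaped there.
   String nextPage = (String)request.getParameter(Params.GOTO_URL);
   if (nextPage == null)
       nextPage = "";
    

   String server = (String)request.getParameter(Params.SERVER);
   if (server == null)
       server = "";

   boolean usererror = false;
   if (session.getAttribute(HttpSessionKeys.LOGIN_USER_ERROR) != null)
      usererror = true;

   boolean passworderror = false;
   if (session.getAttribute(HttpSessionKeys.PASSWORD_ERROR) != null)
      passworderror = true;

   // Target URL to return to after login: the session value if present, else the raw query string.
   // StripOffScriptTag/URLParamsEscape are BMC deny-list helpers; '"' is additionally replaced so
   // the value can sit inside a double-quoted attribute.
   String iframeurl = null;
   String requrl = (String)session.getAttribute(HttpSessionKeys.TARGET_URL);
   if (requrl == null)
       requrl = Validator.StripOffScriptTag(request.getQueryString());
   else
       requrl = Validator.StripOffScriptTag(requrl);
   if(requrl!=null)
        requrl=Validator.URLParamsEscape(requrl.replaceAll(Pattern.quote("\""), "%22"));
   if (requrl != null && (requrl.length()>0) && requrl.charAt(0) == '/')
   {
       int appidx = requrl.indexOf("/apps/");
       if (appidx != -1) {
              // a block of code moved to ARServerUserBean.java to work around the issue in weblogic
              iframeurl = userbean.calculateIframeURLForLogin(request, requrl, session, locale);
       }
   }
   
  //need CacheDirectiveController to force content update whenever forwarding (see method doc)
   CacheDirectiveController.forceContentUpdate(request, response);
    %>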

4. Define the HTML content

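<!DOCTYPE html>
<html>
 <head>
        <%-- A login page must not be stored by the browser or an intermediary (it re-displays the
             previous user name), so no-store is added to the original no-cache. This is in addition
             to CacheDirectiveController.forceContentUpdate() in the scriptlet above. --%>
        <%response.addHeader("Cache-Control", "no-cache, no-store, must-revalidate");%>
        <meta http-equiv="Content-Type" content="text/html; charset=UTF-8" />
        <link rel="SHORTCUT ICON" href="<%=request.getContextPath() + "/resources/images/favicon.ico"%>">
        <meta http-equiv="Pragma" content="no-cache">
        <title>Remedy - <%=MessageTranslation.getLocalizedText(locale, "Login")%></title><!--;-->
        <!--                       CSS                       -->
        <link rel="stylesheet" href="<%=request.getContextPath()%>/shared/resources/css/reset.css" type="text/css" media="screen" />
        <link rel="stylesheet" href="<%=request.getContextPath()%>/shared/resources/css/style.css" type="text/css" media="screen" />
        <link rel="stylesheet" href="<%=request.getContextPath()%>/shared/resources/css/invalid.css" type="text/css" media="screen" />    
        <!--[if lte IE 7]>
            <link rel="stylesheet" href="resources/css/ie.css" type="text/css" media="screen" />
        <![endif]-->
        <!--                       Javascripts                       -->
        <!-- jQuery -->
        <script type="text/javascript" src="<%=request.getContextPath()%>/shared/resources/scripts/jquery.min.js"></script>
        <!-- jQuery Cookies-->
        <script type="text/javascript" src="<%=request.getContextPath()%>/shared/resources/scripts/jquery.cookie.js"></script>
        <!-- jQuery Timezone-->
        <script type="text/javascript" src="<%=request.getContextPath()%>/shared/resources/scripts/jstz-1.0.4.min.js"></script>
        <!-- jQuery Configuration (served as a JSP so it can read server-side settings) -->
        <script type="text/javascript" src="<%=request.getContextPath()%>/shared/resources/scripts/simpla.jquery.configuration.jsp"></script>
    </head>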
 
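<body id="login">
        
        <div id="login-wrapper" class="png_bg">
        <%-- NOTE(review): id="logo" is reused by the UniKey image further down; duplicate ids are
             invalid HTML. Left unchanged because style.css may select on #logo. --%>
        <img id="logo" src="<%=request.getContextPath()%>/shared/resources/images/logo.png" alt="UBIS" />
            <div id="login-top">
                <!-- Logo (221px width) -->
                <img id="logo_app" width="310px" src="resources/images/BMCREMEDY.png" onload="speedTest()" alt="REMEDY" />
            </div> <!-- End #login-top -->
            
            <div id="login-loading">
                <img src="resources/images/loading.gif">
            </div>

            <div id="login-content">
                <noscript> <!-- Shown only when JavaScript is disabled; the form is hidden via CSS -->
                    <style type="text/css">
                        #loginform {display:none;}
                    </style>
                    <div class="error notification png_bg">
                        <div>
                            <p>
                            Javascript is disabled in your web browser. Please enable it and open this page again.
                            </p>
                        </div>
                    </div>
                </noscript>
                <%-- Standard BMC login: credentials are POSTed to LoginServlet. The enctype is the
                     real form-urlencoded media type (the previous value was not a valid enctype and
                     browsers silently fell back to this one). --%>
                <form id="loginform" METHOD="POST" ACTION="<%=request.getContextPath()%>/servlet/LoginServlet" enctype="application/x-www-form-urlencoded">
                        <div id="dia_envi" class="notification png_bg">
                                <div>
                                
                                </div>
                        </div>
                        <div id="err_notfilled" class="notification error png_bg hidden">
                            <div>
                                <%=MessageTranslation.getLocalizedText(locale, "You must enter a user name.")%>
                            </div>
                        </div>
                        <div id="err_user" class="notification error png_bg hidden">
                                <div>
                                
                                </div>
                        </div>
                        <div id="err_cookies" class="notification attention png_bg hidden">
                            <div>
                                <%=MessageTranslation.getLocalizedText(locale, "Cookies are disabled.\\nPlease configure your browser to accept cookies.")%>
                            </div>
                        </div>
                    
                    <p>
                        <label><%=MessageTranslation.getLocalizedText(locale,"User Name")%></label>
                        <input name="username" id="username" class="text-input required" size="30" maxlength="<%=Params.USERNAME_LENGTH%>" value="<%=com.remedy.arsys.share.HTMLWriter.escape(name)%>" type="text" >
                    </p>
                    <div class="clear"></div>
                    <p>
                        <label><%=MessageTranslation.getLocalizedText(locale,"Password")%></label>
                        <input name="pwd" id="password" class="text-input required" size="30" type="password">
                    </p>
                    <div class="clear"></div>
                                    <input type="hidden" NAME="<%=Params.AUTHENTICATION_STRING%>" id="auth-id" maxlength="<%=Params.AUTHENTICATION_STRING_LENGTH%>" size="30">
                                    <%-- Filled by jstz via jQuery before submit. --%>
                                    <input id="input_timezone" type="hidden" name="<%=Params.TIMEZONE%>" value="">
                                    <input type="hidden" name="<%=Params.SERVER%>" value="<%=com.remedy.arsys.share.HTMLWriter.escape(server)%>" >
                                    <%-- NOTE(review): IP_OVERRIDE is hard-wired to 1 on every login. Judging by the
                                         MULTI_IP_OVERRIDE_MSG session key this presumably overrides the mid-tier's
                                         "connected from another machine" check; confirm that is intended in production. --%>
                                    <input type="hidden" name="<%=Params.IP_OVERRIDE%>" value="1">
                                    <input type="hidden" name="initialState" value="-1">
                                    <%-- requrl already went through StripOffScriptTag/URLParamsEscape and had '"' replaced
                                         with %22 in the scriptlet above; it is not re-escaped here to avoid double-encoding
                                         what URLParamsEscape produced. NOTE(review): confirm URLParamsEscape encodes the
                                         characters that matter inside a double-quoted attribute. --%>
                                    <input id="input_targeturl" type="hidden" name="<%=HttpSessionKeys.TARGET_URL%>" value="<%=requrl%>">
                                    <%-- goto is a raw request parameter reflected into an attribute; it is HTML-escaped like
                                         username/server above, because the query-string filter in the scriptlet only rejects
                                         "//" and "<script>" and would let a closing quote through. --%>
                                    <input type="hidden" name="goto" value="<%=com.remedy.arsys.share.HTMLWriter.escape(nextPage)%>" >
                    <!--
                    <p id="remember-password">
                        <input type="checkbox" name="remember" value="checked" id="remember" />Remember me
                    </p>
                    //-->
                    <div class="clear"></div>
                    
                    <p>
                        <input class="button" type="submit" id="login_button" value="<%=MessageTranslation.getLocalizedText(locale, "Log In")%>" />
                    </p>
                </form>
            </div> <!-- End #login-content -->
            <div id="login-unikey" class="png_bg">
                <a href="#" alt="link">
                    <!-- UniKey-->
                     <img id="logo" src="<%=request.getContextPath()%>/shared/resources/images/key.png" alt="key" />
                </a>
            </div>
            
        </div> <!-- End #login-wrapper -->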
        <div id="sysinfo-left">
              <%
                
                InetAddress inetAddress = InetAddress.getLocalHost();
                out.println("<span>Server: "+inetAddress.getHostName()+" ("+inetAddress.getHostAddress()+")</span>");
              %>
              <br>
              <%
                String cliIpAdd  = request.getHeader("X-FORWARDED-FOR");  
                if(cliIpAdd == null)
                    {  
                    cliIpAdd = request.getRemoteAddr();  
                    }  
                out.println("<span>Client: "+cliIpAdd+"</span><br>");  
              %>
              <span id="user_domain">Domain: </span>
              <br>
              <span id="user_pc">PC: </span>
              <br>
              <span id="speedtest-jquery"></span>
              </div>
              <div id="sysinfo-right">
              <a href="mailto:remedy@app.corp" title="Contact Remedy Team via e-mail.">Remedy Team</a> <br><br>
              <%
              out.println("<span>"+Configuration.getInstance().getClientVersion()+"</span><br>");  
              %>
              </div>
              <div class="clear"></div>
        
  </body>
  </html>

Parameters for login and logout from BMC docs ARS 8.1

The following table shows the URL parameters that apply to login and logout. All parameters and values are case sensitive.



Login and logout parameters

| Parameter | login.jsp      | LoginServlet | logout.jsp     | LogoutServlet  |
|-----------|----------------|--------------|----------------|----------------|
| goto      | Required       | Required     | Not applicable | Optional       |
| server    | Required       | Required     | Not applicable | Not applicable |
| username  | Not applicable | Required     | Not applicable | Not applicable |
| pwd       | Not applicable | Required     | Not applicable | Not applicable |
| auth      | Not applicable | Optional     | Not applicable | Not applicable |

The goto parameter redirects users to an alternate URL after login or logout. Any URL after a goto statement must be URL-encoded. Because the value arrives in the URL and is therefore attacker-controllable in a crafted link, the server must validate it before following it (login.jsp above only redirects after LoginServlet.isInclusiveGotoUrl() accepts the target), otherwise the login page becomes an open redirect.



Use the enc parameter to specify the type of character encoding used in other parameters, such as UTF-8 or Shift_JIS.



When you use login and logout parameters in URLs, use the following guidelines:

  • To have users log on manually, specify login.jsp.
  • To take users to the logout page only, specify logout.jsp or specify LogoutServlet without the goto parameter.
  • To have users go directly to an alternate URL, specify LoginServlet or LogoutServlet and the goto parameter.
  • When creating login and logout URLs, do not include quotation marks in parameter values.