Web FORM-Based Authentication
Pages: 1, 2
Java Security, 2nd Edition
We will go through the simple steps required in setting up the standards-based FORM-based authentication.
- Configure the
web.xmlto use FORM-based authentication
- Build the login form
Step One: Configure the web.xml to use FORM-based authentication
Let's tell the container to use FORM-based authentication in our
First, we specify "FORM" as the auth-method (instead of BASIC, DIGEST, or CLIENT-CERT), and then we tell the system that the Web page
LoginForm.html has the <FORM> which will authenticate a user. If we try to access a page under
/secure we will first have to fill out the form in
LoginForm.html and authenticate. If our authentication fails (we do not log in correctly as the system user), then we will be sent to
Step Two: Build the login form
Now we build out login form. We have to follow a couple of conventions that are defined in the Servlet API specification:
<form>'s action field must be
- We must have form fields
j_passwordthat hold the username and password to authenticate with
LoginForm.html will simply look like:
<form method="POST" action="j_security_check"> Username: <input type="text" name="j_username"><br /> Password: <input type="password" name="j_password"><br /> <br /> <input type="submit" value="Login"> <input type="reset" value="Reset"> </form>
Let's say a browser tries to access something under
/secure in our deployed Web application. The container will do the following:
- Save away the resource that the user was trying to access.
- Send back the
- When the user fills out the username and password and submits it back, the container tries to authenticate the user. If the auth fails the
LoginError.htmlis sent back to the browser.
- If the authenticated user is part of the admin role (e.g. system user), the original resource will be sent back to the user, otherwise the
And that is it! Using FORM-based authentication is easy. You configure the
web.xml to point to the correct login form and error page, and then make sure that the form follows the conventions of using
Lastly, we can declaratively control the level of security in the transport mechanism using the following tag in
<description>SSL not required</description>
There are three possible values for the
No encryption is required (http is fine)
The data must be encrypted, so that other parties can not observe the contents (e.g. enforce SSL)
The data must be transported so that the data cannot be changed in transit. Most servers use SSL for this value too, although in theory you could use some hashing algorithm, as encryption is not required
We have shown that you can configure many security options for your Web-based applications, adding support for a standard way to do FORM-based authentication that the Web container takes care of for you. Please download the sample Web application and test it out by trying to access
/logintest/secure/ (assuming that you deploy the Web application as "
Return to ONJava.com.