Web FORM-Based Authentication
Pages: 1, 2
FORM-based Authentication
 |
|
||||
|
|
Related Reading: Java Security, 2nd Edition |
|
|
|
|
|||||
| |||||
We will go through the simple steps required in setting up the standards-based FORM-based authentication.
- Configure the
web.xmlto use FORM-based authentication - Build the login form
Step One: Configure the web.xml to use FORM-based authentication
Let's tell the container to use FORM-based authentication in our web.xml file.
<login-config>
<auth-method>FORM</auth-method>
<form-login-config>
<form-login-page>/LoginForm.html</form-login-page>
<form-error-page>/LoginError.html</form-error-page>
</form-login-config>
</login-config>
First, we specify "FORM" as the auth-method (instead of BASIC, DIGEST, or CLIENT-CERT), and then we tell the system that the Web page LoginForm.html has the <FORM> which will authenticate a user. If we try to access a page under /secure we will first have to fill out the form in LoginForm.html and authenticate. If our authentication fails (we do not log in correctly as the system user), then we will be sent to LoginError.html.
Step Two: Build the login form
Now we build out login form. We have to follow a couple of conventions that are defined in the Servlet API specification:
- Our
<form>'s action field must bej_security_check - We must have form fields
j_username, andj_passwordthat hold the username and password to authenticate with
So, our LoginForm.html will simply look like:
<form method="POST" action="j_security_check">
Username: <input type="text" name="j_username"><br />
Password: <input type="password" name="j_password"><br />
<br />
<input type="submit" value="Login">
<input type="reset" value="Reset">
</form>Let's say a browser tries to access something under /secure in our deployed Web application. The container will do the following:
- Save away the resource that the user was trying to access.
- Send back the
LoginForm.html. - When the user fills out the username and password and submits it back, the container tries to authenticate the user. If the auth fails the
LoginError.htmlis sent back to the browser. - If the authenticated user is part of the admin role (e.g. system user), the original resource will be sent back to the user, otherwise the
LoginError.htmlwill.
And that is it! Using FORM-based authentication is easy. You configure the web.xml to point to the correct login form and error page, and then make sure that the form follows the conventions of using j_security_check, j_username, and j_password.
Enforcing SSL
Lastly, we can declaratively control the level of security in the transport mechanism using the following tag in web.xml:
<user-data-constraint>
<description>SSL not required</description>
<transport-guarantee>NONE</transport-guarantee>
</user-data-constraint>
There are three possible values for the <transport-guarantee>:
| Transport | Description |
NONE |
No encryption is required (http is fine) |
CONFIDENTIAL |
The data must be encrypted, so that other parties can not observe the contents (e.g. enforce SSL) |
INTEGRAL |
The data must be transported so that the data cannot be changed in transit. Most servers use SSL for this value too, although in theory you could use some hashing algorithm, as encryption is not required |
Conclusion
We have shown that you can configure many security options for your Web-based applications, adding support for a standard way to do FORM-based authentication that the Web container takes care of for you. Please download the sample Web application and test it out by trying to access /logintest/secure/ (assuming that you deploy the Web application as "logintest").
Dion Almaer is a Principal Technologist for The Middleware Company, and Chief Architect of TheServerSide.Com J2EE Community.
Return to ONJava.com.
