Form-Based Authentication

Form-based authentication allows you to control the look and feel of the login page. Form-based authentication works like basic authentication, except that you specify a login page that is displayed instead of a dialog and an error page that's displayed if login fails.

Like basic authentication, form-based authentication is not secure because passwords are transmitted as clear text. Unlike basic and digest authentication, form-based authentication is defined in the servlet specification, not the HTTP specification.

Form-based login allows customization of the login page, but not the authentication process itself. If you're interested in customizing the authentication of usernames and passwords, see "Customizing Authentication".

Form-based authentication requires the following steps:

  1. Implement a login page.

  2. Implement an error page that will be displayed if login fails.

  3. In the deployment descriptor, specify form-based authentication and the login and error pages from step #2.

Figure 9-3 shows an application that illustrates form-based authentication.

Figure 9-3. Form-Based Authentication with Tomcat

The top pictures in Figure 9-3 show a failed login, and the bottom pictures show subsequent success. Notice that the login form is displayed in the browser, not in a dialog, as is the case for basic and digest authentication.

The login form used in Figure 9-3 is listed in Example 9-2.a.

Example 9-2.a /login.jsp

 <html><head><title>Login Page</title></head>
 <body>
 <font size='5' color='blue'>Please Login</font><hr>
 <form action='j_security_check' method='post'>
  <table>
   <tr><td>Username:</td><td><input type='text' name='j_username'></td></tr>
   <tr><td>Password:</td><td><input type='password' name='j_password' size='8'></td></tr>
  </table>
  <input type='submit' value='login'>
 </form>
 </body></html>

The login page listed in Example 9-2.a is unremarkable except for the names of the username and password fields and the form's action. Those names, j_username, j_password, and j_security_check, respectively, are defined in the Servlet Specification and must be used for form-based login. Table 9-3 summarizes them.

Table 9-3 Login Form Attributes for Form-Based Login

  Attribute          Description
  j_username         The name of the username field
  j_password         The name of the password field
  j_security_check   The login form's action

The error page for the application shown in Figure 9-3 is listed in Example 9-2.b.

Example 9-2.b /error.jsp

 <html><head><title>Error!</title></head>
 <body>
 <font size='4' color='red'>
  The username and password you supplied are not valid.
 </font>
 Click <a href='<%= response.encodeURL("login.jsp") %>'>here</a>
 to retry login.
 </body></html>

The error page displays an error message and provides a link back to the login page. The deployment descriptor for the application shown in Figure 9-3 is listed in Example 9-2.c.

Example 9-2.c /WEB-INF/web.xml

 <?xml version="1.0" encoding="ISO-8859-1"?>
 <!DOCTYPE web-app
  PUBLIC "-//Sun Microsystems, Inc.//DTD Web Application 2.2//EN"
  "http://java.sun.com/j2ee/dtds/web-app_2_2.dtd">
 <web-app>
  <security-constraint>
   <web-resource-collection>
    <web-resource-name>A Protected Page</web-resource-name>

The deployment descriptor listed in Example 9-2.c specifies a security constraint that restricts access to /protected-page.jsp to principals in the role of tomcat. The authentication method is specified as FORM, and the login and error pages are identified.
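As an added example (not code from the book), the following Python script checks a descriptor for the clear-text weakness noted at the start of this section: it summarizes the login-config, lists every protected url-pattern whose security-constraint does not require HTTPS, and produces a copy that adds the transport guarantee. The embedded web.xml is constructed to match the description of Example 9-2.c; the user-data-constraint and transport-guarantee elements are defined by the Servlet 2.2 DTD but do not appear in the book's listing.

```python
import xml.etree.ElementTree as ET

# Constructed sample matching the descriptor described in the text: FORM
# login, /login.jsp and /error.jsp, and /protected-page.jsp limited to the
# "tomcat" role. Nothing requires HTTPS, so j_password travels in clear text.
WEB_XML = """<web-app>
  <security-constraint>
    <web-resource-collection>
      <web-resource-name>A Protected Page</web-resource-name>
      <url-pattern>/protected-page.jsp</url-pattern>
    </web-resource-collection>
    <auth-constraint>
      <role-name>tomcat</role-name>
    </auth-constraint>
  </security-constraint>
  <login-config>
    <auth-method>FORM</auth-method>
    <form-login-config>
      <form-login-page>/login.jsp</form-login-page>
      <form-error-page>/error.jsp</form-error-page>
    </form-login-config>
  </login-config>
</web-app>"""


def audit_form_login(web_xml):
    """Summarize the login-config and list the url-patterns of every
    security-constraint that lacks a CONFIDENTIAL transport guarantee."""
    root = ET.fromstring(web_xml)
    cleartext = []
    for sc in root.findall("security-constraint"):
        guarantee = sc.findtext("user-data-constraint/transport-guarantee")
        if (guarantee or "NONE").strip() != "CONFIDENTIAL":
            cleartext += [p.text.strip() for p in sc.iter("url-pattern")]
    return {
        "auth_method": (root.findtext("login-config/auth-method") or "").strip(),
        "login_page": root.findtext("login-config/form-login-config/form-login-page"),
        "error_page": root.findtext("login-config/form-login-config/form-error-page"),
        "cleartext_patterns": cleartext,
    }

def require_https(web_xml):
    """Copy of the descriptor with a CONFIDENTIAL user-data-constraint added to
    each constraint lacking one; the 2.2 DTD places it last, so append it."""
    root = ET.fromstring(web_xml)
    for sc in root.findall("security-constraint"):
        if sc.find("user-data-constraint") is None:
            udc = ET.SubElement(sc, "user-data-constraint")
            ET.SubElement(udc, "transport-guarantee").text = "CONFIDENTIAL"
    return ET.tostring(root, encoding="unicode")
```

Run audit_form_login(WEB_XML) to see /protected-page.jsp reported as reachable over clear text, and audit_form_login(require_https(WEB_XML)) to confirm the hardened copy reports nothing.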
