This chapter is from the book

Form-Based Authentication

Form-based authentication allows you to control the look and feel of the login page. Form-based authentication works like basic authentication, except that you specify a login page that is displayed instead of a dialog and an error page that's displayed if login fails.

Like basic authentication, form-based authentication is not secure because passwords are transmitted as clear text. Unlike basic and digest authentication, form-based authentication is defined in the servlet specification, not the HTTP specification.

Form-based login allows customization of the login page, but not the authentication process itself. If you're interested in customizing the authentication of usernames and passwords, see "Customizing Authentication".

Form-based authentication requires the following steps:

  1. Implement a login page.

  2. Implement an error page that will be displayed if login fails.

  3. In the deployment descriptor, specify form-based authentication and the login and error pages from the previous two steps.

Figure 9-3 shows an application that illustrates form-based authentication.

Figure 9-3. Form-Based Authentication with Tomcat

The top pictures in Figure 9-3 show a failed login, and the bottom pictures show subsequent success. Notice that the login form is displayed in the browser, not in a dialog, as is the case for basic and digest authentication.

The login form used in Figure 9-3 is listed in Example 9-2.a.

Example 9-2.a /login.jsp

 <html><head><title>Login Page</title></head>
 <body>
 <font size='5' color='blue'>Please Login</font><hr>
 
 <form action='j_security_check' method='post'>
 <table>
  <tr><td>Name:</td>
    <td><input type='text' name='j_username'></td></tr>
  <tr><td>Password:</td>
    <td><input type='password' name='j_password' size='8'></td>
  </tr>
 </table>
 <br>
  <input type='submit' value='login'>
 </form></body>
 </html>

The login page listed in Example 9-2.a is unremarkable except for the names of the username and password fields and the form's action. Those names, j_username, j_password, and j_security_check, respectively, are defined in the Servlet Specification and must be used for form-based login. Table 9-3 summarizes those names.

Table 9-3 Login Form Attributes for Form-Based Login

  Attribute           Description
  j_username          The name of the username field
  j_password          The name of the password field
  j_security_check    The login form's action


The error page for the application shown in Figure 9-3 is listed in Example 9-2.b.

Example 9-2.b /error.jsp

 <html><head><title>Error!</title></head>
 <body>
 
 <font size='4' color='red'>
  The username and password you supplied are not valid.
 </font>
 <p>
 Click <a href='<%= response.encodeURL("login.jsp") %>'>here</a>
 to retry login.
 </p>
 
 </body>
 </html>

The error page displays an error message and provides a link back to the login page. The deployment descriptor for the application shown in Figure 9-3 is listed in Example 9-2.c.

Example 9-2.c /WEB-INF/web.xml

 <?xml version="1.0" encoding="ISO-8859-1"?>
 
 <!DOCTYPE web-app
  PUBLIC "-//Sun Microsystems, Inc.//DTD Web Application 2.2//EN"
  "http://java.sun.com/j2ee/dtds/web-app_2.2.dtd">
 
 <web-app>
  <security-constraint>
    <web-resource-collection>
     <web-resource-name>A Protected Page</web-resource-name>
     <url-pattern>/protected-page.jsp</url-pattern>
    </web-resource-collection>
 
    <auth-constraint>
     <role-name>tomcat</role-name>
    </auth-constraint>
  </security-constraint>
 
  <login-config>
    <auth-method>FORM</auth-method>
    <form-login-config>
     <form-login-page>/login.jsp</form-login-page>
     <form-error-page>/error.jsp</form-error-page>
    </form-login-config>
  </login-config>
 </web-app>

The deployment descriptor listed in Example 9-2.c specifies a security constraint that restricts access to /protected-page.jsp to principals in the role of tomcat. The authentication method is specified as FORM, and the login and error pages are identified.
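Because the form posts the password in clear text, the descriptor is normally paired with a transport guarantee so that the login form, the POST to j_security_check, and the protected page are only served over HTTPS. The following deployment descriptor is an added example, not the book's Example 9-2.c; it keeps the same pages and role and adds user-data-constraint elements (part of the same Servlet 2.2 DTD) and a security-role declaration. It assumes the container has an HTTPS connector configured, which is outside web.xml.

```xml
<?xml version="1.0" encoding="ISO-8859-1"?>

<!DOCTYPE web-app
  PUBLIC "-//Sun Microsystems, Inc.//DTD Web Application 2.2//EN"
  "http://java.sun.com/j2ee/dtds/web-app_2.2.dtd">

<web-app>
  <!-- Protect the page that requires a login (same as Example 9-2.c). -->
  <security-constraint>
    <web-resource-collection>
      <web-resource-name>A Protected Page</web-resource-name>
      <url-pattern>/protected-page.jsp</url-pattern>
    </web-resource-collection>

    <auth-constraint>
      <role-name>tomcat</role-name>
    </auth-constraint>

    <!-- Added: require an encrypted connection for the protected page.
         The container checks the transport guarantee before it
         authenticates, so a plain-HTTP request is redirected to HTTPS
         before the login form is shown, and the relative form action
         j_security_check then posts over the same HTTPS connection.
         Assumes an HTTPS connector is configured on the container. -->
    <user-data-constraint>
      <transport-guarantee>CONFIDENTIAL</transport-guarantee>
    </user-data-constraint>
  </security-constraint>

  <!-- Added: the login and error pages must stay reachable without a
       role (no auth-constraint here), but they should also only be
       served over HTTPS so the form itself cannot be tampered with
       in transit. -->
  <security-constraint>
    <web-resource-collection>
      <web-resource-name>Login Pages</web-resource-name>
      <url-pattern>/login.jsp</url-pattern>
      <url-pattern>/error.jsp</url-pattern>
    </web-resource-collection>
    <user-data-constraint>
      <transport-guarantee>CONFIDENTIAL</transport-guarantee>
    </user-data-constraint>
  </security-constraint>

  <login-config>
    <auth-method>FORM</auth-method>
    <form-login-config>
      <form-login-page>/login.jsp</form-login-page>
      <form-error-page>/error.jsp</form-error-page>
    </form-login-config>
  </login-config>

  <!-- Added: declare the role referenced by the auth-constraint. -->
  <security-role>
    <role-name>tomcat</role-name>
  </security-role>
</web-app>
```

A quick check after deploying: request /protected-page.jsp over plain HTTP and confirm the response is a redirect to the https scheme rather than the login form; if the login form is served over HTTP, the transport guarantee is not being applied and the password will still cross the wire in clear text.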
