Home > Articles > Programming > Java

  • Print
  • + Share This
This chapter is from the book

This chapter is from the book

Form-Based Authentication

Form-based authentication allows you to control the look and feel of the login page. Form-based authentication works like basic authentication, except that you specify a login page that is displayed instead of a dialog and an error page that's displayed if login fails.

Like basic authentication, form-based authentication is not secure because passwords are transmitted as clear text. Unlike basic and digest authentication, form-based authentication is defined in the servlet specification, not the HTTP specification.

Form-based login allows customization of the login page, but not the authentication process itself. If you're interested in customizing the authentication of usernames and passwords, see "Customizing Authentication" on page 263.

Form-based authentication requires the following steps:

  1. Implement a login page.

  2. Implement an error page that will be displayed if login fails.

  3. In the deployment descriptor, specify form-based authentication and the login and error pages from step #2.

Figure 9-3 shows an application that illustrates form-based authentication.

Figure 9-3 Form-Based Authentication with Tomcat

The top pictures in Figure 9-3 show a failed login, and the bottom pictures show subsequent success. Notice that the login form is displayed in the browser, not in a dialog, as is the case for basic and digest authentication.

The login form used in Figure 9-3 is listed in Example 9-2.a.

Example 9-2.a /login.jsp

<html><head><title>Login Page</title></head>
<font size='5' color='blue'>Please Login</font><hr>

<form action='j_security_check' method='post'>
   <td><input type='text' name='j_username'></td></tr>
   <td><input type='password' name='j_password' size='8'></td>
  <input type='submit' value='login'> 

The login page listed in Example 9-2.a is unremarkable except for the names of the name and password fields and the form's action. Those names, j_username, j_password, and j_security_check, respectively—which are defined in the Servlet Specification—must be used for form-based login. Table 9-3 summarizes those names.

Table 9-3 Login Form Attributes for Form-Based Login




The name of the username field


The name of the password field


The login form's action

The error page for the application shown in Figure 9-3 is listed in Example 9-2.b.

Example 9-2.b /error.jsp

<html> <head> <title>Error!</title></head>

<font size='4' color='red'>
  The username and password you supplied are not valid.
Click <a href='<%= response.encodeURL("login.jsp") %>'>here</a> 
to retry login


The error page displays an error message and provides a link back to the login page. The deployment descriptor for the application shown in Figure 9-3 is listed in Example 9-2.c.

Example 9-2.c /WEB-INF/web.xml

<?xml version="1.0" encoding="ISO-8859-1"?>

<!DOCTYPE web-app
 PUBLIC "-//Sun Microsystems, Inc.//DTD Web Application 2.2//EN"

     <web-resource-name>A Protected Page</web-resource-name>



The deployment descriptor listed in Example 9-2.c specifies a security constraint that restricts access to /protected-page.jsp to principals in the role of tomcat. The authentication method is specified as FORM, and the login and error pages are identified.

  • + Share This
  • 🔖 Save To Your Account