You can create a form login page and an error page to authenticate a user.
The Hypertext Transfer Protocol (HTTP) basic authentication transmits a user password from the Web client to the Web server in simple base64 encoding. Form-based authentication transmits a user password from the browser to the Web server in plain text. Therefore, both HTTP basic authentication and form-based authentication are not very secure unless the HTTPS protocol is used.
The Web application deployment descriptor contains information about which authentication mechanism to use. When form-based authentication is used, the deployment descriptor also contains entries for login and error pages. A login page can be either an HTML page or a JavaServer Pages (JSP) file. This login page displays on the Web client side when a secured resource (servlet, JSP file, HTML page) is accessed from the application. On authentication failure, an error page displays. You can write login and error pages to suit the application needs and control the look and feel of these pages. During assembly of the application, an assembler can set the authentication mechanism for the application and set the login and error pages in the deployment descriptor.
See the Example: Form login article for sample form login pages.
<form method="POST" action="j_security_check">
  <input type="text" name="j_username">
  <input type="password" name="j_password">
</form>
Use the j_username input field to get the user name, and use the j_password input field to get the user password.
On receiving a request from a Web client, the Web server sends the configured form page to the client and preserves the original request. When the Web server receives the completed form page from the Web client, the server extracts the user name and password from the form and authenticates the user. On successful authentication, the Web server redirects the call to the original request. If authentication fails, the Web server redirects the call to the configured error page.
<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.0 Transitional//EN">
<html>
<head>
  <META HTTP-EQUIV="Pragma" CONTENT="no-cache">
  <title>Security FVT Login Page</title>
</head>
<body>
  <h2>Form Login</h2>
  <FORM METHOD=POST ACTION="j_security_check">
    <p>
      <font size="2"><strong>Enter user ID and password:</strong></font>
      <BR>
      <strong>User ID</strong> <input type="text" size="20" name="j_username">
      <strong>Password</strong> <input type="password" size="20" name="j_password">
      <BR>
      <BR>
      <font size="2"><strong>And then click this button:</strong></font>
      <input type="submit" name="login" value="Login">
    </p>
  </form>
</body>
</html>
<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.0 Transitional//EN">
<html>
<head><title>A Form login authentication failure occurred</title></head>
<body>
  <H1><B>A Form login authentication failure occurred</B></H1>
  <P>Authentication may fail for one of many reasons. Some possibilities include:</P>
  <OL>
    <LI>The user-id or password may be entered incorrectly; either misspelled or the wrong case was used.</LI>
    <LI>The user-id or password does not exist, has expired, or has been disabled.</LI>
  </OL>
</body>
</html>
<login-config id="LoginConfig_1">
  <auth-method>FORM</auth-method>
  <realm-name>Example Form-Based Authentication Area</realm-name>
  <form-login-config id="FormLoginConfig_1">
    <form-login-page>/login.html</form-login-page>
    <form-error-page>/error.jsp</form-error-page>
  </form-login-config>
</login-config>
META-INF
META-INF/MANIFEST.MF
login.html
error.jsp
WEB-INF/
WEB-INF/classes/
WEB-INF/classes/aServlet.class
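The following check is an added example, not part of the original documentation: it parses a deployment descriptor and reports whether a FORM login configuration names both pages and whether each protected constraint demands HTTPS through a CONFIDENTIAL transport guarantee, which is what keeps the password off the wire in plain text. The `/secure/*` pattern, the `user` role, and the function names are assumptions made for illustration.

```python
import xml.etree.ElementTree as ET

def _named(node, name):
    """All descendants with this local tag name (ignores any XML namespace)."""
    return [e for e in node.iter() if e.tag.rsplit("}", 1)[-1] == name]

def _text(node, name):
    hits = _named(node, name)
    return (hits[0].text or "").strip() if hits else ""

def audit_login_config(web_xml):
    """Return a list of findings for a web.xml that uses FORM or BASIC auth."""
    root = ET.fromstring(web_xml)
    findings = []
    method = _text(root, "auth-method")
    if method not in ("FORM", "BASIC"):
        return findings  # other mechanisms are out of scope for this check
    if method == "FORM":
        for page in ("form-login-page", "form-error-page"):
            if not _text(root, page).startswith("/"):
                findings.append(f"{page} missing or not a context-relative path")
    protected = [c for c in _named(root, "security-constraint")
                 if _named(c, "auth-constraint")]
    if not protected:
        findings.append("no protected security-constraint: nothing triggers login")
    for c in protected:
        if _text(c, "transport-guarantee") != "CONFIDENTIAL":
            pattern = _text(c, "url-pattern") or "?"
            findings.append(f"{pattern}: password sent without HTTPS requirement")
    return findings

# Constructed sample descriptors: the page's login-config plus an assumed constraint.
LOGIN = """<login-config><auth-method>FORM</auth-method>
  <form-login-config><form-login-page>/login.html</form-login-page>
  <form-error-page>/error.jsp</form-error-page></form-login-config></login-config>"""
CONSTRAINT = """<security-constraint>
  <web-resource-collection><web-resource-name>secure</web-resource-name>
    <url-pattern>/secure/*</url-pattern></web-resource-collection>
  <auth-constraint><role-name>user</role-name></auth-constraint>{tg}
</security-constraint>"""
TG = ("<user-data-constraint><transport-guarantee>CONFIDENTIAL"
      "</transport-guarantee></user-data-constraint>")
WEAK = f"<web-app>{CONSTRAINT.format(tg='')}{LOGIN}</web-app>"
HARDENED = f"<web-app>{CONSTRAINT.format(tg=TG)}{LOGIN}</web-app>"

if __name__ == "__main__":
    for name, doc in (("weak", WEAK), ("hardened", HARDENED)):
        print(name, audit_login_config(doc) or "ok")
```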