You can create a form login page and an error page to authenticate
a user.
Before you begin
A Web client or a browser can authenticate a user to a Web server
using one of the following mechanisms:
- HTTP basic authentication: A Web server requests the Web client
to authenticate and the Web client passes a user ID and a password in the
HTTP header.
- HTTPS client authentication: This mechanism requires a user (Web
client) to possess a public key certificate. The Web client sends the certificate
to a Web server that requests the client certificates. This authentication
mechanism is strong and uses the Hypertext Transfer Protocol with Secure Sockets
Layer (HTTPS) protocol.
- Form-based Authentication: A developer controls the look and feel
of the login screens using this authentication mechanism.
The Hypertext Transfer Protocol (HTTP) basic authentication transmits
a user password from the Web client to the Web server in simple base64 encoding.
Form-based authentication transmits a user password from the browser to the
Web server in plain text. Therefore, both HTTP basic authentication and form-based
authentication are not very secure unless the HTTPS protocol is used.
The
Web application deployment descriptor contains information about which authentication
mechanism to use. When form-based authentication is used, the deployment descriptor
also contains entries for login and error pages. A login page can be either
an HTML page or a JavaServer Pages (JSP) file. This login page displays on
the Web client side when a secured resource (servlet, JSP file, HTML page)
is accessed from the application. On authentication failure, an error page
displays. You can write login and error pages to suit the application needs
and control the look and feel of these pages. During assembly of the application,
an assembler can set the authentication mechanism for the application and
set the login and error pages in the deployment descriptor.
Form login
uses the servlet sendRedirect method, which has several implications for the
user. The sendRedirect method is used twice during form login:
- The sendRedirect method initially displays the form login page in the
Web browser. It later redirects the Web browser back to the originally requested
protected page. The sendRedirect(String URL) method tells the Web browser
to use the HTTP GET request to get the page that is specified in the Web address.
If HTTP POST is the first request to a protected servlet or JavaServer Pages
(JSP) file, and no previous authentication or login occurred, then HTTP POST
is not delivered to the requested page. However, HTTP GET is delivered because
form login uses the sendRedirect method, which behaves as an HTTP GET request
that tries to display a requested page after a login occurs.
- Using HTTP POST, you might experience a scenario where an unprotected
HTML form collects data from users and then posts this data to protected servlets
or JSP files for processing, but the users are not logged in for the resource.
To avoid this scenario, structure your Web application or permissions so that
users are forced to use a form login page before the application performs
any HTTP POST actions to protected servlets or JSP files.
Example
See the Example: Form login
article for sample form login pages.
The WebSphere
Application Server Samples Gallery provides a form login Sample that demonstrates
how to use the WebSphere Application Server login facilities to implement
and configure form login procedures. The Sample integrates the following technologies
to demonstrate the WebSphere Application Server and Java 2 Platform, Enterprise
Edition (J2EE) login functionality:
- J2EE form-based login
- J2EE servlet filter with login
- IBM extension: form-based login
The form login sample is part of the Technology Samples package. For
more information on how to access the form login sample, see
Accessing the Samples (Samples Gallery)
.