Use this topic to migrate an application to form-based login and servlet filters without the use of the CustomLoginServlet class.
Before you begin
The CustomLoginServlet class is deprecated in WebSphere® Application Server Version 5. Applications that use the CustomLoginServlet class to perform authentication now need to use form-based login. Using the form-based login mechanism, you can control the look and feel of the login screen. In form-based login, you specify a login page that is displayed to retrieve the user ID and password information. You can also specify an error page that is displayed when authentication fails.
If login and error pages are not enough to implement the functions of the CustomLoginServlet class, use servlet filters. Servlet filters can dynamically intercept requests and responses to transform or use the information that is contained in the requests or responses. One or more servlet filters attach to a servlet or a group of servlets. Servlet filters can also attach to JavaServer Pages (JSP) files and HTML pages. All the attached servlet filters are called before the servlet is invoked.
Both form-based login and servlet filters are supported by any Servlet 2.3 specification-compliant web container. A form login servlet performs the authentication, and servlet filters can perform additional authentication, auditing, or logging tasks.
To perform pre-login and post-login actions using servlet filters, configure these servlet filters for either the form login page or the /j_security_check URL. The form login page posts to j_security_check with the j_username parameter, which contains the user name, and the j_password parameter, which contains the password. A servlet filter can use the user name and password information to perform more authentication or meet other special needs.
Procedure
- Develop a form login page and error page for the application.
  Refer to Customizing web application login for details.
- Configure the form login page and the error page for the application.
  Refer to the information about securing web applications using an assembly tool.
- Develop servlet filters if additional processing is required before and after form login authentication.
  Refer to Developing servlet filters for form login processing for details.
- Configure the servlet filters that are developed in the previous step for either the form login page URL or for the /j_security_check URL. Use an assembly tool or development tools like Rational® Application Developer to configure filters.
  After you configure the servlet filters, the web.xml file contains two stanzas. The first stanza contains the servlet filter configuration, the servlet filter, and its implementation class. The second stanza contains the filter mapping section and a mapping of the servlet filter to the URL.
  For more information, see Configuring servlet filters for form login processing.
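The two stanzas described in the last step, together with the form login configuration from the second step, shown as an added example that is not part of the original documentation. The filter name and class (LoginAuditFilter, com.example.security.LoginAuditFilter), the page paths, the protected URL pattern, and the role name are hypothetical.

```xml
<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE web-app PUBLIC "-//Sun Microsystems, Inc.//DTD Web Application 2.3//EN"
    "http://java.sun.com/dtd/web-app_2_3.dtd">
<web-app>
  <!-- Stanza 1: the servlet filter and its implementation class
       (hypothetical names). The filter sees j_username and j_password as
       request parameters; it should never write j_password to a log. -->
  <filter>
    <filter-name>LoginAuditFilter</filter-name>
    <filter-class>com.example.security.LoginAuditFilter</filter-class>
  </filter>

  <!-- Stanza 2: map the filter to the URL that the form login page posts to.
       Code before and after chain.doFilter() in the filter then runs
       before and after form login authentication. -->
  <filter-mapping>
    <filter-name>LoginAuditFilter</filter-name>
    <url-pattern>/j_security_check</url-pattern>
  </filter-mapping>

  <!-- Protected resources (hypothetical URL pattern and role). -->
  <security-constraint>
    <web-resource-collection>
      <web-resource-name>Protected area</web-resource-name>
      <url-pattern>/secure/*</url-pattern>
    </web-resource-collection>
    <auth-constraint>
      <role-name>AppUser</role-name>
    </auth-constraint>
  </security-constraint>

  <!-- Form-based login in place of CustomLoginServlet:
       the login page and the error page (hypothetical paths). -->
  <login-config>
    <auth-method>FORM</auth-method>
    <form-login-config>
      <form-login-page>/login.jsp</form-login-page>
      <form-error-page>/loginError.jsp</form-error-page>
    </form-login-config>
  </login-config>

  <security-role>
    <role-name>AppUser</role-name>
  </security-role>
</web-app>
```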
Results
This migration results in an application that uses form-based login and servlet filters without the use of the CustomLoginServlet class.
What to do next
The new application uses form-based login and servlet filters to replace the CustomLoginServlet class. Servlet filters are also used to perform additional authentication, auditing, and logging.