Using Login Authentication
The `<login-config>` element in the application deployment descriptor specifies how the user is prompted to log in. If this element is present and contains a value other than `NONE`, the user must be authenticated before they can access any resource that is constrained by a `<security-constraint>`.

When you try to access a protected Web resource, the Web container activates the authentication mechanism that has been configured for that resource in the deployment descriptor (`web.xml`), in the `<auth-method>` element inside `<login-config>`. The following choices are valid options for the authentication methods for a Web resource.
None

If you do not specify one of the following methods, the user will not be authenticated.

HTTP Basic authentication

If you specify HTTP basic authentication (`<auth-method>BASIC</auth-method>`), the Web server will authenticate a user by using the user name and password obtained from the Web client. HTTP basic authentication is not particularly secure: it sends user names and passwords over the Internet as Base64-encoded text, which is encoded but not encrypted, so it can expose your user names and passwords unless all connections are over SSL. If someone can intercept the transmission, the user name and password can easily be decoded. An example application that uses HTTP Basic Authentication in a JAX-RPC service is described in Basic Authentication with JAX-RPC.

Form-based authentication

If you specify form-based authentication (`<auth-method>FORM</auth-method>`), you can customize the login screen and error pages that are presented to the end user by an HTTP browser. Neither form-based authentication nor HTTP basic authentication is particularly secure. In form-based authentication, the content of the user dialog is sent as plain text, and the target server is not authenticated; in basic authentication, as noted above, the credentials are Base64-encoded but not encrypted. In both cases, anyone who can intercept the transmission can recover the user name and password unless all connections are over SSL. Form-based authentication is discussed further in the section Configuring Login Authentication.

Client-certificate authentication

Client-certificate authentication (`<auth-method>CLIENT-CERT</auth-method>`) is a more secure method of authentication than either basic or form-based authentication. It uses HTTP over SSL, in which the server and, optionally, the client authenticate one another with public key certificates. Secure Sockets Layer (SSL) provides data encryption, server authentication, message integrity, and optional client authentication for a TCP/IP connection. You can think of a public key certificate as the digital equivalent of a passport: it is issued by a trusted organization, called a certificate authority (CA), and provides identification for the bearer. If you specify client-certificate authentication, the Web server authenticates the client using the client's X.509 certificate, a public key certificate that conforms to the standard defined by the X.509 Public Key Infrastructure (PKI). Before running an application that uses SSL, you must configure SSL support on the server (see Installing and Configuring SSL Support) and set up the public key certificate (see Setting Up Digital Certificates). An example application that uses `CLIENT-CERT` authentication is discussed in Client-Certificate Authentication over HTTP/SSL with JAX-RPC.

Configuring Login Authentication
When you configure the authentication mechanism that the Web resources in a WAR will use, you have the following options:

- Specify one of the user authentication methods described in Using Login Authentication.
- Specify a security realm. Basic, form-based, and digest authentication have realm parameters. If omitted, the `default` realm is assumed.
- If the authentication method is specified as `FORM`, specify a form login page and form error page.

Using Form-Based Authentication
The following sample code shows a section of a deployment descriptor that uses form-based login authentication. The `<form-login-page>` element provides the URI of a Web resource, relative to the document root, that will be used to authenticate the user. The login page can be an HTML page, a JSP page, or a servlet, and must return an HTML page containing a form that conforms to specific naming conventions (see the Servlet 2.4 specification for more information on these requirements). The `<form-error-page>` element requires the URI of a Web resource, relative to the document root, that sends a response when authentication has failed. For example:

```xml
<!-- LOGIN AUTHENTICATION -->
<login-config>
  <auth-method>FORM</auth-method>
  <realm-name>default</realm-name>
  <form-login-config>
    <form-login-page>login.jsp</form-login-page>
    <form-error-page>error.jsp</form-error-page>
  </form-login-config>
</login-config>
```

The content of the login form in an HTML page, JSP page, or servlet for a login page should be as follows:

```html
<!-- The action URI and the two field names are fixed by the Servlet specification -->
<form method="POST" action="j_security_check">
  <input type="text" name="j_username">
  <input type="password" name="j_password">
  <input type="submit" value="Log in">
</form>
```

See the Servlet 2.4 specification for additional information.
Using Authentication with SSL
Passwords are not protected for confidentiality with HTTP basic or form-based authentication, meaning that passwords sent between a client and a server on a non-protected session can be viewed and intercepted by third parties. To overcome this limitation, you can run these authentication protocols over an SSL-protected session and ensure that all message content is protected for confidentiality. To configure HTTP basic or form-based authentication over SSL, specify `CONFIDENTIAL` or `INTEGRAL` within the `<transport-guarantee>` element of the resource's `<security-constraint>`. Read the section Specifying a Secure Connection for more information.
All of the material in The Java(TM) Web Services Tutorial is copyright-protected and may not be published in other works without express written permission from Sun Microsystems.