
Using Login Authentication

The <login-config> element in the application deployment descriptor specifies how the user is prompted to log in. If this element is present and contains a value other than NONE, the user must be authenticated before they can access any resource that is constrained by a <security-constraint>.

When you try to access a protected Web resource, the Web container activates the authentication mechanism that has been configured for that resource in the deployment descriptor (web.xml), that is, the <auth-method> element nested inside <login-config>, like this:

<login-config>
  <auth-method>BASIC</auth-method>
</login-config> 

The following choices are valid options for the authentication methods for a Web resource.

Configuring Login Authentication

When you configure the authentication mechanism that the Web resources in a WAR will use, you have the following options:

Using Form-Based Authentication

The following sample code shows a section of a deployment descriptor that uses form-based login authentication. The <form-login-page> element provides the URI, relative to the document root, of the Web resource that will be used to authenticate the user. The login page can be an HTML page, a JSP page, or a servlet, and must return an HTML page containing a form that conforms to specific naming conventions (see the Servlet 2.4 specification for more information on these requirements). The <form-error-page> element requires the URI, relative to the document root, of the Web resource that sends the response when authentication has failed. For example,

<!-- LOGIN AUTHENTICATION -->
  <login-config>
    <auth-method>FORM</auth-method>
    <realm-name>default</realm-name>
    <form-login-config>
      <form-login-page>login.jsp</form-login-page>
      <form-error-page>error.jsp</form-error-page>
    </form-login-config>
  </login-config> 

The content of the login form in an HTML page, JSP page, or servlet for a login page should be as follows:

<form method="POST" action="j_security_check">
  <input type="text" name="j_username">
  <input type="password" name="j_password">
  <!-- A submit control is needed so the user can post the form -->
  <input type="submit" value="Log In">
</form>

See the Servlet 2.4 specification for additional information.

Using Authentication with SSL

Passwords are not protected for confidentiality with HTTP basic or form-based authentication, meaning that passwords sent between a client and a server on a non-protected session can be viewed and intercepted by third parties. To overcome this limitation, you can run these authentication protocols over an SSL-protected session and ensure that all message content is protected for confidentiality. To configure HTTP basic or form-based authentication over SSL, specify CONFIDENTIAL or INTEGRAL within the <transport-guarantee> elements. Read the section Specifying a Secure Connection for more information.
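The two pieces above, form-based login and a CONFIDENTIAL transport guarantee, only protect a password when they appear together in the same web.xml. The following deployment descriptor fragment is an added example, not code from the tutorial; the /secure/* URL pattern, the role name "user", and the login and error page names are assumptions.

```xml
<!-- Constructed example (not from the tutorial): FORM login over SSL.
     The URL pattern, role name and page names are assumptions. -->
<web-app xmlns="http://java.sun.com/xml/ns/j2ee" version="2.4">

  <security-constraint>
    <web-resource-collection>
      <web-resource-name>Protected area</web-resource-name>
      <url-pattern>/secure/*</url-pattern>
      <!-- No <http-method> listed: the constraint covers every method,
           so GET, POST and HEAD are all protected alike -->
    </web-resource-collection>
    <auth-constraint>
      <role-name>user</role-name>
    </auth-constraint>
    <!-- Without this element the POST to j_security_check can travel
         over plain HTTP, exposing j_password. CONFIDENTIAL makes the
         container refuse plain HTTP for these URLs (typically by
         redirecting to its HTTPS port) before the login page is shown. -->
    <user-data-constraint>
      <transport-guarantee>CONFIDENTIAL</transport-guarantee>
    </user-data-constraint>
  </security-constraint>

  <!-- Applies to every constrained resource in the WAR -->
  <login-config>
    <auth-method>FORM</auth-method>
    <realm-name>default</realm-name>
    <form-login-config>
      <form-login-page>/login.jsp</form-login-page>
      <form-error-page>/error.jsp</form-error-page>
    </form-login-config>
  </login-config>

  <!-- Declares the role referenced by <auth-constraint>; the container
       maps it to users or groups in its realm -->
  <security-role>
    <role-name>user</role-name>
  </security-role>

</web-app>
```

A quick check after deployment: requesting http://host/secure/ over plain HTTP must not return the login page; the container should redirect to https:// before prompting for credentials.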


All of the material in The Java(TM) Web Services Tutorial is copyright-protected and may not be published in other works without express written permission from Sun Microsystems.