Customizing web application login
You can create a form login page and an error page to authenticate a user.
Before you begin
- HTTP basic authentication: A web server requests the Web client to authenticate and the web client passes a user ID and a password in the HTTP header.
- HTTPS client authentication: This mechanism requires a user (web client) to possess a public key certificate. The web client sends the certificate to a web server that requests the client certificates. This authentication mechanism is strong and uses the Hypertext Transfer Protocol with Secure Sockets Layer (HTTPS) protocol.
- Form-based Authentication: A developer controls the look of the login screens by using this authentication mechanism.
The Hypertext Transfer Protocol (HTTP) basic authentication transmits a user password from the web client to the web server in simple base64 encoding. Form-based authentication transmits a user password from the browser to the web server in plain text. Therefore, if the HTTPS protocol is not used, then both HTTP basic authentication and form-based authentication are not secure.
The web application deployment descriptor contains information about which authentication mechanism to use. When form-based authentication is used, the deployment descriptor also contains entries for login and error pages. A login page can be either an HTML page or a JavaServer Pages (JSP) file. This login page is displayed on the web client side when a secured resource (servlet, JSP file, HTML page) is accessed from the application. On authentication failure, an error page is displayed. You can write login and error pages to suit the application needs and control the look of the pages. During assembly of the application, an assembler can set the authentication mechanism for the application and set the login and error pages in the deployment descriptor.
Form login uses the sendRedirect method, which has several implications for the user. The sendRedirect method is used twice during form login:
- The sendRedirect method initially displays the form login page in the web browser. It later redirects the web browser back to the originally requested protected page. The sendRedirect(String URL) method tells the web browser to use an HTTP GET request to get the page that is specified in the web address. If HTTP POST is the first request to a protected servlet or JavaServer Pages (JSP) file, and no previous authentication or login occurred, then the HTTP POST is not delivered to the requested page. Instead, an HTTP GET is delivered, because form login uses the sendRedirect method, which behaves as an HTTP GET request that tries to display the requested page after a login occurs.
- Using HTTP POST, you might experience a scenario where an unprotected HTML form collects data from users. The unprotected HTML form then posts this data to protected servlets or JSP files for processing, but the users are not logged in for the resource, so the POST data is lost in the redirect. Structure your web application or permissions so that users are forced to use a form login page before the application performs any HTTP POST actions to protected servlets or JSP files.
Procedure
- Create a form login page with the required look, including the required elements to complete form-based authentication.
- Create an error page. You can program error pages to retry authentication or to display an appropriate error message.
- Place the login page and error page in the web application archive (.war) file relative to the beginning directory. For example, if the login page is configured as /login.html in the deployment descriptor, place it in the beginning directory of the WAR file. An assembler can also complete this step by using the assembly tool.
- Optional: If your web application requires a logout, follow the steps in Customizing web application logout.
Example: Form login
The following examples are available:
- Java EE form-based login
- Java EE servlet filter with login
- IBM® extension: form-based login
For Java EE form-based login, the login form posts to the j_security_check action. The following example shows how to code the form into the HTML page:
<form method="POST" action="j_security_check">
<input type="text" name="j_username">
<input type="password" name="j_password" autocomplete="off">
</form>
Use the j_username input field to get the username, and use the j_password input field to get the user password.
On receiving a request from a web client, the web server sends the configured form page to the client and preserves the original request. When the web server receives the completed form page from the web client, the server extracts the username and password from the form and authenticates the user. On successful authentication, the web server redirects the call to the original request. If authentication fails, the web server redirects the call to the configured error page.
The following example shows a complete login page:
<!DOCTYPE HTML PUBLIC "-//W3C/DTD HTML 4.0 Transitional//EN">
<html>
<head>
<META HTTP-EQUIV="Pragma" CONTENT="no-cache">
<title> Security FVT Login Page </title>
</head>
<body>
<h2>Form Login</h2>
<FORM METHOD="POST" ACTION="j_security_check">
<p>
<font size="2"> <strong> Enter user ID and password: </strong></font>
<BR>
<strong> User ID</strong> <input type="text" size="20" name="j_username">
<strong> Password </strong> <input type="password" size="20" name="j_password" autocomplete="off">
<BR>
<BR>
<font size="2"> <strong> And then click this button: </strong></font>
<input type="submit" name="login" value="Login">
</p>
</FORM>
</body>
</html>
The following example shows an error page:
<!DOCTYPE HTML PUBLIC "-//W3C/DTD HTML 4.0 Transitional//EN">
<html>
<head><title>A Form login authentication failure occurred</title></head>
<body>
<H1><B>A Form login authentication failure occurred</B></H1>
<P>Authentication may fail for one of many reasons. Some possibilities include:</P>
<OL>
<LI>The user ID or password was entered incorrectly; either it was misspelled or the
wrong case was used.</LI>
<LI>The user ID or password does not exist, has expired, or has been disabled.</LI>
</OL>
</body>
</html>
The following example shows the corresponding login-config entry in the deployment descriptor:
<login-config id="LoginConfig_1">
<auth-method>FORM</auth-method>
<realm-name>Example Form-Based Authentication Area</realm-name>
<form-login-config id="FormLoginConfig_1">
<form-login-page>/login.html</form-login-page>
<form-error-page>/error.jsp</form-error-page>
</form-login-config>
</login-config>
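The following deployment descriptor is an added example, not from the original page. It combines the login-config entry above with the advice in the sendRedirect discussion: the security constraint covers the data-entry form page as well as the servlet it posts to, so users must log in before any HTTP POST reaches a protected resource, and the transport guarantee forces HTTPS. The paths /order/* and the role name customer are assumed.

```xml
<?xml version="1.0" encoding="UTF-8"?>
<!-- Added example deployment descriptor (WEB-INF/web.xml), not from the
     original page. The /order/* path and the "customer" role are assumed
     for illustration. -->
<web-app xmlns="http://xmlns.jcp.org/xml/ns/javaee"
         xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
         xsi:schemaLocation="http://xmlns.jcp.org/xml/ns/javaee
                             http://xmlns.jcp.org/xml/ns/javaee/web-app_3_1.xsd"
         version="3.1">

  <!-- Protect the data-entry form itself, not only the servlet it posts to.
       Authentication then happens on the GET of the form, so the later POST
       arrives with an established login and is not turned into a GET by the
       sendRedirect that follows form login. -->
  <security-constraint>
    <web-resource-collection>
      <web-resource-name>Order entry</web-resource-name>
      <url-pattern>/order/*</url-pattern>
      <!-- no http-method element: the constraint applies to every method,
           so POST cannot slip through as an uncovered method -->
    </web-resource-collection>
    <auth-constraint>
      <role-name>customer</role-name>
    </auth-constraint>
    <!-- Require HTTPS: form login otherwise sends j_password in plain text -->
    <user-data-constraint>
      <transport-guarantee>CONFIDENTIAL</transport-guarantee>
    </user-data-constraint>
  </security-constraint>

  <!-- Login and error pages sit at the WAR root, outside the constrained
       path, so they can be served before the user is authenticated. -->
  <login-config>
    <auth-method>FORM</auth-method>
    <realm-name>Example Form-Based Authentication Area</realm-name>
    <form-login-config>
      <form-login-page>/login.html</form-login-page>
      <form-error-page>/error.jsp</form-error-page>
    </form-login-config>
  </login-config>

  <security-role>
    <role-name>customer</role-name>
  </security-role>
</web-app>
```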
What to do next
- Customizing web application logout
WebSphere Application Server logout allows an application to log out a user without having to close all web-browser sessions. After you log out of WebSphere Application Server, access to a protected web resource requires reauthentication.