Friday, August 20, 2010

HTTP Form Authentication

Form-based authentication is defined in the Servlet Specification. Unlike HTTP basic authentication, it lets you control the look and feel of the login page and the login-error page. When a client requests a protected web resource without an authenticated session, the web container invokes the form-based authentication mechanism configured for that resource and shows the login page. If the login succeeds, the container redirects the client to the resource it originally asked for; if it fails, the configured error page is displayed instead.

On its own, form-based authentication is not secure: the username and password are sent in the POST body in clear text, and the session cookie that represents the login travels the same way. Serve the login page and the protected resources over HTTPS; in web.xml this is enforced by giving the security constraint a user-data-constraint with a transport-guarantee of CONFIDENTIAL.

Form-based authentication is container-managed, just like basic authentication: the realm, the roles and the security constraints are configured the same way, and only the way credentials are collected differs. Setting up form-based authentication on Tomcat 6 requires the following steps:

1. Create a login page.
The names of the username and password fields and the form action are fixed by the Servlet Specification: j_username, j_password and j_security_check respectively. The container intercepts the POST to j_security_check, so these exact names must be used; the action URL is resolved relative to the login page.

Example /login.jsp:
<form action='j_security_check' method='post'>
<table>
<tr><td>Name:</td>
<td><input type='text' name='j_username'></td></tr>
<tr><td>Password:</td>
<td><input type='password' name='j_password' size='8'></td>
</tr>
</table>
<input type='submit' value='login'>
</form>

2. Create an error page that will be displayed if login fails.
The error page displays an error message and provides a link back to the login page.

Example /error.jsp:
<html> <head> <title>Error!</title></head>
<body>
<p><font size='4' color='red'>
The username and password you supplied are not valid.
</font></p>
<p>Click <a href='<%= response.encodeURL("login.jsp") %>'>here</a> to retry login.</p>
</body> </html>

3. In the deployment descriptor, specify FORM as the authentication method and name the login page and the error page. The security constraint below restricts the protected page to users in role1 or role2.

Example /WEB-INF/web.xml:
<?xml version="1.0" encoding="ISO-8859-1"?>
<!DOCTYPE web-app PUBLIC "-//Sun Microsystems, Inc.//DTD Web Application 2.2//EN" "http://java.sun.com/j2ee/dtds/web-app_2.2.dtd">
<web-app>
<security-constraint>
<web-resource-collection>
<web-resource-name>protected resource page</web-resource-name>
<url-pattern>/protected-page.jsp</url-pattern>
</web-resource-collection>

<auth-constraint>
<role-name>role1</role-name>
<role-name>role2</role-name>
</auth-constraint>
</security-constraint>

<login-config>
<auth-method>FORM</auth-method>
<realm-name>Form Authentication Example</realm-name>
<form-login-config>
<form-login-page>/login.jsp</form-login-page>
<form-error-page>/error.jsp</form-error-page>
</form-login-config>
</login-config>
</web-app>

4. In Tomcat 6, users, their passwords and their roles are kept in $TOMCAT_HOME/conf/tomcat-users.xml, which the UserDatabaseRealm configured in server.xml reads by default. The documented attribute for the login name is username. Passwords are stored exactly as typed unless the Realm element in server.xml is given a digest attribute, so keep this file readable by the Tomcat user only:

<tomcat-users>
<user username="user1" password="password" roles="role1" />
<user username="user2" password="passwd" roles="role2" />
</tomcat-users>

5. You are done. Restart Tomcat 6 and request the protected resource from a browser: the container shows /login.jsp, and after a successful login it redirects you to /protected-page.jsp. Wrong credentials land on /error.jsp.
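Before deploying, a practitioner usually wants to check the descriptor and the user database for the mistakes discussed in the steps above. The script below is an added example, not part of the original post and not Tomcat code: it parses a web.xml and a tomcat-users.xml offline and flags form pages placed outside <form-login-config>, a constraint without a CONFIDENTIAL transport guarantee (the clear-text password problem), roles used in an auth-constraint that are not declared in <security-role> or that no user holds, passwords stored in clear text, and a login page that is itself covered by a constraint. The sample XML is constructed (it mirrors the web.xml and tomcat-users.xml from steps 3 and 4), the function names are assumptions, and the realm_digest argument stands in for the digest attribute of the Realm element in server.xml.

```python
import xml.etree.ElementTree as ET

# Constructed sample input (assumption: mirrors steps 3 and 4 above).
# form-login-config is nested correctly, but there is no transport
# guarantee and the roles are not declared in <security-role>.
WEB_XML = """<web-app>
  <security-constraint>
    <web-resource-collection>
      <web-resource-name>protected resource page</web-resource-name>
      <url-pattern>/protected-page.jsp</url-pattern>
    </web-resource-collection>
    <auth-constraint>
      <role-name>role1</role-name>
      <role-name>role2</role-name>
    </auth-constraint>
  </security-constraint>
  <login-config>
    <auth-method>FORM</auth-method>
    <realm-name>Form Authentication Example</realm-name>
    <form-login-config>
      <form-login-page>/login.jsp</form-login-page>
      <form-error-page>/error.jsp</form-error-page>
    </form-login-config>
  </login-config>
</web-app>"""

# The same descriptor hardened: HTTPS enforced and the roles declared.
HARDENED_WEB_XML = WEB_XML.replace("</auth-constraint>", """</auth-constraint>
    <user-data-constraint>
      <transport-guarantee>CONFIDENTIAL</transport-guarantee>
    </user-data-constraint>""").replace("</web-app>", """
  <security-role><role-name>role1</role-name></security-role>
  <security-role><role-name>role2</role-name></security-role>
</web-app>""")

TOMCAT_USERS_XML = """<tomcat-users>
  <user username="user1" password="password" roles="role1"/>
  <user username="user2" password="passwd" roles="role2"/>
</tomcat-users>"""


def _name(tag):
    return tag.rsplit("}", 1)[-1]  # drop the namespace of a schema-based web.xml

def _texts(elem, name):
    return [c.text.strip() for c in elem.iter() if _name(c.tag) == name and c.text]

def _kids(elem, name):
    return [c for c in elem.iter() if _name(c.tag) == name]

def _matches(pattern, path):
    # Servlet url-pattern subset: an exact match or a "/prefix/*" match.
    if pattern.endswith("/*"):
        return path == pattern[:-2] or path.startswith(pattern[:-1])
    return pattern == path


def audit_form_auth(web_xml, users_xml, realm_digest=None):
    """Return sorted findings. realm_digest is the Realm's digest attribute
    from server.xml (assumed name); None means passwords are kept as typed."""
    app, users = ET.fromstring(web_xml), ET.fromstring(users_xml)
    findings, login_page = set(), None

    for cfg in _kids(app, "login-config"):
        if (_texts(cfg, "auth-method") or [""])[0].upper() != "FORM":
            continue
        if not _kids(cfg, "form-login-config"):
            findings.add("login-config: the form pages must sit inside <form-login-config>")
        login, error = _texts(cfg, "form-login-page"), _texts(cfg, "form-error-page")
        if login and error:
            login_page = login[0]
        else:
            findings.add("login-config: FORM needs both form-login-page and form-error-page")

    declared = {r for sr in _kids(app, "security-role") for r in _texts(sr, "role-name")}
    held = set()
    for u in _kids(users, "user"):
        held |= {r.strip() for r in u.get("roles", "").split(",") if r.strip()}
        if u.get("password") and realm_digest is None:
            findings.add("tomcat-users.xml: passwords stored in clear text; set digest on the Realm")

    for sc in _kids(app, "security-constraint"):
        patterns = _texts(sc, "url-pattern")
        label = ", ".join(patterns)
        roles = {r for ac in _kids(sc, "auth-constraint") for r in _texts(ac, "role-name")}
        if "CONFIDENTIAL" not in _texts(sc, "transport-guarantee"):
            findings.add(f"{label}: no CONFIDENTIAL transport-guarantee, so j_password can travel over plain HTTP")
        for r in roles - declared:
            findings.add(f"{label}: role {r} is used in auth-constraint but not declared in <security-role>")
        for r in roles - held:
            findings.add(f"{label}: no user in tomcat-users.xml holds role {r}")
        if login_page and any(_matches(p, login_page) for p in patterns):
            findings.add(f"{label}: also covers the login page {login_page}, which must stay reachable")
    return sorted(findings)


if __name__ == "__main__":
    for finding in audit_form_auth(WEB_XML, TOMCAT_USERS_XML) or ["no findings"]:
        print(finding)
```

Run as-is, the script reports four findings for the descriptor from step 3 (no transport guarantee, role1 and role2 undeclared, clear-text passwords); the hardened variant with a digest configured on the realm produces none. Stripping the <form-login-config> wrapper, as the original web.xml in this post did, is reported as its own finding.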

Hope this is useful! Enjoy!
