Specifying an Authentication Mechanism

The user data constraint is handy to use in conjunction with basic and form-based user
authentication. When the login authentication method is set to BASIC or FORM, passwords are
not protected, meaning that passwords sent between a client and a server on an unprotected
session can be viewed and intercepted by third parties. Using a user data constraint with the
user authentication mechanism can alleviate this concern. Configuring a user authentication
mechanism is described in "Specifying an Authentication Mechanism" on page 858.
To guarantee that data is transported over a secure connection, ensure that SSL support is
configured for your server. If your server is the Sun Java System Application Server, SSL support
is already configured. If you are using another server, consult the documentation for that server
for information on setting up SSL support. More information on configuring SSL support on
the Application Server can be found in "Establishing a Secure Connection Using SSL" on page 785
and in the Sun Java System Application Server 9.1 Administration Guide.
Note – Good Security Practice: If you are using sessions, after you switch to SSL you should
never accept any further requests for that session that are non-SSL. For example, a shopping site
might not use SSL until the checkout page, and then it might switch to using SSL to accept your
card number. After switching to SSL, you should stop listening to non-SSL requests for this
session. The reason for this practice is that the session ID itself was not encrypted on the earlier
communications. This is not so bad when you're only doing your shopping, but after the credit
card information is stored in the session, you don't want an attacker who captured the session ID
replaying it to fake the purchase transaction against your credit card. This practice could be easily
implemented using a filter.
Specifying an Authentication Mechanism
To specify an authentication mechanism for your web application, declare a login-config
element in the application deployment descriptor. The login-config element is used to
configure the authentication method and realm name that should be used for this application,
and the attributes that are needed by the form login mechanism when form-based login is
selected. The sub-element auth-method configures the authentication mechanism for the web
application. The element content must be one of BASIC, DIGEST, FORM, CLIENT-CERT, or a
vendor-specific authentication scheme. The realm-name element indicates the realm name to
use for the authentication scheme chosen for the web application. The form-login-config
element specifies the login and error pages that should be used when FORM-based login is
specified.
The authentication mechanism you choose specifies how the user is prompted to log in. If the
<login-config> element is present, and the <auth-method> element contains a value other
than NONE, the user must be authenticated before he or she can access any resource that is
constrained by the use of a security-constraint element in the same deployment descriptor (read
"Specifying Security Constraints" on page 854 for more information on security constraints). If
you do not specify an authentication mechanism, the user will not be authenticated.
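The following filter implements the good-security-practice note above (refuse non-SSL requests for a session once it has switched to SSL), and its header comment shows the login-config declaration this section describes, together with the user-data-constraint and filter registration it assumes. It is an added example written against the Servlet 2.5 API that Java EE 5 provides; it is not code from the Java EE 5 Tutorial or from the Sun Java System Application Server. The package and class names, the session attribute name, and the URL patterns, role, realm name and page names in the descriptor comment are assumptions made for this illustration.

```java
package com.example.security; // hypothetical package, not from the tutorial

/*
 * Assumed web.xml (Servlet 2.5) fragment this filter is written against. The URL
 * patterns, realm name, role and page names are constructed for this example.
 *
 *   <security-constraint>
 *     <web-resource-collection>
 *       <web-resource-name>Checkout</web-resource-name>
 *       <url-pattern>/checkout/*</url-pattern>
 *     </web-resource-collection>
 *     <auth-constraint>
 *       <role-name>customer</role-name>
 *     </auth-constraint>
 *     <user-data-constraint>
 *       <transport-guarantee>CONFIDENTIAL</transport-guarantee>
 *     </user-data-constraint>
 *   </security-constraint>
 *
 *   <login-config>
 *     <auth-method>FORM</auth-method>
 *     <realm-name>file</realm-name>
 *     <form-login-config>
 *       <form-login-page>/login.jsp</form-login-page>
 *       <form-error-page>/loginError.jsp</form-error-page>
 *     </form-login-config>
 *   </login-config>
 *
 *   <filter>
 *     <filter-name>SecureSessionFilter</filter-name>
 *     <filter-class>com.example.security.SecureSessionFilter</filter-class>
 *   </filter>
 *   <filter-mapping>
 *     <filter-name>SecureSessionFilter</filter-name>
 *     <url-pattern>/*</url-pattern>
 *   </filter-mapping>
 */

import java.io.IOException;
import java.util.Enumeration;
import java.util.HashMap;
import java.util.Map;
import javax.servlet.Filter;
import javax.servlet.FilterChain;
import javax.servlet.FilterConfig;
import javax.servlet.ServletException;
import javax.servlet.ServletRequest;
import javax.servlet.ServletResponse;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;
import javax.servlet.http.HttpSession;

public class SecureSessionFilter implements Filter {

    /** Session attribute marking that this session has been used over SSL (name is hypothetical). */
    private static final String SECURE_ONLY = "com.example.security.SECURE_ONLY";

    public void init(FilterConfig config) throws ServletException { }

    public void destroy() { }

    public void doFilter(ServletRequest req, ServletResponse res, FilterChain chain)
            throws IOException, ServletException {
        HttpServletRequest request = (HttpServletRequest) req;
        HttpServletResponse response = (HttpServletResponse) res;
        HttpSession session = request.getSession(false);

        if (request.isSecure()) {
            // First SSL request of a session that began over plain HTTP: its ID has already
            // travelled in the clear, so discard it and continue in a fresh session that
            // carries the same attributes (the shopping cart survives, the exposed ID does not).
            if (session != null && session.getAttribute(SECURE_ONLY) == null) {
                session = renewSession(request, session);
                session.setAttribute(SECURE_ONLY, Boolean.TRUE);
            }
        } else if (session != null && session.getAttribute(SECURE_ONLY) != null) {
            // Plain-HTTP request presenting the ID of a session that already switched to SSL.
            // That ID has just been exposed on the wire, so kill the session instead of serving it.
            session.invalidate();
            response.sendError(HttpServletResponse.SC_FORBIDDEN,
                    "This session may only be used over a secure connection");
            return;
        }

        chain.doFilter(req, res);
    }

    /** Invalidates the old session and copies its attributes into a new one with a fresh ID. */
    private static HttpSession renewSession(HttpServletRequest request, HttpSession old) {
        Map<String, Object> saved = new HashMap<String, Object>();
        Enumeration<?> names = old.getAttributeNames();
        while (names.hasMoreElements()) {
            String name = (String) names.nextElement();
            saved.put(name, old.getAttribute(name));
        }
        old.invalidate();
        HttpSession fresh = request.getSession(true);
        for (Map.Entry<String, Object> entry : saved.entrySet()) {
            fresh.setAttribute(entry.getKey(), entry.getValue());
        }
        return fresh;
    }
}
```

The container performs the FORM login declared in login-config before any filter runs, so the filter only has to track the transport. Renewing the session on the first SSL request matters because the ID issued during plain-HTTP browsing may already have been observed; invalidating on a later non-SSL request matters because Servlet 2.5 gives web.xml no way to set the Secure flag on the session cookie, so a browser following a plain http link after checkout will send the new ID in the clear, and the filter makes that leaked ID worthless immediately. The cost is that the legitimate user loses the session too, so every link rendered after the switch should stay on https.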
Defining Security Requirements for Web Applications
The Java EE 5 Tutorial · September 2007
858