
Form-Based Authentication



HTTP basic authentication is not a secure authentication mechanism. Basic authentication
sends user names and passwords over the Internet as text that is Base64 encoded, and the target
server is not authenticated. This form of authentication can expose user names and passwords.
If someone can intercept the transmission, the user name and password information can easily
be decoded. However, when a secure transport mechanism, such as SSL, or security at the
network level, such as the IPSEC protocol or VPN strategies, is used in conjunction with basic
authentication, some of these concerns can be alleviated.
"Example: Basic Authentication with JAX-WS" on page 885 is an example application that uses HTTP basic authentication in a JAX-WS service. "Example: Using Form-Based Authentication with a JSP Page" on page 868 can be easily modified to demonstrate basic authentication. To do so, replace the text between the <login-config> elements with those shown in this section.
Form-Based Authentication
Form-based authentication allows the developer to control the look and feel of the login
authentication screens by customizing the login screen and error pages that an HTTP browser
presents to the end user. When form-based authentication is declared, the following actions
occur:
1. A client requests access to a protected resource.
2. If the client is unauthenticated, the server redirects the client to a login page.
3. The client submits the login form to the server.
4. The server attempts to authenticate the user.
a. If authentication succeeds, the authenticated user's principal is checked to ensure it is in
a role that is authorized to access the resource. If the user is authorized, the server
redirects the client to the resource using the stored URL path.
b. If authentication fails, the client is forwarded or redirected to an error page.
Figure 30-3 shows what happens when you specify form-based authentication.
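The following web.xml fragment is an added example (not a listing from the tutorial) of the deployment descriptor that produces the flow in steps 1 through 4 above; the /secure/* URL pattern, the employee role, the file realm name and the login.jsp/error.jsp page names are assumptions.

```xml
<!-- Added example web.xml fragment: form-based login for a protected area.
     URL pattern, role name, realm name and page names are assumed values. -->
<web-app xmlns="http://java.sun.com/xml/ns/javaee" version="3.0">

  <!-- Step 1: the resources that trigger authentication when requested -->
  <security-constraint>
    <web-resource-collection>
      <web-resource-name>Protected Area</web-resource-name>
      <url-pattern>/secure/*</url-pattern>
    </web-resource-collection>
    <!-- Step 4a: the authenticated principal must be in this role -->
    <auth-constraint>
      <role-name>employee</role-name>
    </auth-constraint>
    <!-- Credentials and session cookie travel over HTTPS only, which is
         the transport-level protection the text above calls for -->
    <user-data-constraint>
      <transport-guarantee>CONFIDENTIAL</transport-guarantee>
    </user-data-constraint>
  </security-constraint>

  <!-- Steps 2 and 4b: where unauthenticated clients are redirected,
       and where a failed login is forwarded -->
  <login-config>
    <auth-method>FORM</auth-method>
    <realm-name>file</realm-name>
    <form-login-config>
      <form-login-page>/login.jsp</form-login-page>
      <form-error-page>/error.jsp</form-error-page>
    </form-login-config>
  </login-config>

  <!-- Declares the role referenced by the auth-constraint -->
  <security-role>
    <role-name>employee</role-name>
  </security-role>
</web-app>
```

The login page itself must POST to the container action j_security_check with fields named j_username and j_password (step 3); the container saves the originally requested URL when it redirects to the login page and sends the client back to it after a successful, authorized login (step 4a).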
Defining Security Requirements for Web Applications
Chapter 30 · Securing Web Applications
861