form-login-config Element

The following example shows how to declare form-based authentication in your deployment descriptor:

    <login-config>
        <auth-method>FORM</auth-method>
        <realm-name>file</realm-name>
        <form-login-config>
            <form-login-page>/logon.jsp</form-login-page>
            <form-error-page>/logonError.jsp</form-error-page>
        </form-login-config>
    </login-config>
The login and error page locations are specified relative to the location of the deployment descriptor. Examples of login and error pages are shown in "Creating the Login Form and the Error Page" on page 869.

Form-based authentication is not particularly secure. In form-based authentication, the content of the user dialog box is sent as plain text, and the target server is not authenticated. This form of authentication can expose your user names and passwords unless all connections are over SSL. If someone can intercept the transmission, the user name and password information can easily be decoded. However, when a secure transport mechanism, such as SSL, or security at the network level, such as the IPSEC protocol or VPN strategies, is used in conjunction with form-based authentication, some of these concerns can be alleviated.

The section "Example: Using Form-Based Authentication with a JSP Page" on page 868 is an example application that uses form-based authentication.
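As an added example that is not part of the tutorial's text, the following web.xml fragment combines the login-config above with a security-constraint whose user-data-constraint of CONFIDENTIAL makes the container require SSL for the protected URLs, which addresses the plain-text exposure described above. The URL pattern /secure/*, the role name "user" and the web-app header are assumed values; the login and error page paths are the ones from the descriptor above.

```xml
<!-- Added example (not from the tutorial): form login with SSL required.
     /secure/*, the role name and the web-app header are assumed values. -->
<web-app xmlns="http://java.sun.com/xml/ns/javaee" version="2.5">

  <!-- Everything under /secure/* needs an authenticated user in role "user". -->
  <security-constraint>
    <web-resource-collection>
      <web-resource-name>Protected Area</web-resource-name>
      <url-pattern>/secure/*</url-pattern>
    </web-resource-collection>
    <auth-constraint>
      <role-name>user</role-name>
    </auth-constraint>
    <!-- Without this element the container starts the login dialog over
         plain HTTP and j_username / j_password travel in clear text.
         CONFIDENTIAL makes the container require HTTPS for the request
         before the login dialog begins, so the form and its POST to
         j_security_check are carried over SSL as well. -->
    <user-data-constraint>
      <transport-guarantee>CONFIDENTIAL</transport-guarantee>
    </user-data-constraint>
  </security-constraint>

  <!-- A user who opens the login page directly is not covered by the
       constraint above; this second constraint (no auth-constraint, so no
       login is demanded) forces SSL for the login and error pages too. -->
  <security-constraint>
    <web-resource-collection>
      <web-resource-name>Login Pages</web-resource-name>
      <url-pattern>/logon.jsp</url-pattern>
      <url-pattern>/logonError.jsp</url-pattern>
    </web-resource-collection>
    <user-data-constraint>
      <transport-guarantee>CONFIDENTIAL</transport-guarantee>
    </user-data-constraint>
  </security-constraint>

  <login-config>
    <auth-method>FORM</auth-method>
    <realm-name>file</realm-name>
    <form-login-config>
      <form-login-page>/logon.jsp</form-login-page>
      <form-error-page>/logonError.jsp</form-error-page>
    </form-login-config>
  </login-config>

  <security-role>
    <role-name>user</role-name>
  </security-role>
</web-app>
```

The login form itself must use the field names j_username and j_password and post to j_security_check, the action the container reserves for form-based authentication; it is not a servlet you write.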
FIGURE 30-3 Form-Based Authentication (diagram of the exchange between client and server): (1) the client requests a protected resource; (2) the server redirects the client to the login page (login.jsp); (3) the client submits the form to j_security_check; (4) on success the client is redirected to the originally requested resource, on failure the error page (error.jsp) is returned.
Defining Security Requirements for Web Applications
The Java EE 5 Tutorial · September 2007
862