
Creating the Login Form


6. Map the role name defined for this resource (loginUser) to a group of users defined on the Application Server. For more information on how to do this, read "Mapping Application Roles to Application Server Groups" on page 873.
7. Build, package, deploy, and run the web application by following the steps in "Building, Packaging, and Deploying the Form-Based Authentication Example Using NetBeans IDE" on page 874 or "Building, Packaging, and Deploying the Form-Based Authentication Example Using Ant" on page 874.
8. Test the web client, following the steps in "Testing the Form-Based Authentication Web Client" on page 875.

Creating a Web Client for Form-Based Authentication

The web client in this example is a standard JSP page, and annotations are not used in JSP pages because JSP pages are compiled as they are presented to the browser. Therefore, none of the code that adds form-based authentication to the example is included in the web client. The code for the JSP page used in this example, hello1_formauth/web/index.jsp, is exactly the same as the code used for the unsecured JSP page from the example application at tut-install/javaeetutorial5/examples/web/hello1/web/index.jsp.

The information that adds form-based authentication to this example is specified in the deployment descriptor. This information is discussed in "Specifying a Security Constraint" on page 870.

Creating the Login Form and the Error Page

When using form-based login mechanisms, you must specify a page that contains the form you want to use to obtain the user name and password, as well as which page to display if login authentication fails. This section discusses the login form and the error page used in this example. The section "Specifying a Security Constraint" on page 870 shows how you specify these pages in the deployment descriptor.

The login page can be an HTML page, a JSP page, or a servlet, and it must return an HTML page containing a form that conforms to specific naming conventions (see the Java Servlet 2.5 specification for more information on these requirements). To do this, include the elements that accept user name and password information between <form></form> tags in your login page. The content of an HTML page, JSP page, or servlet for a login page should be coded as follows:

<form method=post action="j_security_check" >
    <input type="text" name="j_username" >
    <input type="password" name="j_password" >
</form>
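
A check for the naming conventions described above, as an added example that is not part of the original tutorial: it parses a login page and reports any form that does not submit to j_security_check or lacks the j_username and j_password inputs. Treating a non-POST method and a non-password input type as findings is an assumption of this example, and the names audit_login_page, FormCollector, PAGE_FORM and BAD_FORM are hypothetical.

```python
from html.parser import HTMLParser

# Form from the page above, plus a constructed non-conforming page for contrast.
PAGE_FORM = """<form method=post action="j_security_check" >
<input type="text" name="j_username" >
<input type="password" name="j_password" >
</form>"""
BAD_FORM = """<form method="get" action="j_security_check">
<input type="text" name="username">
<input type="text" name="j_password">
</form>"""

class FormCollector(HTMLParser):
    """Records each <form> with its action, method and named inputs."""
    def __init__(self):
        super().__init__()
        self.forms, self._open = [], None

    def handle_starttag(self, tag, attrs):
        a = {k: (v or "") for k, v in attrs}
        if tag == "form":
            self._open = {"action": a.get("action", ""),
                          "method": a.get("method", "get").lower(), "inputs": {}}
            self.forms.append(self._open)
        elif tag == "input" and self._open is not None and "name" in a:
            self._open["inputs"][a["name"]] = a.get("type", "text").lower()

    def handle_endtag(self, tag):
        if tag == "form":
            self._open = None

def audit_login_page(html):
    """Return a list of problems; an empty list means the form conforms."""
    collector = FormCollector()
    collector.feed(html)
    # Keep forms whose action (query string, ;jsessionid dropped) is the login check.
    logins = [f for f in collector.forms if
              f["action"].split("?")[0].split(";")[0].endswith("j_security_check")]
    if not logins:
        return ["no form submits to j_security_check"]
    problems = []
    for form in logins:
        if form["method"] != "post":  # assumption: treat non-POST as a finding
            problems.append("method is %s, so credentials end up in the URL" % form["method"])
        for name in ("j_username", "j_password"):
            if name not in form["inputs"]:
                problems.append("missing input named " + name)
        if form["inputs"].get("j_password", "password") != "password":
            problems.append("j_password is not type=password")
    return problems
```
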

The full code for the login page used in this example can be found at tut-install/javaeetutorial5/examples/web/hello1_formauth/web/logon.jsp. An example of the running login form page is shown later in Figure 30-6. Here is the code for this page:
Examples: Securing Web Applications
Chapter 30 · Securing Web Applications
869