
 

Customize Web application login

 

You can create..

...to authenticate a user using one of the following mechanisms...

HTTP basic authentication: the web server challenges the client, and the client passes a user ID and a password in the HTTP Authorization header. The password is base64-encoded, which is an encoding, not encryption; anyone who can read the traffic can decode it.
HTTPS client authentication: requires the client to possess a public key certificate, which it presents to the requesting web server during the TLS handshake.
Form-based authentication: custom login screens. The password is sent from the client to the web server in plain text as a form field.

Neither HTTP basic authentication nor form-based authentication is secure unless the HTTPS protocol is used, because in both cases the password crosses the network in a form that anyone observing the connection can read.

The Web application deployment descriptor (web.xml) contains information about which authentication mechanism to use. When form-based authentication is used, the deployment descriptor also contains entries for the login and error pages. A login page can be either...

This login page displays on the client side when a secured resource...

...is accessed from the application. On authentication failure, an error page displays.

You can write login and error pages to suit the application needs and control the look and feel of these pages. During assembly of the application, an assembler can set the authentication mechanism for the application and set the login and error pages in the deployment descriptor.

The sendRedirect method is used twice during form login:

 

Procedure

  1. Create a form login page with the required look and feel, including the elements that form-based authentication requires: a form that POSTs to the j_security_check action with a user ID field named j_username and a password field named j_password.

  2. Create an error page. You can program error pages to retry authentication or to display an appropriate error message. Keep the message generic, so that it does not reveal whether the user ID or the password was wrong.

  3. Place the login page and error page in the Web archive (.war) file relative to the top directory. For example, if the login page is configured as /login.html in the deployment descriptor, place it in the top directory of the WAR file. An assembler can also perform this step using the assembly tool.

  4. Create a form logout page and add it to the application. A form logout page is only meaningful when the Web application uses the form-based authentication mechanism.
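The four steps above, together with the HTTPS caveat from the description of the authentication mechanisms, worked through for a hypothetical application. This is an added example, not code from the original page or from the WAS samples. The page names (/login.html, /loginerror.html, /logout.html), the URL pattern /secure/* and the role AppUser are assumptions. The form action j_security_check and the field names j_username and j_password are the names the J2EE servlet specification fixes for form-based login; the ibm_security_logout action with the logoutExitPage parameter is the WAS form-logout convention. Each file is shown as a separate document inside one block, introduced by a comment naming its path in the WAR.

```xml
<!-- WEB-INF/web.xml (fragment, assumed application): select FORM
     authentication, name the login and error pages, and protect /secure/*
     so that only role AppUser can reach it, and only over HTTPS. -->
<web-app>
  <security-constraint>
    <web-resource-collection>
      <web-resource-name>Protected area</web-resource-name>
      <url-pattern>/secure/*</url-pattern>
    </web-resource-collection>
    <auth-constraint>
      <role-name>AppUser</role-name>
    </auth-constraint>
    <user-data-constraint>
      <!-- CONFIDENTIAL makes the container require HTTPS for this
           resource, so the plain-text form password is never sent over
           clear HTTP. Without it the form still works, but the password
           is readable on the wire. -->
      <transport-guarantee>CONFIDENTIAL</transport-guarantee>
    </user-data-constraint>
  </security-constraint>

  <login-config>
    <auth-method>FORM</auth-method>
    <form-login-config>
      <!-- Paths are relative to the context root; both pages sit in the
           top directory of the WAR. -->
      <form-login-page>/login.html</form-login-page>
      <form-error-page>/loginerror.html</form-error-page>
    </form-login-config>
  </login-config>

  <security-role>
    <role-name>AppUser</role-name>
  </security-role>
</web-app>

<!-- /login.html (step 1): the action and field names are fixed by the
     J2EE specification. The container, not the application, receives the
     POST to j_security_check and checks the credentials. -->
<html>
  <body>
    <form method="post" action="j_security_check">
      <p>User ID: <input type="text" name="j_username" /></p>
      <p>Password: <input type="password" name="j_password" /></p>
      <input type="submit" value="Log in" />
    </form>
  </body>
</html>

<!-- /loginerror.html (step 2): displayed by the container when the
     credentials are rejected. The message deliberately does not say which
     of the two values was wrong. -->
<html>
  <body>
    <p>Login failed. <a href="login.html">Try again</a>.</p>
  </body>
</html>

<!-- /logout.html (step 4, WAS form logout): posting to ibm_security_logout
     logs the user out; logoutExitPage names the page the browser is sent
     to afterwards (assumed path). -->
<html>
  <body>
    <form method="post" action="ibm_security_logout">
      <input type="hidden" name="logoutExitPage" value="/loggedout.html" />
      <input type="submit" value="Log out" />
    </form>
  </body>
</html>
```

When an unauthenticated browser requests a URL under /secure/, the container remembers that URL and redirects the browser to /login.html; after a successful POST to j_security_check it redirects the browser back to the originally requested URL, which is where the two sendRedirect calls mentioned above occur. On failure the container shows /loginerror.html instead. Packaging (step 3) means placing the three HTML files in the top directory of the WAR so that the /login.html and /loginerror.html entries in web.xml resolve.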

 

Example

See the Example: Form login article for sample form login pages. The Samples Gallery provides a form login Sample that demonstrates how to use the WAS login facilities to implement and configure form login procedures. The Sample integrates the following technologies to demonstrate the WAS and J2EE login functionality:

The form login sample is part of the Technology Samples package. For more information on how to access the form login sample, see Accessing the Samples (Samples Gallery).

 

What to do next

After developing login and error pages, add them to the Web application. Use the assembly tool to configure an authentication mechanism and insert the developed login page and error page in the deployment descriptor of the application.



Example: Form login
Developing servlet filters for form login processing

 

Related concepts

Web component security
Access the Samples (Samples Gallery)

 

Related tasks

Develop extensions to the WebSphere security infrastructure

 

Related Reference

Security: Resources for learning