Customize Web app form-login
Form-based authentication transmits the user password from the browser to the Web server in plain text. To protect it in transit, use the HTTPS protocol.
The Web app deployment descriptor contains information about which authentication mechanism to use. When form-based authentication is used, the deployment descriptor contains entries for the login and error pages. A login page can be either an HTML file or a JSP file. The login page is displayed on the Web client side when a secured resource (servlet, JSP file, HTML page) of the application is accessed. On authentication failure, the error page is displayed.
Customize Web app login
- Create a form login page.
- Create an error page. We can program error pages to retry authentication or to display an appropriate error message.
- Place the login page and error page in the Web archive (.war) file relative to the top directory. For example, if the login page is configured as /mylogin.html in the deployment descriptor, place it in the top directory of the WAR file. An assembler can also perform this step using the assembly tool.
- Create a form logout page and insert it into the application only when the Web app requires a form-based authentication mechanism. By default, the URL of the logout page must point to the host to which the request was made, or to its domain; otherwise a generic logout page is displayed. To point this URL to a different host, edit security.xml and set the property com.ibm.websphere.security.logoutExitPageDomainList to a list of URLs allowed for the logout page. We can choose to allow any logout exit page by setting the property com.ibm.websphere.security.allowAnyLogoutExitPageHost to true. Note that setting it to true may open the system to URL redirect (open redirect) attacks, because the logout exit page is then no longer validated against an allowed host.
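To make the logout exit page restriction concrete, here is an added example (hypothetical helper code, not WebSphere's implementation) of the kind of allow-list check such a property enforces: it accepts only same-host paths or http/https URLs whose host is the request host or one of the listed hosts, and it rejects scheme-relative URLs, non-web schemes and userinfo tricks. The class, method and host names are assumed, and hosts are matched exactly rather than by domain suffix.

```java
import java.net.URI;
import java.net.URISyntaxException;
import java.util.Arrays;
import java.util.HashSet;
import java.util.Locale;
import java.util.Set;

/** Illustrative allow-list check for a form-logout exit page (assumed helper, not product code). */
public final class LogoutExitPagePolicy {

    private LogoutExitPagePolicy() {}

    // allowedHosts is expected to hold lower-case host names.
    public static boolean isAllowed(String exitPage, String requestHost, Set<String> allowedHosts) {
        if (exitPage == null || exitPage.isEmpty()) {
            return false;
        }
        URI uri;
        try {
            uri = new URI(exitPage);            // rejects backslashes and other malformed input
        } catch (URISyntaxException e) {
            return false;
        }
        // A plain path such as /logged-out.html stays on the current host.
        // "//evil.example/x" parses with an authority and no scheme, so it does not pass here.
        if (uri.getScheme() == null && uri.getRawAuthority() == null && exitPage.startsWith("/")) {
            return true;
        }
        if (uri.getScheme() == null) {
            return false;                       // scheme-relative URL: the browser would go to a foreign host
        }
        String scheme = uri.getScheme().toLowerCase(Locale.ROOT);
        if (!scheme.equals("http") && !scheme.equals("https")) {
            return false;                       // blocks javascript:, data: and similar schemes
        }
        if (uri.getRawUserInfo() != null) {
            return false;                       // https://app.example.com@evil.example/ really targets evil.example
        }
        String host = uri.getHost();
        if (host == null) {
            return false;                       // empty or unparsable authority
        }
        host = host.toLowerCase(Locale.ROOT);
        return host.equalsIgnoreCase(requestHost) || allowedHosts.contains(host);
    }

    public static void main(String[] args) {
        Set<String> allowed = new HashSet<>(Arrays.asList("portal.example.com"));   // constructed sample list
        for (String candidate : new String[] {"/logout-done.html", "https://portal.example.com/bye",
                "//attacker.example/steal", "https://app.example.com@attacker.example/"}) {
            System.out.println(candidate + " -> " + isAllowed(candidate, "app.example.com", allowed));
        }
    }
}
```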
The Technology Samples package in the Samples Gallery demonstrates how to use the WAS login facilities...
- Java EE form-based login
- Java EE servlet filter with login
- IBM extension: form-based login
The action of the login form must always be j_security_check, and the password field must be of type password so the browser masks it:

    <form method="POST" action="j_security_check">
      <input type="text" name="j_username">
      <input type="password" name="j_password">
      <input type="submit" value="Login">
    </form>
Use the j_username input field to get the user name, and use the j_password input field to get the user password.
On receiving a request from a Web client, the Web server sends the configured form page to the client and preserves the original request. When the Web server receives the completed form page from the Web client, the server extracts the user name and password from the form and authenticates the user. On successful authentication, the Web server redirects the call to the original request. If authentication fails, the Web server redirects the call to the configured error page.
Example login page (mylogin.html):

    <!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.0 Transitional//EN">
    <html>
    <head>
    <meta http-equiv="Pragma" content="no-cache">
    <title>Security FVT Login Page</title>
    </head>
    <body>
    <h2>Form Login</h2>
    <form method="post" action="j_security_check">
    <p>Enter user ID and password:<br>
    <input type="text" size="20" name="j_username">
    <input type="password" size="20" name="j_password"></p>
    <p>And then click this button:
    <input type="submit" name="login" value="Login"></p>
    </form>
    </body>
    </html>
Example error page (myerror.jsp):

    <!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.0 Transitional//EN">
    <html>
    <head><title>A Form login authentication failure occurred</title></head>
    <body>
    <h2>A Form login authentication failure occurred</h2>
    <p>Authentication may fail for one of many reasons. Some possibilities include:</p>
    <ol>
    <li>The user ID or password may be entered incorrectly; either misspelled or the wrong case was used.</li>
    <li>The user ID or password does not exist, has expired, or has been disabled.</li>
    </ol>
    </body>
    </html>
After assembling the Web app, the deployment descriptor contains the login configuration:

    <login-config id="LoginConfig_1">
      <auth-method>FORM</auth-method>
      <realm-name>Example Form-Based Authentication Area</realm-name>
      <form-login-config id="FormLoginConfig_1">
        <form-login-page>/mylogin.html</form-login-page>
        <form-error-page>/myerror.jsp</form-error-page>
      </form-login-config>
    </login-config>
Here is a sample WAR file directory structure showing the login and error pages:

    META-INF
    META-INF/MANIFEST.MF
    mylogin.html
    myerror.jsp
    WEB-INF/
    WEB-INF/classes/
    WEB-INF/classes/aServlet.class
After developing login and error pages, add them to the Web application. Use the assembly tool to configure an authentication mechanism and insert the developed login page and error page in the deployment descriptor of the application.
Form login uses the servlet sendRedirect method, which has several implications for the user.
The sendRedirect method initially displays the form login page in the Web browser. It later redirects the Web browser back to the originally requested protected page. The sendRedirect(String URL) method tells the Web browser to use the HTTP GET request to get the page specified in the Web address. If HTTP POST is the first request to a protected servlet or JSP file, and no previous authentication or login occurred, then HTTP POST is not delivered to the requested page. However, HTTP GET is delivered because form login uses the sendRedirect method, which behaves as an HTTP GET request that tries to display a requested page after a login occurs.
When HTTP POST is used, we might encounter a scenario in which an unprotected HTML form collects data from users and then posts this data to protected servlets or JSP files for processing, while the users are not yet logged in for that resource; the POST data is then lost in the login redirect. To avoid this scenario, structure the Web app or its permissions so that users are forced through the form login page before the application performs any HTTP POST to protected servlets or JSP files.
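One way to implement the recommendation above, as an added example (assumed names, not the page's or WebSphere's own code, written against the javax.servlet API): a filter on the unprotected data-entry form that sends anonymous users to a protected entry page first, so the container performs form login on a GET before any POST reaches a protected servlet.

```java
import java.io.IOException;
import javax.servlet.Filter;
import javax.servlet.FilterChain;
import javax.servlet.FilterConfig;
import javax.servlet.ServletException;
import javax.servlet.ServletRequest;
import javax.servlet.ServletResponse;
import javax.servlet.annotation.WebFilter;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;

/**
 * Hypothetical filter guarding an unprotected HTML form (/collect.html, assumed name)
 * whose POST target (/secure/process, assumed name) is a protected servlet.
 * An anonymous user never sees the form; the browser is first sent (GET) to a
 * protected entry page, which triggers form login. After login the container
 * redirects back to that entry page, which forwards to the form, and the later
 * POST is made by an already authenticated user, so it is not dropped.
 */
@WebFilter(urlPatterns = "/collect.html")
public class LoginBeforeFormFilter implements Filter {

    // Protected resource (assumed path) that exists only to trigger form login
    // and then forward the authenticated user to /collect.html.
    private static final String PROTECTED_ENTRY = "/secure/start";

    @Override
    public void init(FilterConfig filterConfig) { }

    @Override
    public void doFilter(ServletRequest req, ServletResponse res, FilterChain chain)
            throws IOException, ServletException {
        HttpServletRequest request = (HttpServletRequest) req;
        HttpServletResponse response = (HttpServletResponse) res;
        if (request.getUserPrincipal() == null) {
            // Not logged in: sendRedirect produces a GET, which the form-login flow
            // handles correctly. A POST sent at this point would be lost after login.
            response.sendRedirect(request.getContextPath() + PROTECTED_ENTRY);
            return;
        }
        chain.doFilter(req, res);   // authenticated: serve the form as usual
    }

    @Override
    public void destroy() { }
}
```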
Related
- Example: Form login
- Develop servlet filters for form login processing
- Web component security
- Access the Samples Gallery
- Single sign-on for HTTP requests using SPNEGO Web authentication
- Create a single sign-on for HTTP requests using SPNEGO Web authentication
- Develop extensions to the WebSphere security infrastructure