
 

Migrate from the CustomLoginServlet class to servlet filters

 

Use this topic to migrate an application from the CustomLoginServlet class to form-based login and servlet filters. The CustomLoginServlet class is deprecated in WebSphere Application Server V5. Applications that use the CustomLoginServlet class to perform authentication now need to use form-based login. With the form-based login mechanism, you can control the look and feel of the login screen. In form-based login, you specify a login page, which displays when the user ID and password information is retrieved. You also can specify an error page that displays when authentication fails.

If login and error pages are not enough to replace what the CustomLoginServlet class did, use servlet filters. Servlet filters can dynamically intercept requests and responses to transform or use the information that is contained in the requests or responses. One or more servlet filters attach to a servlet or a group of servlets. Servlet filters also can attach to JavaServer Pages files and HTML pages. All the attached servlet filters are called before the servlet is invoked.

Both form-based login and servlet filters are supported by any Servlet 2.3 specification-compliant Web container. A form login servlet performs the authentication and servlet filters can perform additional authentication, auditing, or logging tasks.

To perform pre-login and post-login actions using servlet filters, configure these servlet filters for either the form login page or the /j_security_check URL. The form login page posts to j_security_check with the j_username parameter that contains the user name and the j_password parameter that contains the password. A servlet filter can use the user name and password information to perform more authentication or meet other special needs.

 

Procedure

  1. Develop a form login page and error page for the application.

    Refer to Customizing Web application login for details.

  2. Configure the form login page and the error page for the application as described in .

    Refer to Securing Web applications using an assembly tool for details.

  3. Develop servlet filters if additional processing is required before and after form login authentication.

    Refer to Developing servlet filters for form login processing for details.

  4. Configure the servlet filters that are developed in the previous step for either the form login page URL or for the /j_security_check URL. Use an assembly tool or development tools like Rational Application Developer to configure filters. After you configure the servlet filters, the web.xml file contains two stanzas. The first stanza contains the servlet filter configuration: the servlet filter and its implementation class. The second stanza contains the filter mapping section, which maps the servlet filter to the URL.

    For more information, see Configure servlet filters.
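
The following filter illustrates steps 3 and 4. It is an added example, not code from the product documentation: it audits the login action around /j_security_check and shows the two web.xml stanzas in its header comment. The class name, package name, filter name, and the length cap on the logged user name are assumptions made for the illustration.

```java
package com.example.security; // hypothetical package name
import java.io.IOException;
import javax.servlet.*;

/*
 * Added example: audit filter for the form login action. Assumed web.xml stanzas:
 *   <filter>
 *     <filter-name>LoginAuditFilter</filter-name>
 *     <filter-class>com.example.security.LoginAuditFilter</filter-class>
 *   </filter>
 *   <filter-mapping>
 *     <filter-name>LoginAuditFilter</filter-name>
 *     <url-pattern>/j_security_check</url-pattern>
 *   </filter-mapping>
 */
public class LoginAuditFilter implements Filter {
    private static final int MAX_NAME = 64; // assumed cap on logged user name length
    private ServletContext ctx;

    public void init(FilterConfig config) throws ServletException {
        ctx = config.getServletContext();
    }

    public void doFilter(ServletRequest req, ServletResponse res, FilterChain chain)
            throws IOException, ServletException {
        // Pre-login: read only j_username. j_password is never read, logged or stored.
        String user = clean(req.getParameter("j_username"));
        ctx.log("login attempt user=[" + user + "] from=" + req.getRemoteAddr());

        chain.doFilter(req, res); // the container authenticates the posted credentials

        // Post-login: the outcome is not inspected here, only that processing finished.
        ctx.log("login request processed user=[" + user + "]");
    }

    public void destroy() { ctx = null; }

    // Replace control characters (CR, LF, ...) and truncate, so that a crafted
    // user name cannot forge or split audit log lines.
    static String clean(String s) {
        if (s == null) return "";
        StringBuffer out = new StringBuffer();
        for (int i = 0; i < s.length() && i < MAX_NAME; i++) {
            char c = s.charAt(i);
            out.append(Character.isISOControl(c) ? '?' : c);
        }
        return out.toString();
    }
}
```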

 

Results

This migration results in an application that uses form-based login and servlet filters without the use of the CustomLoginServlet class.

 

What to do next

The new application uses form-based login and servlet filters to replace the CustomLoginServlet class. Servlet filters also are used to perform additional authentication, auditing, and logging.



Customizing Web application login
Securing Web applications using an assembly tool
Developing servlet filters for form login processing
Configure servlet filters