
5.4.3: Form-based login

Applications can present site-specific login forms by making use of WebSphere's form-login type. The J2EE specification defines form login as one of the authentication methods for Web applications. However, the Servlet 2.2 specification does not define a mechanism for logging out. WebSphere extends J2EE by also providing a form-logout mechanism.

Form login

A form login works in the following manner:

  1. An unauthenticated user attempts to use a resource secured with a form-login authentication method.
  2. The user is redirected to the form-login page, which takes the user to an HTML form that collects authentication information.
  3. The user enters his or her user ID and password into the form and submits it.
  4. The submission triggers a special WebSphere servlet that authenticates the user.
  5. If the user authenticates successfully, the originally requested secure resource can be accessed.

If you select LTPA as the authentication mechanism under global security settings and use form login in any Web applications, you must also enable single sign-on (SSO). If SSO is not enabled, authentication during form login fails with a configuration error. SSO is required because it generates an HTTP cookie that contains information representing the identity of the user at the Web browser. This information is needed to authorize protected resources when a form login is used.

Form login uses the servlet sendRedirect() method, which has several implications for the user. The sendRedirect() method is used twice during form login:

  1. It initially displays the form login page in the Web browser.
  2. It later redirects the Web browser back to the originally requested protected page.

The sendRedirect(String URL) method tells the Web browser to fetch the page specified in the URL with an HTTP GET request (not an HTTP POST). If an HTTP POST is the first request to a protected servlet or JavaServer Pages (JSP) file, and no authentication or login has occurred yet, the POST is not delivered to the requested page. After the login, the page receives an HTTP GET instead, because form login uses the sendRedirect() method, which redisplays the originally requested page with a GET request.

Using HTTP POST, you might experience a scenario where an unprotected HTML form collects data from users and then posts this data to protected servlets or JSP files for processing, but the users are not logged in for the resource. To avoid this scenario, structure your Web application or permissions so that users are forced to use a form login page before the application performs any HTTP POST actions to protected servlets or JSP files.

Configuring form login

Form login is one of the possible values for the auth-method tag in the login-config element in the deployment descriptor of a Web application. For example:

<login-config>
<auth-method>FORM</auth-method>
<realm-name>Example Form-Based Authentication</realm-name>
<form-login-config>
<form-login-page>/login.html</form-login-page>
<form-error-page>/error.jsp</form-error-page>
</form-login-config>
</login-config>

The form-login-page element above specifies the form to display when a request is made to a protected Web resource in the Web application. The form-login page is usually an HTML or JSP file, but it can also be a servlet. The page named in the form-error-page element is displayed if an error occurs during login.

The form-login page

The form-login page is usually an HTML form with text-entry fields for a user ID and password. The HTML file is included in the Web application archive (WAR) file. However, there are several key requirements:

  • The text-entry field for the user ID must be named j_username.
  • The field for the password must be named j_password.
  • The post action must be j_security_check.

The j_security_check post action is a special action recognized by the web container; it dispatches the action to a special WebSphere servlet that authenticates the user.

Here is an example of a form-login HTML page:

<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.0 Transitional//EN">
<html>
<head>
<META HTTP-EQUIV="Pragma" CONTENT="no-cache">
<title>Form Login Page</title>
</head>

<body>

<h2>Sample Form Login</h2>

<FORM METHOD=POST ACTION="j_security_check">
<p>
<font size="2">  <strong> Please Enter user ID and password: </strong></font> <BR>
<strong> User ID</strong>  <input type="text" size="20" name="j_username">
<strong> Password </strong>  <input type="password" size="20" name="j_password">
<BR>
<BR>
<font size="2">  <strong> And then click this button: </strong></font>
<input type="submit" name="login" value="Login">
</p>
</form>
</body>
</html>

Form logout

Form logout is a mechanism to log out without having to close all Web-browser sessions. After logging out with form logout, access to a protected Web resource requires reauthentication.

Suppose that it is desirable to log out after logging into a Web application and performing some actions. A form logout works in the following manner:

  1. The user enters the logout-form URI in the Web browser, which loads the form.
  2. The user clicks on the submit button of the form to logout.
  3. The WebSphere security code logs the user out.
  4. Upon logout, the user is redirected to a logout exit page.

Configuring form logout

Form logout does not require any attributes in any deployment descriptor. It is simply an HTML or JSP file that is included with the Web application.

The form logout page

The form-logout page is like most HTML forms except that, like the form-login page, it has a special post action that is recognized by the Web container, which dispatches it to a special internal WebSphere form-logout servlet.

The post action in the form-logout page must be ibm_security_logout.

A logout-exit page can be specified in the logout form. The exit page can be an HTML or JSP file within the same Web application, and the user is redirected to it after logging out. The logout-exit page is simply specified as a parameter in the form-logout page. If no logout-exit page is specified, a default logout HTML message is returned to the user.

Here is a sample form logout HTML form. This form configures the logout-exit page to redirect the user back to the login page after logout.

<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.0 Transitional//EN">
<html>
<head>
<META HTTP-EQUIV="Pragma" CONTENT="no-cache">
<title>Logout Page</title>
</head>
<body>
<h2>Sample Form Logout</h2>
<FORM METHOD=POST ACTION="ibm_security_logout" NAME="logout">
<p>
<BR>
<BR>
<font size="2">  <strong>Click this button to logout: </strong></font>
<input type="submit" name="logout" value="Logout">
<INPUT TYPE="HIDDEN" name="logoutExitPage" VALUE="/login.html">
</p>
</form>
</body>
</html>
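The requirements for the form-login page (field names j_username and j_password, post action j_security_check) and for the form-logout page (post action ibm_security_logout, optional logoutExitPage parameter) can be checked before a WAR is packaged. The following is an added example, not part of this InfoCenter article and not WebSphere code: a checker built on the Python standard-library HTML parser. The sample pages are constructed, trimmed versions of the two forms shown above; the rule that logoutExitPage must be an absolute, non-protocol-relative path is this checker's own reading of "within the same Web application" and is an assumption of the example.

```python
# Added example (not WebSphere's code): verify form-login and form-logout pages
# against the naming requirements stated in the text.
from html.parser import HTMLParser


class FormScanner(HTMLParser):
    """Collect every <form> with its method, action and the <input> elements inside it."""

    def __init__(self):
        super().__init__()
        self.forms = []
        self._current = None

    def handle_starttag(self, tag, attrs):
        a = dict(attrs)  # HTMLParser lower-cases tag and attribute names, not values
        if tag == "form":
            self._current = {"method": (a.get("method") or "GET").upper(),
                             "action": a.get("action") or "", "inputs": {}}
            self.forms.append(self._current)
        elif tag == "input" and self._current is not None:
            self._current["inputs"][a.get("name")] = {
                "type": (a.get("type") or "text").lower(), "value": a.get("value")}

    def handle_endtag(self, tag):
        if tag == "form":
            self._current = None


def scan(html):
    p = FormScanner()
    p.feed(html)
    p.close()
    return p.forms


def check_login_form(html):
    """Return the requirement violations of a form-login page (empty list means it is valid)."""
    forms = [f for f in scan(html) if f["action"].endswith("j_security_check")]
    if not forms:
        return ["no form posts to j_security_check"]
    f, problems = forms[0], []
    if f["method"] != "POST":
        problems.append("form method must be POST")
    if "j_username" not in f["inputs"]:
        problems.append("missing text field named j_username")
    if "j_password" not in f["inputs"]:
        problems.append("missing field named j_password")
    elif f["inputs"]["j_password"]["type"] != "password":
        problems.append("j_password should be type=password so it is not echoed")
    return problems


def check_logout_form(html):
    """Return the requirement violations of a form-logout page (empty list means it is valid)."""
    forms = [f for f in scan(html) if f["action"].endswith("ibm_security_logout")]
    if not forms:
        return ["no form posts to ibm_security_logout"]
    f, problems = forms[0], []
    if f["method"] != "POST":
        problems.append("form method must be POST")
    exit_page = f["inputs"].get("logoutExitPage")
    value = (exit_page or {}).get("value") or ""
    # Assumption of this example: the exit page must be an absolute path that is not
    # protocol-relative, so the post-logout redirect stays inside this Web application.
    if exit_page is not None and (not value.startswith("/") or value.startswith("//")):
        problems.append("logoutExitPage should be a path inside this Web application")
    return problems


# Constructed sample pages (trimmed versions of the two forms shown on this page).
LOGIN_PAGE = """<html><body>
<FORM METHOD=POST ACTION="j_security_check">
User ID <input type="text" size="20" name="j_username">
Password <input type="password" size="20" name="j_password">
<input type="submit" name="login" value="Login">
</form></body></html>"""

LOGOUT_PAGE = """<html><body>
<FORM METHOD=POST ACTION="ibm_security_logout" NAME="logout">
<input type="submit" name="logout" value="Logout">
<INPUT TYPE="HIDDEN" name="logoutExitPage" VALUE="/login.html">
</form></body></html>"""

# A constructed page whose user-ID field is misnamed; the container would not recognise it.
BAD_LOGIN_PAGE = LOGIN_PAGE.replace('name="j_username"', 'name="username"')

if __name__ == "__main__":
    for name, problems in [("login", check_login_form(LOGIN_PAGE)),
                           ("logout", check_logout_form(LOGOUT_PAGE)),
                           ("bad login", check_login_form(BAD_LOGIN_PAGE))]:
        print(name, "->", problems or "OK")
```

Because the special actions are matched by the Web container rather than by application code, a misnamed field or action fails silently at runtime (the login simply never succeeds), which is why a build-time check of this kind is worth having.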