5.4.3: Form-based login

Applications can present site-specific login forms by making use of WebSphere's form-login type. The J2EE specification defines form login as one of the authentication methods for Web applications. However, the Servlet 2.2 specification does not define a mechanism for logging out. WebSphere extends J2EE by also providing a form-logout mechanism.

Form login

A form login works in the following manner:
Form login uses the servlet sendRedirect() method, which has several implications for the user. The sendRedirect() method is used twice during form login:
The sendRedirect(String URL) method tells the Web browser to use an HTTP GET (not an HTTP POST) request to get the page specified in the URL. If an HTTP POST is the first request to a protected servlet or JavaServer Pages (JSP) file, and no previous authentication or login occurred, then the HTTP POST is not delivered to the requested page. An HTTP GET is delivered, however, because form login uses the sendRedirect() method, which behaves as an HTTP GET request that tries to display the requested page after a login occurs. Using HTTP POST, you might experience a scenario where an unprotected HTML form collects data from users and then posts this data to protected servlets or JSP files for processing, but the users are not logged in for the resource. To avoid this scenario, structure your Web application or permissions so that users are forced through the form login page before the application performs any HTTP POST actions to protected servlets or JSP files.

Configuring form login

Form login is one of the possible values for the <auth-method> element of the <login-config> element in the Web application deployment descriptor:

    <login-config>
      <auth-method>FORM</auth-method>
      <realm-name>Example Form-Based Authentication</realm-name>
      <form-login-config>
        <form-login-page>/login.html</form-login-page>
        <form-error-page>/error.jsp</form-error-page>
      </form-login-config>
    </login-config>

The form-login page

The form-login page is usually an HTML form with text-entry fields for a user ID and password. The HTML file is included in the Web application archive (WAR) file. However, there are several key requirements:
The j_security_check post action is a special action recognized by the Web container; it dispatches the action to a special WebSphere servlet that authenticates the user. Here is an example of a form-login HTML page:

    <!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.0 Transitional//EN">
    <html>
    <head>
    <META HTTP-EQUIV="Pragma" CONTENT="no-cache">
    <title>Form Login Page</title>
    </head>
    <body>
    <h2>Sample Form Login</h2>
    <FORM METHOD=POST ACTION="j_security_check">
    <p>
    <font size="2"><strong>Please enter user ID and password:</strong></font>
    <BR>
    <strong>User ID</strong> <input type="text" size="20" name="j_username">
    <strong>Password</strong> <input type="password" size="20" name="j_password">
    <BR><BR>
    <font size="2"><strong>And then click this button:</strong></font>
    <input type="submit" name="login" value="Login">
    </p>
    </form>
    </body>
    </html>

Form logout

Form logout is a mechanism to log out without having to close all Web-browser sessions. After logging out with form logout, access to a protected Web resource requires reauthentication. Suppose that it is desirable to log out after logging into a Web application and performing some actions. A form logout works in the following manner:
Configuring form logout

Form logout does not require any attributes in any deployment descriptor. It is simply an HTML or JSP file that is included with the Web application.

The form-logout page

The form-logout page is like most HTML forms except that, like the form-login page, it has a special post action that is recognized by the Web container, which dispatches it to a special internal WebSphere form-logout servlet. The post action in the form-logout page must be ibm_security_logout. A logout-exit page can be specified in the logout form; the exit page can be an HTML or JSP file within the same Web application, and the user is redirected to it after logging out. The logout-exit page is simply specified as a parameter in the form-logout page. If no logout-exit page is specified, a default logout HTML message is returned to the user. Here is a sample form-logout HTML form. This form configures the logout-exit page to redirect the user back to the login page after logout.

    <!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.0 Transitional//EN">
    <html>
    <head>
    <META HTTP-EQUIV="Pragma" CONTENT="no-cache">
    <title>Logout Page</title>
    </head>
    <body>
    <h2>Sample Form Logout</h2>
    <FORM METHOD=POST ACTION="ibm_security_logout" NAME="logout">
    <p>
    <BR><BR>
    <font size="2"><strong>Click this button to logout:</strong></font>
    <input type="submit" name="logout" value="Logout">
    <INPUT TYPE="HIDDEN" name="logoutExitPage" VALUE="/login.html">
    </p>
    </form>
    </body>
    </html>
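The arrangement recommended under "Form login" above, forcing users through the login page before any HTTP POST reaches a protected servlet, as an added deployment-descriptor example that is not from the original page. It assumes a hypothetical order-entry page /secure/entry.html that posts to a hypothetical servlet com.example.ProcessOrderServlet mapped at /secure/process, and a hypothetical role orderclerk; /login.html and /error.jsp are the pages from the login-config above.

```xml
<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE web-app PUBLIC "-//Sun Microsystems, Inc.//DTD Web Application 2.2//EN"
  "http://java.sun.com/j2ee/dtds/web-app_2_2.dtd">
<web-app>
  <!-- Hypothetical servlet that processes the posted form data -->
  <servlet>
    <servlet-name>ProcessOrder</servlet-name>
    <servlet-class>com.example.ProcessOrderServlet</servlet-class>
  </servlet>
  <servlet-mapping>
    <servlet-name>ProcessOrder</servlet-name>
    <url-pattern>/secure/process</url-pattern>
  </servlet-mapping>

  <!-- Protect the data-entry page AND the servlet it posts to, under one
       pattern. The user's first request to /secure/entry.html is a GET, so
       the container sends /login.html, authenticates, and sendRedirect()s
       back to the entry page. The later POST to /secure/process comes from
       an already-authenticated user and is delivered intact. /login.html and
       /error.jsp stay outside the constraint so they remain reachable. -->
  <security-constraint>
    <web-resource-collection>
      <web-resource-name>OrderEntry</web-resource-name>
      <url-pattern>/secure/*</url-pattern>
      <http-method>GET</http-method>
      <http-method>POST</http-method>
    </web-resource-collection>
    <auth-constraint>
      <role-name>orderclerk</role-name>
    </auth-constraint>
  </security-constraint>

  <!-- Form login, as configured in the section above -->
  <login-config>
    <auth-method>FORM</auth-method>
    <realm-name>Example Form-Based Authentication</realm-name>
    <form-login-config>
      <form-login-page>/login.html</form-login-page>
      <form-error-page>/error.jsp</form-error-page>
    </form-login-config>
  </login-config>

  <security-role>
    <role-name>orderclerk</role-name>
  </security-role>
</web-app>
```

An unprotected entry page outside /secure/ would still collect the data and lose it at the first POST, so the entry form itself must sit under the protected pattern.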