Example: Form login

This article provides several examples pertaining to form login.

For the authentication to proceed appropriately, the action of the login form must always have the j_security_check action. The following example shows how to code the form into the HTML page:
<form method="POST" action="j_security_check">
<input type="text" name="j_username">
<input type="text" name="j_password"> 
<\form>

Use the j_username input field to get the user name, and use the j_password input field to get the user password.

On receiving a request from a Web client, the Web server sends the configured form page to the client and preserves the original request. When the Web server receives the completed form page from the Web client, the server extracts the user name and password from the form and authenticates the user. On successful authentication, the Web server redirects the call to the original request. If authentication fails, the Web server redirects the call to the configured error page.

The following example depicts a login page in HTML (login.html):
<!DOCTYPE HTML PUBLIC "-//W3C/DTD HTML 4.0 Transitional//EN">
<html>
<META HTTP-EQUIV = "Pragma" CONTENT="no-cache">
<title> Security FVT Login Page </title>
<body>
<h2>Form Login</h2>
<FORM METHOD=POST ACTION="j_security_check">
<p>
<font size="2"> <strong> Enter user ID and password: </strong></font>
<BR>
<strong> User ID</strong> <input type="text" size="20" name="j_username">
<strong> Password </strong>  <input type="password" size="20" name="j_password">
<BR>
<BR>
<font size="2">  <strong> And then click this button: </strong></font>
<input type="submit" name="login" value="Login">
</p>

</form>
</body>
</html>
The following example depicts an error page in a JSP file:
<!DOCTYPE HTML PUBLIC "-//W3C/DTD HTML 4.0 Transitional//EN">
<html>
<head><title>A Form login authentication failure occurred</head></title>
<body>
<H1><B>A Form login authentication failure occurred</H1></B>
<P>Authentication might fail for one of many reasons. Some possibilities include:
<OL>
<LI>The user ID or password might have been entered incorrectly; either misspelled or the 
wrong case was used.
<LI>The user ID or password does not exist, has expired, or has been disabled.
</OL>
</P>
</body>
</html>
After an assembler configures the Web application to use form-based authentication, the deployment descriptor contains the login configuration as shown:
<login-config id="LoginConfig_1">
<auth-method>FORM<auth-method>
<realm-name>Example Form-Based Authentication Area</realm-name>
<form-login-config id="FormLoginConfig_1">
<form-login-page>/login.html</form-login-page>
<form-error-page>/error.jsp</form-error-page>
</form-login-config>
</login-config>
A sample Web application archive (WAR) file directory structure that shows login and error pages for the previous login configuration follows:
META-INF
     META-INF/MANIFEST.MF
     login.html
     error.jsp
     WEB-INF/
     WEB-INF/classes/
     WEB-INF/classes/aServlet.class

Form logout

Form logout is a mechanism to log out without having to close all Web-browser sessions. After logging out of the form logout mechanism, access to a protected Web resource requires re-authentication. This feature is not required by J2EE specifications, but it is provided as an additional feature in WebSphere Application Server security.

Suppose that you want to log out after logging into a Web application and perform some actions. A form logout works in the following manner:
  1. The logout-form URI is specified in the Web browser and loads the form.
  2. The user clicks Submit on the form to log out.
  3. The WebSphere Application Server security code logs the user out. During this process, the Application Server completes the following processes:
    1. Clears the Lightweight Third Party Authentication (LTPA) / single sign-on (SSO) cookies
    2. Invalidates the HTTP session
    3. Removes the user from the authentication cache
  4. Upon logout, the user is redirected to a logout exit page.

Form logout does not require any attributes in a deployment descriptor. The form-logout page is an HTML or a JavaServer Pages (JSP) file that is included with the Web application. The form-logout page is like most HTML forms except that like the form-login page, the form-logout page has a special post action. This post action is recognized by the Web container, which dispatches the post action to a special internal form-logout servlet. The post action in the form-logout page must be ibm_security_logout.

You can specify a logout-exit page in the logout form and the exit page can represent an HTML or a JSP file within the same Web application to which the user is redirected after logging out. Additionally, the logout-exit page permits a fully qualified URL in the form of http://hostname:port/URL. The logout-exit page is specified as a parameter in the form-logout page. If no logout-exit page is specified, a default logout HTML message is returned to the user.

Here is a sample form logout HTML form. This form configures the logout-exit page to redirect the user back to the login page after logout.
<!DOCTYPE HTML PUBliC "-//W3C/DTD HTML 4.0 Transitional//EN">
<html>
		<META HTTP-EQUIV = "Pragma" CONTENT="no-cache">
		<title>Logout Page </title>
		<body>
		<h2>Sample Form Logout</h2>
						<FORM METHOD=POST ACTION="ibm_security_logout" NAME="logout">
						<p>
						<BR>
						<BR>
						<font size="2"><strong> Click this button to log out: </strong></font>
						<input type="submit" name="logout" value="Logout">
						<INPUT TYPE="HIDDEN" name="logoutExitPage" VALUE="/login.html">
						</p>
						</form>
		</body>
</html>

Example

The WebSphere Application Server Samples Gallery provides a form login Sample that demonstrates how to use the WebSphere Application Server login facilities to implement and configure form login procedures. The Sample integrates the following technologies to demonstrate the WebSphere Application Server and Java 2 Platform, Enterprise Edition (J2EE) login functionality: The form login Sample is part of the Technology Samples package.



Related concepts
Accessing Samples
Related tasks
Customizing Web application login
Reference topic Reference topic    

Terms and conditions for information centers | Feedback

Last updatedLast updated: Aug 30, 2013 4:53:43 PM CDT
http://www14.software.ibm.com/webapp/wsbroker/redirect?version=pix&product=was-base-dist&topic=xsecformlogin
File name: xsec_formlogin.html