A Web client (browser) can authenticate a user to a Web server by using one of these mechanisms:
HTTP basic authentication
A Web server requests the Web client to authenticate, and the Web client passes the user and password information in the HTTP header.
HTTPS client authentication
This mechanism requires a user (Web client) to possess a public key certificate. The Web client sends this certificate to a Web server that requests a client certificate. This is a strong authentication mechanism that uses the HTTPS protocol.
Form-based authentication
With this authentication mechanism, you can control the look and feel of the login screens.
HTTP Basic authentication transmits the user password from the Web client to the Web server in simple Base64 encoding, which is reversible and provides no confidentiality. Form-based authentication transmits the user password from the browser to the Web server in plain text. Therefore, neither HTTP Basic authentication nor form-based authentication is secure unless HTTPS is used.
The Web application deployment descriptor contains information about what authentication mechanism to use. When form-based authentication is used, the deployment descriptor also contains entries for the login and error pages. A login page can be either an HTML page or a JSP page. This login page is displayed on the Web client when a secured resource (such as a servlet, JSP, or HTML page) is accessed from the application. If the authentication fails, the error page is displayed. You can write your own login and error pages to fit the needs of your application. During assembly of the application, an assembler can set the authentication mechanism for the application and set the login and error pages in the deployment descriptor.
Form login uses the servlet sendRedirect() method, which has several implications for the user. The sendRedirect() method is used twice during form login:
The sendRedirect() method initially displays the form login page in the Web browser. It later redirects the Web browser back to the originally requested protected page. The sendRedirect(String URL) method tells the Web browser to use an HTTP GET (not an HTTP POST) request to get the page specified in the URL. If HTTP POST is the first request to a protected servlet or JSP file, and no previous authentication or login occurred, then the HTTP POST is not delivered to the requested page. However, an HTTP GET is delivered because form login uses the sendRedirect() method, which behaves as an HTTP GET request that tries to display the requested page after a login occurs.
With HTTP POST, you may encounter a scenario where an unprotected HTML form collects data from users and then posts this data to protected servlets or JSP files for processing, but the users are not yet logged in for that resource, so the posted data is lost. To avoid this scenario, structure your Web application or permissions so that users are forced through the form login page before the application performs any HTTP POST actions to protected servlets or JSP files.
For more information and code examples, see Example: Form login.
Create a form login page and the components to perform the form-based authentication.
Create an error page. The error page can be programmed to retry authentication or to display an appropriate error message.
(Optional) Create a form logout page.
Assemble the login, error, and logout pages in a WAR file. The pages should be placed relative to the root directory of the WAR file. For example, if the login page is configured as /login.html in the deployment descriptor, it is placed in the root directory of the WAR file.
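The descriptor entries that correspond to the steps above, together with a security constraint that forces login before the unprotected-form-then-POST scenario described earlier can occur, as an added example that is not from this page or from the product's own documentation. The file names, URL patterns, and role name are assumptions; j_security_check, j_username, and j_password are the names the Servlet specification defines for form login.

```xml
<!-- web.xml (added example, not from the original page) -->
<web-app xmlns="http://java.sun.com/xml/ns/javaee" version="3.0">
  <!-- Protect both the data-entry form and the servlet it posts to (names are
       assumptions), so the user is logged in before any POST is sent. No
       <http-method> is listed, so the constraint covers GET and POST alike;
       listing only GET would leave POST unprotected. -->
  <security-constraint>
    <web-resource-collection>
      <web-resource-name>Order processing</web-resource-name>
      <url-pattern>/orderForm.html</url-pattern>
      <url-pattern>/OrderServlet</url-pattern>
    </web-resource-collection>
    <auth-constraint>
      <role-name>customer</role-name>
    </auth-constraint>
    <!-- CONFIDENTIAL makes the container require HTTPS for these URLs, so the
         plain-text password and the session cookie are not sent unencrypted. -->
    <user-data-constraint>
      <transport-guarantee>CONFIDENTIAL</transport-guarantee>
    </user-data-constraint>
  </security-constraint>

  <!-- Form-based authentication with the login and error pages placed at the
       WAR root, as described in the assembly step. -->
  <login-config>
    <auth-method>FORM</auth-method>
    <form-login-config>
      <form-login-page>/login.html</form-login-page>
      <form-error-page>/loginError.html</form-error-page>
    </form-login-config>
  </login-config>

  <security-role>
    <role-name>customer</role-name>
  </security-role>
</web-app>

<!-- login.html at the WAR root: the container intercepts a POST to
     j_security_check and reads the j_username and j_password fields. -->
<form method="POST" action="j_security_check">
  <label>User ID <input type="text" name="j_username"></label>
  <label>Password <input type="password" name="j_password" autocomplete="off"></label>
  <input type="submit" value="Login">
</form>
```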