Monday, October 15, 2007

Form-based Authentication in WAS

Form-based login

One of the login challenges defined in the J2EE Specification is form-based login. It lets the application developer customize the login process and present an application-specific form by using the FORM login authentication method.

Form login works in the following manner:

1. An unauthenticated user requests a resource protected by the Form Login authentication type.
2. The application server redirects the request to the Login Form defined previously in the Web deployment descriptor.
3. On the HTML login form, the user enters the user ID and password and submits the form.
4. The action triggered by the form submission runs a special WebSphere Application Server servlet, j_security_check. After receiving a request for the j_security_check servlet, the Web container dispatches the request to another WebSphere servlet that authenticates the user.
5. If the servlet authenticates the user successfully, the originally requested resource is displayed.

Form login configuration using WebSphere Studio

1. Open the web.xml file under the Web project. A Web Deployment Descriptor should be opened in a deployment descriptor editor window.
2. Select the Pages tab, then modify the Login section.
3. Type in the realm name, for example: SecureRealm.
4. Click the drop-down list and select FORM as the Authentication method.
5. In the Login page, click Browse and select your login page from the project, for example: /login/login.html.
6. In the Error page, click Browse and select your login page from the project, for example: /login/loginerror.html (we have used the same page for login and error, but you can define a custom error.jsp page that will present actual error code and error messages).
7. Save and close the Web deployment descriptor file.

Setting the Authentication Method for the application Web module creates a <login-config> section in the Web deployment descriptor XML file, as shown in the following example.

<login-config>
  <auth-method>FORM</auth-method>
  <realm-name>SecureRealm</realm-name>
  <form-login-config>
    <form-login-page>/login/login.html</form-login-page>
    <form-error-page>/login/loginerror.html</form-error-page>
  </form-login-config>
</login-config>

Simple form-based login does not require any extra code development on the server side. The j_security_check servlet used by WebSphere Application Server dictates only the names of the input fields that the developer must put in the custom Login Form. These fields are as follows:

* j_username should be the input field in which a user will type the user ID.
* j_password should be the input field into which the user will type the password.

The form must use the HTTP POST method with j_security_check as its action. Simple HTML for the custom Login Form is given in the following example:

<!-- ............... -->
<form method="post" action="/itsobank/j_security_check">
  <table width="80%">
    <tr>
      <td width="20%" align="right">Userid:</td>
      <td><input size="20" type="text" name="j_username" maxlength="25"></td>
    </tr>
    <tr>
      <td align="right">Password:</td>
      <td><input size="20" type="password" name="j_password" maxlength="25"></td>
    </tr>
    <tr>
      <td></td>
      <td><input type="submit" name="action" value="Login"> <input type="reset" name="reset" value="Clear"></td>
    </tr>
  </table>
</form>
<!-- ............... -->

Form-based logout

One of IBM's extensions to the J2EE Specification is form-based logout. After logging out, the user must re-authenticate to access protected resources again. The logout form can be placed on any page and submits a POST to the ibm_security_logout servlet. The form must be in the same Web application as the page to which the user is redirected after logging out.

<form method="post" action="ibm_security_logout" name="logout">
  <input type="submit" name="logout" value="Logout">
  <input type="hidden" name="logoutExitPage" value="/login/login.html">
</form>
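As an added example (not from the original post, and not IBM's or WebSphere's code), here is a small Python lint that checks the two artifacts described above against the j_security_check contract: the <login-config> in web.xml (FORM auth method, context-relative login and error pages) and the custom login form (POSTs to j_security_check, has a j_username input and a j_password input of type "password"). The sample web.xml and HTML are constructed to mirror the post's examples; each check function returns a list of problems, empty when the artifact is correct.

```python
import xml.etree.ElementTree as ET
from html.parser import HTMLParser
# Constructed samples modelled on the post's <login-config> and login form.
WEB_XML = """<web-app><login-config><auth-method>FORM</auth-method>
  <form-login-config><form-login-page>/login/login.html</form-login-page>
  <form-error-page>/login/loginerror.html</form-error-page></form-login-config>
</login-config></web-app>"""
LOGIN_HTML = """<form method="post" action="/itsobank/j_security_check">
  <input type="text" name="j_username" maxlength="25">
  <input type="password" name="j_password" maxlength="25">
  <input type="submit" name="action" value="Login"></form>"""

def check_login_config(web_xml):
    cfg = ET.fromstring(web_xml).find("login-config")
    if cfg is None:
        return ["no <login-config> element"]
    problems = []
    if (cfg.findtext("auth-method") or "").strip() != "FORM":
        problems.append("auth-method is not FORM")
    for tag in ("form-login-page", "form-error-page"):
        if not (cfg.findtext(f"form-login-config/{tag}") or "").startswith("/"):
            problems.append(f"{tag} missing or not a context-relative path")
    return problems

class _FormScanner(HTMLParser):
    # Records each <form>'s (method, action) and the type of every named <input>.
    def __init__(self):
        super().__init__()
        self.forms, self.inputs = [], {}
    def handle_starttag(self, tag, attrs):
        a = dict(attrs)
        if tag == "form":
            self.forms.append(((a.get("method") or "get").lower(), a.get("action") or ""))
        elif tag == "input" and a.get("name"):
            self.inputs[a["name"]] = (a.get("type") or "text").lower()

def check_login_form(html):
    scanner = _FormScanner()
    scanner.feed(html)
    methods = [m for m, action in scanner.forms if action.endswith("j_security_check")]
    if not methods:
        return ["no <form> posting to j_security_check"]
    problems = []
    if any(m != "post" for m in methods):
        problems.append("login form must use method=post")  # GET exposes j_password in URLs and logs
    for name in ("j_username", "j_password"):
        if name not in scanner.inputs:
            problems.append(f"missing input named {name}")
    if scanner.inputs.get("j_password", "password") != "password":
        problems.append("j_password input must be type=password")
    return problems
```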

2 comments:

eniac said...

Hi. Now I have to modify the old system. This system is written using Oracle 9i JDeveloper, and the parameters (user name and password) are fixed in the web.xml. However, when I change the user name and password in web.xml, the original user name and password are restored when the embedded server runs. I would like to know how to change the user name and password, and I would like to create the login page separately without fixing them as parameters in web.xml. Thanks and Regards....eniac

Tom :L said...

How did you put the userid/password in the web.xml? Usually I would define the user datasource as a separate XML file like user-conf.xml, or a database, or an LDAP. When using the XML file, I would have to restart the server to make any change effective. So for any non-demo application, you would not choose the XML file. Hope it helps.