Form Authentication
Form authentication is another commonly used authentication method in JAAS-backed Java web applications. The user is presented with a web page containing a form asking for a username and password. The form submits these values, in fields named j_username and j_password, via POST to a URL ending in "j_security_check", e.g. www.example.com/j_security_check. The credentials are checked on the server side and the resulting authenticated session is identified by a session ID returned to the client in a cookie (JSESSIONID). Because the exchange is plain HTTP, a Java HTTP client such as Apache HttpClient can be used in place of a web browser, e.g. in a desktop application or an integration test, as long as the following standard steps are followed. Note that the credentials travel unencrypted in the POST body, so the exchange must only ever run over HTTPS.
- Request a protected URL (i.e. one secured via a security-constraint element in web.xml, where the login-config element specifies an auth-method of "FORM").
- The server will respond with the configured login page (the form-login-page from web.xml), either served directly or reached via a 302 redirect, along with a cookie containing the session ID ("JSESSIONID=..."). That session is what ties the pending login to the URL originally requested.
- Send the username and password (as the form fields j_username and j_password) along with the cookie via an HTTP POST to the security check URL mentioned above.
- If authentication is successful, the server will send a 302 back to the original protected URL. This response may carry a new JSESSIONID cookie: containers commonly rotate the session ID on login to defeat session fixation, so the client must replace the cookie it stored in the previous step rather than keep the pre-login value. If authentication fails, the server serves the configured form-error-page instead of a redirect.
- Send a GET request to that URL, passing the current session ID cookie (preferably assert that the response contains what you would expect from that original URL, and in particular that it is not the login page again, which is what a silently failed or lost login looks like).
Additional assertions can be added to the above process.
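The procedure above carried through end to end, as an added example that is not code from the original page. Python's standard library stands in for the Java HTTP client mentioned in the text, and the server is a deliberately minimal stub of a container's FORM-authentication behaviour (the account, URLs, session table and cookie values are all constructed for the example) so that the exchange runs offline. It also exercises the two failure modes a hand-rolled client most often mishandles: a rejected login that does not produce a 302, and a session ID that the container rotates on successful login.

```python
"""Added example (not from the original page): a toy stand-in for a servlet container's
FORM-auth state machine plus a client that drives the login steps by hand."""
import http.client
import threading
from http.cookies import SimpleCookie
from http.server import BaseHTTPRequestHandler, ThreadingHTTPServer
from urllib.parse import parse_qs, urlencode

VALID_USERS = {"alice": "s3cret"}   # constructed sample account
SESSIONS = {}                       # session id -> {"user": name or None, "target": url}
_counter = [0]

def _new_session_id():
    _counter[0] += 1
    return "SID%04d" % _counter[0]

class ContainerStub(BaseHTTPRequestHandler):
    """Mimics container FORM authentication; it is not a real servlet container."""
    def _session(self):
        jar = SimpleCookie(self.headers.get("Cookie", ""))
        sid = jar["JSESSIONID"].value if "JSESSIONID" in jar else None
        return sid, SESSIONS.get(sid)

    def _reply(self, status, body=b"", headers=()):
        self.send_response(status)
        for name, value in headers:
            self.send_header(name, value)
        self.send_header("Content-Length", str(len(body)))
        self.end_headers()
        self.wfile.write(body)

    def do_GET(self):
        sid, sess = self._session()
        if not self.path.startswith("/secure/"):
            return self._reply(404)
        if sess and sess["user"]:
            return self._reply(200, ("hello " + sess["user"]).encode())
        # Unauthenticated: remember the target, open a session, serve the login form.
        sid = _new_session_id()
        SESSIONS[sid] = {"user": None, "target": self.path}
        self._reply(200, b"<form method='post' action='j_security_check'>...</form>",
                    [("Set-Cookie", "JSESSIONID=%s; Path=/; HttpOnly" % sid)])

    def do_POST(self):
        sid, sess = self._session()
        form = parse_qs(self.rfile.read(int(self.headers.get("Content-Length", 0))).decode())
        if self.path != "/j_security_check" or sess is None:
            return self._reply(400)
        user = form.get("j_username", [""])[0]
        if VALID_USERS.get(user) != form.get("j_password", [""])[0]:
            return self._reply(401, b"login failed")   # a real container serves form-error-page
        # Success: rotate the session id (session-fixation defence) and send the client back.
        new_sid = _new_session_id()
        SESSIONS[new_sid] = {"user": user, "target": sess["target"]}
        del SESSIONS[sid]
        self._reply(302, headers=[("Location", sess["target"]),
                                  ("Set-Cookie", "JSESSIONID=%s; Path=/; HttpOnly" % new_sid)])

def _sid_from(resp):
    jar = SimpleCookie(resp.getheader("Set-Cookie") or "")
    return jar["JSESSIONID"].value if "JSESSIONID" in jar else None

def form_login(host, port, target, username, password):
    """Client side: no cookie jar, no automatic redirects, every step explicit."""
    conn = http.client.HTTPConnection(host, port)
    conn.request("GET", target)                                 # 1. request the protected URL
    resp = conn.getresponse(); resp.read()
    first_sid = _sid_from(resp)
    if first_sid is None:
        raise RuntimeError("login page arrived without a JSESSIONID cookie")
    conn.request("POST", "/j_security_check",                   # 2. post the credentials
                 body=urlencode({"j_username": username, "j_password": password}),
                 headers={"Cookie": "JSESSIONID=" + first_sid,
                          "Content-Type": "application/x-www-form-urlencoded"})
    resp = conn.getresponse(); resp.read()
    if resp.status != 302:
        conn.close()
        return {"ok": False, "status": resp.status}
    sid = _sid_from(resp) or first_sid                          # 3. adopt a rotated cookie
    location = resp.getheader("Location")
    conn.request("GET", location, headers={"Cookie": "JSESSIONID=" + sid})   # 4. follow it
    resp = conn.getresponse()
    body = resp.read().decode()
    conn.close()
    return {"ok": resp.status == 200 and "<form" not in body, "status": resp.status,
            "location": location, "body": body, "session_rotated": sid != first_sid}

def run_demo():
    """Start the stub on a free port, try a wrong password, then the right one."""
    server = ThreadingHTTPServer(("127.0.0.1", 0), ContainerStub)
    threading.Thread(target=server.serve_forever, daemon=True).start()
    host, port = server.server_address
    try:
        bad = form_login(host, port, "/secure/report", "alice", "wrong")
        good = form_login(host, port, "/secure/report", "alice", "s3cret")
    finally:
        server.shutdown()
        server.server_close()
    return {"bad": bad, "good": good}
```

Calling run_demo() performs both logins against the stub and returns what each step observed. The same four steps apply unchanged with a Java client; the one non-obvious point is step 3: re-read Set-Cookie from the login response, because when the container rotates the session ID on authentication, a client that keeps sending the pre-login JSESSIONID is served the login page again at step 4 even though the credentials were accepted, which is why the final assertion checks for the expected content rather than only for a 200.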