Java Authentication and Authorization Service - Form Authentication

Form Authentication

Form authentication is another commonly used part of JAAS. In this process the user is typically presented with a web page containing a form asking for a username and password. This data is then submitted via POST to a URL containing the text "j_security_check", e.g. www.example.com/j_security_check . The credentials are checked on the server side and a session ID is returned to the client via a cookie. This authentication method is flexible in that a Java HTTP client such as Apache HttpClient can be used in place of a web browser, e.g. in a desktop application, as long as the following standard steps are followed:

  • Request a protected URL (i.e. one secured via a security-constraint element in web.xml, where the login-config element has specified an authentication method of "FORM").
  • The server will return a redirect (302) to the security check URL mentioned above along with a cookie containing the session ID ("JSESSIONID=...").
  • Send the username and password (encoded as form fields) along with the cookie via an HTTP POST to the security check URL.
  • If authentication is successful, the server will send a 302 back to the original protected URL.
  • Send a GET request to that URL, passing the session ID cookie (preferably assert that the response contains what you would expect from that original URL).

Additional assertions can be added to the above process.
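The five steps above as an offline model of the exchange, with both the container side and the client side in one script. This is an added example, not code from the original page or from any particular servlet container; it assumes the Servlet-spec form field names j_username/j_password, a constructed login page /login.html and protected URL /app/secret, and that the container issues a fresh JSESSIONID on successful login rather than upgrading the pre-authentication one (the usual session-fixation defence, which is why step 5 must use whatever cookie the step 4 response sets).

```python
import secrets

PROTECTED = "/app/secret"          # constructed URL behind a security-constraint
LOGIN_PAGE = "/login.html"         # constructed form-login-page from web.xml
CHECK = "/j_security_check"
USERS = {"alice": "s3cret"}        # constructed test account
sessions = {}                      # JSESSIONID -> {"user": str | None, "target": str}


def server(method, path, cookie=None, form=None):
    """Minimal model of the container's FORM-auth behaviour: (status, headers, body)."""
    form = form or {}
    sess = sessions.get(cookie)
    if path == PROTECTED:
        if sess and sess["user"]:
            return 200, {}, f"welcome {sess['user']}"
        # unauthenticated: mint a session, remember the target, send the client to the form
        sid = secrets.token_hex(16)
        sessions[sid] = {"user": None, "target": path}
        return 302, {"Location": LOGIN_PAGE, "Set-Cookie": f"JSESSIONID={sid}"}, ""
    if path == CHECK and method == "POST":
        if not sess:  # no pending session, so no original URL to resume
            return 400, {}, "no session"
        if USERS.get(form.get("j_username")) != form.get("j_password"):
            return 302, {"Location": "/error.html"}, ""
        # success: bind the user to a fresh ID so the pre-auth ID is never upgraded (assumed container behaviour)
        new_sid = secrets.token_hex(16)
        sessions[new_sid] = {"user": form["j_username"], "target": None}
        del sessions[cookie]
        return 302, {"Location": sess["target"], "Set-Cookie": f"JSESSIONID={new_sid}"}, ""
    return 404, {}, ""


def client_login(username, password):
    """Follow the five steps above; returns (final_status, body, session_id_rotated)."""
    status, hdrs, _ = server("GET", PROTECTED)                      # 1: request protected URL
    if status != 302:                                               # 2: expect redirect + cookie
        return status, "", False
    sid = hdrs["Set-Cookie"].split("=", 1)[1]
    status, hdrs, _ = server("POST", CHECK, cookie=sid,             # 3: POST credentials + cookie
                             form={"j_username": username, "j_password": password})
    if status != 302 or hdrs.get("Location") != PROTECTED:          # 4: expect 302 to original URL
        return status, "", False
    new_sid = hdrs.get("Set-Cookie", f"JSESSIONID={sid}").split("=", 1)[1]
    status, _, body = server("GET", PROTECTED, cookie=new_sid)      # 5: GET with the session cookie
    return status, body, new_sid != sid
```

A client that keeps sending the step 2 cookie after login will be bounced back to the form by this model, which is the behaviour to assert on when checking that a container rotates the session ID.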
