25 May 2009

JSP/servlet authentication

You can define authentication in the web.xml deployment descriptor of a web application.

  1. Define roles
    How users are defined and mapped to roles is web container dependent.
  2. Define protected resources
    Take care:
    • Protection is only guaranteed for cookie-based sessions
    • Constraints do not apply to forward and include (they are checked only on requests coming from the client)
  3. Define authentication method
    For form-based login, the authentication form is expected to POST to the action j_security_check and to carry input fields named j_username and j_password.
    The other HTTP authentication methods are
    • BASIC: clear-text password (only base64 encoded)
    • DIGEST: hashed password (works in Firefox and IE 7+)
    • CLIENT-CERT: mutual SSL with client certificates