Form login

As anticipated in the preceding paragraph, we can declare a form login page directly in the web.xml descriptor file. When a login is required, the page then appears automatically in the browser. The configuration is very simple:

...
<servlet>
    <display-name>secure-form</display-name>
    <servlet-name>secure-form</servlet-name>
    <jsp-file>/view/secure-form.jsp</jsp-file>
</servlet>
<security-constraint>
    <web-resource-collection>
        <web-resource-name>SecurityConstraint</web-resource-name>
        <url-pattern>/*</url-pattern>
    </web-resource-collection>
    <auth-constraint>
        <role-name>g1</role-name>
    </auth-constraint>
</security-constraint>
<login-config>
    <auth-method>FORM</auth-method>
    <realm-name>file</realm-name>
    <form-login-config>
        <form-login-page>/view/loginform.jsp</form-login-page>
        <form-error-page>/view/loginerror.jsp</form-error-page>
    </form-login-config>
</login-config>
<security-role>
    <role-name>g1</role-name>
</security-role>
...

We only need to declare the form through the form-login-config tag. In the form-login-page tag, we declare the JSP page used to log in. In case of a login error, we can define a different JSP to show the error through the form-error-page tag. Here's an example of the login form in a JSP page:

<%@page contentType="text/html" pageEncoding="UTF-8"%>
<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN"
    "http://www.w3.org/TR/html4/loose.dtd">
<html>
    <head>
        <meta http-equiv="Content-Type" content="text/html; charset=UTF-8">
        <title>Form-Based Login Page</title>
    </head>
    <body>
        <h1>Form-Based Login Page</h1>
        <form method="POST" action="j_security_check">
            Username: <input type="text" name="j_username"><p />
            Password: <input type="password" name="j_password" autocomplete="off"><p />
            <input type="submit" value="Submit" name="submitButton">
            <input type="reset" value="Reset">
        </form>
    </body>
</html>

The important parts of this page are the form declaration through the HTML form tag, the form action set to the default value j_security_check, the text input named j_username, and the password input named j_password. These three values are managed by Undertow, which implements the Java Authentication and Authorization Service (JAAS) specifications.

JAAS specifies the directives for the login methods in Java. Through JAAS, this form knows which services to call when the user logs in.

The JAAS configuration can be seen in the WildFly default descriptor file, standalone.xml. Here's a piece:

<security-domain name="other" cache-type="default">
    <authentication>
        <login-module code="Remoting" flag="optional">
            <module-option name="password-stacking" value="useFirstPass"/>
        </login-module>
        <login-module code="RealmDirect" flag="required">
            <module-option name="password-stacking" value="useFirstPass"/>
        </login-module>
    </authentication>
</security-domain>

This configuration declares two login modules (Remoting and RealmDirect) that will be executed in sequence until the login is verified.
