Java Web Application Security – Part Two, Form Based Authentication

In Part One of this series on Java Security, we made our “add-new-book.jsp” page accessible only to those logged in as administrators. At present, we’re using so-called “BASIC Authentication” which in essence is asking the browser to handle the login challenge.

This is acceptable in some applications, but in general it is rather weak. The login box presented by the browser is very basic. Let’s look at how it looks on Firefox first.

Basic but functional. Particularly cute is the challenge: “The site says ‘Please log in'”. Recall that ‘Please log in’ was the string we used in the <realm-name>. Yet Google Chrome presents our <realm-name> differently:

Ugly. BASIC Authentication is ok for quick and dirty apps, but we can do better. We’ll now upgrade to “Form Based Authentication”. To do this, we provide a JSP page with a username/password box.

Step 1: Write the Login Form

I won’t bother writing a pretty form – I’ll leave it to you to make it look gorgeous.

File: login.jsp

&lt;h1&gt;Please Login&lt;/h1&gt;

&lt;form method=&quot;post&quot; action=&quot;j_security_check&quot;&gt;
 &lt;p&gt;&lt;label&gt;Username:&lt;/label&gt; &lt;input type=&quot;text&quot; name=&quot;j_username&quot;/&gt;&lt;/p&gt;
 &lt;p&gt;&lt;label&gt;Password:&lt;/label&gt; &lt;input type=&quot;password&quot; name=&quot;j_password&quot;/&gt;&lt;/p&gt;
 
 &lt;input type=&quot;submit&quot; value=&quot;Login&quot;/&gt;
&lt;/form&gt;

Note firstly the name of the action – j_security_check. I haven’t made this name up – it’s a part of the Java Web standard, and is a predefined servlet. It is responsible for performing the authentication check.

Also part of the standard are the two parameters that the security check servlet demands – j_username and j_password.

Now the form is built, we need one further JSP (or HTML) page. If the user fails to login correctly, we need to tell them they have failed, so we need a “failed login” page.

File: failed-login.jsp

&lt;h1&gt;Sorry, please try again&lt;/h1&gt;

Again, I’ll leave it to you to make this page look good!

Step 2: Configure

We now need to upgrade our web.xml to point to our form and failure page. As always, the XML is a bit verbose but routine…

File: web.xml

&lt;login-config&gt;
   &lt;auth-method&gt;FORM&lt;/auth-method&gt;
   &lt;form-login-config&gt;
      &lt;form-login-page&gt;/login.jsp&lt;/form-login-page&gt;
      &lt;form-error-page&gt;/failed-login.jsp&lt;/form-error-page&gt;
   &lt;/form-login-config&gt;
&lt;/login-config&gt;

Don’t forget to remove your existing <login-config> with the BASIC <auth-method>.

Step 3: Test

The most important thing to remember is that we don’t need to navigate to the login page directly. As before, we try to navigate to the “add-new-book.jsp” page, and the server now knows that before access is allowed, the login.jsp page must be presented first.

So let’s deploy and see what happens – the screenshot shows what happens when we navigate to “add-new-book.jsp”.

Notice that the URL in the browser bar is the name of the target page, even though it is actually login.jsp that has been presented.

And after we type invalid credentials into the form…

So, thanks to the predefined j_security_check servlet, you can get a reasonable security system up and running in a Java Web Application without writing a single line of code. Remember that this is all part of the standard and will work on any server you choose to use.

At the moment, our usernames and passwords are hardcoded into a file on Tomcat. This is fine for development but we need better for production.

There are actually many different ways you can authenticate users – using single sign on, Facebook Authentication, OpenID and so on, but the most common approach at first would be to provide a database table of usernames and passwords.

I could talk in detail about how to do this, but it is specific to your application server and it is fairly well documented by most servers.

If you are using Tomcat, then the documentation for setting up your table is available here

Don’t be put off by the term “Realm”. A Realm is just a “strategy for authenticating users”.

2 thoughts on “Java Web Application Security – Part Two, Form Based Authentication”

  1. Container org.glassfish.webservices.JAXWSContainer@14fee7 doesn't support class com.sun.xml.ws.api.server.Module

    I gate this error message when am try to test simple SAOP webservice, I am using glassfish4 , i am using the code you put on the course site

  2. Hi, we've stopped supporting Glassfish now due to exactly these kinds of problems. Our courses now all use either straight Tomcat (preferred) or if using EJB, we're using WildFly.

    There's a StackOverflow post referencing this here: https://stackoverflow.com/questions/24135633/javaee-web-service-deployed-successfully-but-tester-is-not-working.

    I notice from the screenshots in the post above that this is just a warning?

    I'm afraid that's the best I can offer here, it was a very good day for me when I left Glassfish behind.

Leave a Reply to Richard Chesterwood Cancel reply

Your email address will not be published. Required fields are marked *