
How to setup form based security in web.xml for tomcat

On the previous page we configured BASIC authentication; it is easy to set up but cannot be customised. FORM based security is more flexible because we provide the login page and the login failure page ourselves. To continue we need to add two more files to the web application, which we will call login.jsp and login-fail.jsp.

+ login
| + login.jsp
| + login-fail.jsp

Form based security is configured with a login page and a page to display when the login has failed. Both pages should contain a form that posts to the action j_security_check, with fields named j_username and j_password for the user name and password. To be clear: when Tomcat receives a request for a secured page it instead returns our login page. Here the user enters their details and submits the form (to the special URL above); if authentication succeeds they are redirected to the originally requested URL, otherwise the failure page is shown.

Code for login.jsp

<%@ page contentType="text/html;charset=UTF-8" language="java" %>
<html>
<head><title>Login</title></head>
<body>
<h1>Please login</h1>
<form action="j_security_check" method="post" name="loginForm">
<table>
<tr>
<td>Name:</td>
<td><input type="text" name="j_username" size="20"/> </td>
</tr>
<tr>
<td>Password:</td>
<td><input type="password" name="j_password" size="20"/></td>
</tr>
<tr>
<td colspan="2">
<input type="submit" value="Login"/>
</td>
</tr>
</table>
</form>
</body>
</html>

Code for login-fail.jsp

<%@ page contentType="text/html;charset=UTF-8" language="java" %>
<html>
<head><title>Login</title></head>
<body>
<h1>Login failed!</h1>
<p style="color:red;">
Your login attempt was not accepted by the server,
please check your username and password.
</p>
<form action="j_security_check" method="post" name="loginForm">
<table>
<tr>
<td>Name:</td>
<td><input type="text" name="j_username" size="20"/> </td>
</tr>
<tr>
<td>Password:</td>
<td><input type="password" name="j_password" size="20"/></td>
</tr>
<tr>
<td colspan="2">
<input type="submit" value="Login"/>
</td>
</tr>
</table>
</form>
</body>
</html>

We have not yet modified web.xml, so the next step is to change it to use FORM based authentication. To do this we change the login-config section as follows:

<?xml version="1.0" encoding="UTF-8"?>
<web-app xmlns="http://java.sun.com/xml/ns/javaee"
xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
xsi:schemaLocation="http://java.sun.com/xml/ns/javaee
http://java.sun.com/xml/ns/javaee/web-app_2_5.xsd"
version="2.5">

<security-role>
<role-name>manager</role-name>
</security-role>

<security-constraint>
<web-resource-collection>
<web-resource-name>management pages</web-resource-name>
<url-pattern>/secure/*</url-pattern>
<url-pattern>/mixed/secure3.jsp</url-pattern>
</web-resource-collection>
<auth-constraint>
<role-name>manager</role-name>
</auth-constraint>
</security-constraint>

<login-config>
<auth-method>FORM</auth-method>
<form-login-config>
<form-login-page>/login/login.jsp</form-login-page>
<form-error-page>/login/login-fail.jsp</form-error-page>
</form-login-config>
</login-config>
</web-app>
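As an added example (not code from the original post), the script below audits a web.xml for the FORM login setup described above: it reports the auth method, the login and failure pages, every protected url-pattern with its required roles, and warns when a constraint has no CONFIDENTIAL transport-guarantee, since j_username and j_password are posted as ordinary form parameters. It runs against a constructed copy of this post's descriptor embedded in the script; the element names are the standard Servlet 2.5 ones.

```python
import xml.etree.ElementTree as ET
NS = {"j": "http://java.sun.com/xml/ns/javaee"}

# Constructed sample: the FORM-based descriptor from this post (security-role omitted).
SAMPLE_WEB_XML = """<?xml version="1.0" encoding="UTF-8"?>
<web-app xmlns="http://java.sun.com/xml/ns/javaee" version="2.5">
  <security-constraint>
    <web-resource-collection>
      <web-resource-name>management pages</web-resource-name>
      <url-pattern>/secure/*</url-pattern>
      <url-pattern>/mixed/secure3.jsp</url-pattern>
    </web-resource-collection>
    <auth-constraint><role-name>manager</role-name></auth-constraint>
  </security-constraint>
  <login-config>
    <auth-method>FORM</auth-method>
    <form-login-config>
      <form-login-page>/login/login.jsp</form-login-page>
      <form-error-page>/login/login-fail.jsp</form-error-page>
    </form-login-config>
  </login-config>
</web-app>"""

def text_of(parent, path):
    # First matching child's text (stripped), or None when the element is absent.
    node = parent.find(path, NS)
    return node.text.strip() if node is not None and node.text else None

def audit_web_xml(xml_text):
    # Summarise login-config and each security-constraint, flagging weak or missing settings.
    root = ET.fromstring(xml_text)
    form = "j:login-config/j:form-login-config/"
    report = {
        "auth_method": text_of(root, "j:login-config/j:auth-method"),
        "login_page": text_of(root, form + "j:form-login-page"),
        "error_page": text_of(root, form + "j:form-error-page"),
        "constraints": [],
        "warnings": [],
    }
    if report["auth_method"] == "FORM" and not (report["login_page"] and report["error_page"]):
        report["warnings"].append("FORM auth needs both form-login-page and form-error-page")
    for sc in root.findall("j:security-constraint", NS):
        patterns = [p.text.strip() for p in sc.findall("j:web-resource-collection/j:url-pattern", NS)]
        roles = [r.text.strip() for r in sc.findall("j:auth-constraint/j:role-name", NS)]
        transport = text_of(sc, "j:user-data-constraint/j:transport-guarantee")
        report["constraints"].append({"patterns": patterns, "roles": roles, "transport": transport})
        if transport != "CONFIDENTIAL":
            report["warnings"].append(f"{patterns}: no CONFIDENTIAL transport-guarantee, plain HTTP allowed")
    return report
```

Adding a user-data-constraint with transport-guarantee CONFIDENTIAL to the constraint above makes Tomcat redirect to HTTPS before it serves the login form, which clears the warning.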
