Sun Java System Web Server 7.0 Update 2 Developer's Guide to Java Web Applications

Programmatic Login

Programmatic login enables a deployed Java EE application to invoke a login method. If the login is successful, a SecurityContext is established as if the client had authenticated using any of the conventional Java EE mechanisms.

Programmatic login is useful for application with unique needs that cannot be accommodated by any of the Java EE standard authentication mechanisms.

This section discusses the following topics:


The Web Server is not involved in how the login information (user name and password) is obtained by the deployed application. The application developer must ensure that the resulting system meets security requirements. If the application code reads the authentication information across the network, the application must to determine whether to trust the user.

Programmatic login enables the application developer to bypass the Web Server-supported authentication mechanisms and feed authentication data directly to the security service. While flexible, this capability should not be used without some understanding of security issues.

Because this mechanism bypasses the container-managed authentication process and sequence, the application developer must be very careful in making sure that authentication is established before accessing any restricted resources or methods. The application developer must also verify the status of the login attempt and to alter the behavior of the application accordingly.

The programmatic login state does not necessarily persist in sessions or participate in single sign-on.

Lazy authentication is not supported for programmatic login. If an access check is reached and the deployed application has not properly authenticated using the programmatic login method, access is denied immediately and the application might fail if not properly coded to account for this occurrence.

Granting Programmatic Login Permission

The ProgrammaticLoginPermission permission is required to invoke the programmatic login mechanism for an application. This permission is not granted by default to deployed applications because it is not a standard Java EE mechanism.

To grant the required permission to the application, add the following code to the instance_dir/config/server.policy file:

grant codeBase "file:jar_file_path" {

The jar_file_path is the path to the application's JAR file.

Note –

If the Security Manager is disabled, it is not mandatory to grant permission.

For more information about the server.policy file, see The server.policy File.

ProgrammaticLogin Class

The class enables a user to log in programmatically.

The login method for servlets or JSPs has the following signature:

public Boolean login(String user, String password, 
javax.servlet.http.HttpServletRequest request, 
javax.servlet.http.HttpServletResponse response)

This method performs the authentication. It returns true if the login succeeded, false if the login failed.