Sun Java System Web Server 7.0 Developer's Guide to Java Web Applications

User Authentication by Servlets

Web Server supports the web-based login mechanisms required by the Java EE 1.4 specification :

The login-config element in the web.xml deployment descriptor file describes the authentication method used, the application's realm name displayed by the HTTP basic authentication, and the form login mechanisms attributes.

The login-config element syntax is as follows:

<!ELEMENT login-config (auth-method?,realm-name?,form-login-config?)>

Note –

The auth-method subelement of login-config is optional. However, but if it is not included, the server defaults to HTTP Basic Authentication, which is not very secure.

For more information about web.xml elements, see the Java Servlet 2.4 specification at

For more information on sun-web.xml elements, see Chapter 9, Deploying Web Applications.

HTTP Basic Authentication

HTTP basic authentication (RFC 2617) is supported by Sun Java System Web Server 7.0. Because passwords are sent with base64 encoding, this authentication type is not very secure. Use SSL or another equivalent transport encryption to protect the password during transmission.

SSL Mutual Authentication

SSL 3.0 and the means to perform mutual client/server certificate-based authentication is a Java EE 1.4 specification requirement. This security mechanism provides user authentication using HTTPS (HTTP over SSL). For more information, see Creating a Configuration in Sun Java System Web Server 7.0 Administrator’s Guide.

Form-Based Login

The login screen's look and feel cannot be controlled with the HTTP browsers built-in mechanisms. Java EE can to package a standard HTML or servlet JSP based form for logging in. The login form is associated with a web protection domain and is used to authenticate previously unauthenticated users.

Because passwords are sent unless protected by the underlying transport, this authentication type is not very secure. Use of SSL or another equivalent transport encryption to protect the password during transmission.

For the authentication to proceed appropriately, the login form action must always be j_security_check. For more information, see Chapter 4, Developing Servlets.

The following HTML sample shows how to program the form in an HTML page:

<form method="POST" action="j_security_check">
        <input type="text" name="j_username">
         <input type="password" name="j_password">


You can specify the parameter encoding for the form. For details, see parameter-encoding Element.