When the deployment container gets a request for a resource that is protected by the web-tier declarative security-constraint, it must evaluate the credentials of the user against the agent realm to ensure that only authorized requests go through. In order to process such a request, the deployment container requires the user to sign on using the specified form login page as mentioned in the form-login-config element of the web.xml descriptor. Based on the specification of the FORM authentication mechanism, the user must submit a valid user name as j_username and a valid password as j_password to the special URI j_security_check using the HTTP POST method of form submission.
By default, the content that the agent sends to the client browser on intercepting a request for the form login page is read from the file called FormLoginContent.txt located in the locale directory of the agent installation. This file contains the following HTML code:
<html> <head> <title>Security Check</title> </head> <body onLoad="document.security_check_form.submit()"> <form name="security_check_form" action="j_security_check" method="POST"> <input type="hidden" value="am.filter.j_username" name="j_username"> <input type="hidden" value="am.filter.j_password" name="j_password"> </form> </body> </html>
Before the agent streams out the contents of this file, it replaces all occurrences of the string am.filter.j_username by the appropriate user name. Similarly, all occurrences of the string am.filter.j_password are replaced by a temporary encrypted string that acts as a one-time password for the user.