Sun Java System Web Server 6.1 SP6 Programmer's Guide to Web Applications

Form-Based Login

The login screen's look and feel cannot be controlled with the HTTP browser's built-in mechanisms. J2SE introduces the ability to package a standard HTML or servlet/JSP based form for logging in. The login form is associated with a web protection domain (an HTTP realm) and is used to authenticate previously unauthenticated users.

Because passwords are sent in the clear (unless protected by the underlying transport), this authentication type is not very secure. Use of SSL or another equivalent transport encryption is recommended to protect the password during transmission.

For the authentication to proceed appropriately, the login form action must always be j_security_check.

The following is an HTML sample showing how to program the form in an HTML page:

<form method="POST" action="j_security_check">
        <input type="text" name="j_username">
         <input type="password" name="j_password">


You can specify the parameter encoding for the form. For details, see parameter-encoding.