The web-based login mechanisms required by the J2SE 1.3 specification are supported by the Sun Java System Web Server. These mechanisms are discussed in this section:
The login-config element in the web.xml deployment descriptor file describes the authentication method used, the application's realm name displayed by the HTTP basic authentication, and the form login mechanism's attributes.
The login-config element syntax is as follows:
<!ELEMENT login-config (auth-method?,realm-name?,form-login-config?)>
The auth-method subelement of login-config is officially optional, but if it is not included, the server defaults to HTTP Basic Authentication, which is not very secure.
For more information regarding sun-web.xml elements, see Chapter 7, Deploying Web Applications.
HTTP basic authentication (RFC 2617) is supported by the Sun Java System Web Server. Because passwords are sent with base64 encoding, this authentication type is not very secure. Use of SSL or another equivalent transport encryption is recommended to protect the password during transmission.
SSL 3.0 and the means to perform mutual (client/server) certificate-based authentication is a J2SE 1.3 specification requirement. This security mechanism provides user authentication using HTTPS (HTTP over SSL).
The Sun Java System Web Server SSL mutual authentication mechanism (also known as HTTPS authentication) supports the following cipher suites:
The login screen's look and feel cannot be controlled with the HTTP browser's built-in mechanisms. J2SE introduces the ability to package a standard HTML or servlet/JSP based form for logging in. The login form is associated with a web protection domain (an HTTP realm) and is used to authenticate previously unauthenticated users.
Because passwords are sent in the clear (unless protected by the underlying transport), this authentication type is not very secure. Use of SSL or another equivalent transport encryption is recommended to protect the password during transmission.
For the authentication to proceed appropriately, the login form action must always be j_security_check.
The following is an HTML sample showing how to program the form in an HTML page:
<form method="POST" action="j_security_check"> <input type="text" name="j_username"> <input type="password" name="j_password"> </form>
You can specify the parameter encoding for the form. For details, see parameter-encoding.