Network Deployment (Distributed operating systems), v8.0 > Develop and deploying applications > Develop security > Develop extensions to the WebSphere security infrastructure

Customize web application login

We can create a form login page and an error page to authenticate a user. A web client or a browser can authenticate a user to a Web server using one of the following mechanisms:

• HTTP basic authentication: A web server requests the Web client to authenticate and the web client passes a user ID and a password in the HTTP header.
• HTTPS client authentication: This mechanism requires a user (web client) to possess a public key certificate. The web client sends the certificate to a web server that requests the client certificates. This authentication mechanism is strong and uses the Hypertext Transfer Protocol with SSL (HTTPS) protocol.
• Form-based Authentication: A developer controls the look and feel of the login screens using this authentication mechanism.

The Hypertext Transfer Protocol (HTTP) basic authentication transmits a user password from the web client to the web server in simple base64 encoding. Form-based authentication transmits a user password from the browser to the web server in plain text. Therefore, both HTTP basic authentication and form-based authentication are not very secure unless the HTTPS protocol is used.

The web application deployment descriptor contains information about which authentication mechanism to use. When form-based authentication is used, the deployment descriptor also contains entries for login and error pages. A login page can be either an HTML page or a JSP file. This login page is displayed on the web client side when a secured resource (servlet, JSP file, HTML page) is accessed from the application. On authentication failure, an error page is displayed. We can write login and error pages to suit the application needs and control the look and feel of these pages. During assembly of the application, an assembler can set the authentication mechanism for the application and set the login and error pages in the deployment descriptor.

Form login uses the servlet sendRedirect method, which has several implications for the user. The sendRedirect method is used twice during form login:

• The sendRedirect method initially displays the form login page in the web browser. It later redirects the web browser back to the originally requested protected page. The sendRedirect(String URL) method tells the web browser to use the HTTP GET request to get the page specified in the web address. If HTTP POST is the first request to a protected servlet or JSP file, and no previous authentication or login occurred, then HTTP POST is not delivered to the requested page. However, HTTP GET is delivered because form login uses the sendRedirect method, which behaves as an HTTP GET request that tries to display a requested page after a login occurs.

• Use HTTP POST, you might experience a scenario where an unprotected HTML form collects data from users and then posts this data to protected servlets or JSP files for processing, but the users are not logged in for the resource.

  To avoid this scenario, structure your web application or permissions so that users are forced to use a form login page before the application performs any HTTP POST actions to protected servlets or JSP files.

Procedure

1. Create a form login page with the required look and feel, including the required elements to perform form-based authentication.

2. Create an error page. We can program error pages to retry authentication or to display an appropriate error message.
3. Place the login page and error page in the web application archive (.war) file relative to the top directory. For example, if the login page is configured as /login.html in the deployment descriptor, place it in the top directory of the WAR file. An assembler can also perform this step using the assembly tool.
4. Create a form logout page and insert it to the application only when the web application requires a form-based authentication mechanism.

   By default the URL to the logout page should point to the host to which the request was made or its domain. Otherwise, a generic logout page is displayed. If point this URL to a different host, then set the com.ibm.websphere.security.logoutExitPageDomainList property in the security.xml file with a list of URLs that are allowed for the logout page. We can choose to allow any logout exit page to be used by setting the com.ibm.websphere.security.allowAnyLogoutExitPageHost property to a value of true. Setting this property to true might open the systems to a potential URL redirect attacks.

Example

We can use the WAS login facilities to implement and configure form login procedures. Use the following technologies for WAS and Java EE login functionality:

• Java EE form-based login
• Java EE servlet filter with login
• IBM extension: form-based login

The form login sample is part of the Technology Samples package. For more information on how to access the form login sample, see Accessing the samples. Form login usage

For the authentication to proceed appropriately, the action of the login form must always have the j_security_check action. The following example shows how to code the form into the HTML page:

<form method="POST" action="j_security_check">
<input type="text" name="j_username">
<input type="text" name="j_password">

<\form> 

Use the j_username input field to get the user name, and use the j_password input field to get the user password.

On receiving a request from a web client, the web server sends the configured form page to the client and preserves the original request. When the web server receives the completed form page from the web client, the server extracts the user name and password from the form and authenticates the user. On successful authentication, the web server redirects the call to the original request. If authentication fails, the web server redirects the call to the configured error page.

The following example depicts a login page in HTML (login.html):

<!DOCTYPE HTML PUBLIC "-//W3C/DTD HTML 4.0 Transitional//EN">
<html>
<META HTTP-EQUIV = "Pragma" CONTENT="no-cache">
<title> Security FVT Login Page
</title>
<body>
<h2>Form Login
</h2>
<FORM METHOD=POST ACTION="j_security_check">
<p>
<font size="2">
<strong> Enter user ID and password:
</strong>
</font>
<BR>
<strong> User ID </strong>
<input type="text" size="20" name="j_username">
<strong> Password
</strong>
<input type="password" size="20" name="j_password">
<BR>
<BR>
<font size="2">
<strong> And then click this button:
</strong>
</font>
<input type="submit" name="login" value="Login">
</p>

</form>
</body>
</html> 

The following example depicts an error page in a JSP file:

<!DOCTYPE HTML PUBLIC "-//W3C/DTD HTML 4.0 Transitional//EN">
<html>
<head>
<title>A Form login authentication failure occurred
</head>
</title>
<body>
<H1>
<B>A Form login authentication failure occurred
</H1>
</B>
<P>Authentication may fail for one of many reasons. Some possibilities include:

<OL>
<LI>The user-id or password may be entered incorrectly; either misspelled or the wrong case was used.

<LI>The user-id or password does not exist, has expired, or has been disabled.

</OL>
</P>
</body>
</html> 

 After an assembler configures the web application to use form-based authentication, the deployment descriptor contains the login configuration as shown:

<login-config id="LoginConfig_1">
<auth-method>FORM
<auth-method>
<realm-name>Example Form-Based Authentication Area
</realm-name>
<form-login-config id="FormLoginConfig_1">
<form-login-page>/login.html
</form-login-page>
<form-error-page>/error.jsp
</form-error-page>
</form-login-config>
</login-config> 



 A sample web application archive
(WAR) file directory structure that shows login and error pages for the previous login configuration follows:

META-INF
     META-INF/MANIFEST.MF
     login.html
     error.jsp
     WEB-INF/
     WEB-INF/classes/
     WEB-INF/classes/aServlet.class


Form logout

 Form
logout is a mechanism to log out without having to close all Web-browser
sessions. After logging out of the form logout mechanism, access to a protected web resource requires re-authentication. This feature
is not required by J2EE specifications, but it is provided as an additional feature in WAS security.


 Suppose
to log out after logging into a web application and perform some actions. A form logout works in the following manner:
 

 The logout-form URI is specified in the web browser
and loads
the form.

 The user clicks Submit on the form to log out.

 The WAS security code logs the user out. During this process, the Application Server completes
the following processes:
 

 Clears the Lightweight Third Party
Authentication (LTPA) / single
sign-on (SSO) cookies

 Invalidates the HTTP session
 Removes
the user from the authentication cache


 
 Upon logout, the user is redirected to a logout exit page.


 Form
logout does not require any attributes in a deployment descriptor. The form-logout page is an HTML or a JSP file that is included with the web application. The form-logout
page is like most HTML forms except that like the form-login page, the form-logout page has a special post action. This post action is recognized by the web container, which dispatches the post action
to a special internal form-logout servlet. The post action in the form-logout page must be ibm_security_logout.


 We can specify a logout-exit page in the logout form and the exit page can represent an HTML or a JSP file within the same web application to which the user is redirected after logging out. Additionally, the logout-exit page permits a fully qualified URL in the form of http://hostname:port/URL.
The logout-exit page is specified as a parameter in the form-logout
page. If no logout-exit page is specified, a default logout HTML message is returned to the user.


 Here is a sample form logout HTML
form. This form configures the logout-exit page to redirect the user back to the login page after logout.

<!DOCTYPE HTML PUBliC "-//W3C/DTD HTML 4.0 Transitional//EN">
<html>
<META HTTP-EQUIV = "Pragma" CONTENT="no-cache">
<title>Logout Page
</title>
<body>
<h2>Sample Form Logout
</h2>
<FORM METHOD=POST ACTION="ibm_security_logout" NAME="logout">
<p>
<BR>
<BR>
<font size="2">
<strong> Click this button to log out:
</strong>
</font>
<input type="submit" name="logout" value="Logout">
<INPUT TYPE="HIDDEN" name="logoutExitPage" VALUE="/login.html">
</p>
</form>
</body>
</html> 




 
What to do next 
After developing login and error pages, add them to the Web application. Use the assembly tool to configure an authentication mechanism and insert the developed login page and error page in the deployment descriptor of the application.










 
Related



Develop servlet filters for form login processing










Web component security




Single sign-on for HTTP requests using SPNEGO web authentication








Samples documentation




Create a single sign-on for HTTP requests using SPNEGO Web authentication




Develop extensions to the WebSphere security infrastructure



 
Related



Security: Resources for learning

















 


 

  



+
 

  
Search Tips   |    
Advanced Search