
Samples ▸ FORM Authentication (Tomcat)
  1. The application structure
  2. tomcat-users.xml
  3. web.xml
  4. index.jsp
  5. login.jsp
  6. error.jsp
  7. Test the FORM authentication


  1. The application structure
    |+ ${TOMCAT_HOME}
       |+ webapps
          |+ auth
             |+ WEB-INF
                |+ web.xml
             |+ jsp
                |+ index.jsp
                |+ login.jsp
                |+ error.jsp
    
  2. tomcat-users.xml
    You need to define the users and roles that will be allowed to authenticate to the application.
    file: ${TOMCAT_HOME}/conf/tomcat-users.xml
    Example:
    <role rolename="tomcat"/>
    
    <user username="tomcat" password="tomcat" roles="tomcat"/>
    
  3. web.xml
    You need to configure your application so it will handle FORM authentication. Note that the <http-method>GET</http-method> element below limits the constraint to GET requests; any other method sent to /jsp/* is not covered by the auth-constraint (Tomcat logs a warning about uncovered methods at startup), so drop the <http-method> element, or add <deny-uncovered-http-methods/>, if every method should be protected.
    file: ${TOMCAT_HOME}/webapps/auth/WEB-INF/web.xml
    <?xml version="1.0" encoding="ISO-8859-1"?>
    <web-app xmlns="http://xmlns.jcp.org/xml/ns/javaee"
        xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
        xsi:schemaLocation="http://xmlns.jcp.org/xml/ns/javaee http://xmlns.jcp.org/xml/ns/javaee/web-app_4_0.xsd"
        version="4.0"
        metadata-complete="true">
    
        <welcome-file-list>
            <welcome-file>index.jsp</welcome-file>
        </welcome-file-list>
    
        <security-constraint>
            <web-resource-collection>
                <web-resource-name>Web Resource - Allow GET method</web-resource-name>
    
                <url-pattern>/jsp/*</url-pattern>
    
                <http-method>GET</http-method>
            </web-resource-collection>
    
            <auth-constraint>
                <role-name>tomcat</role-name>
            </auth-constraint>
        </security-constraint>
    
        <security-role>
            <role-name>tomcat</role-name>
        </security-role>
    
        <login-config>
            <auth-method>FORM</auth-method>
            <form-login-config>
                <form-login-page>/jsp/login.jsp</form-login-page>
                <form-error-page>/jsp/error.jsp</form-error-page>
            </form-login-config>
        </login-config>
    </web-app>
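    As an added example (not part of the original page), here is a small Python check that reads a web.xml like the one above and reports which HTTP methods each constrained url-pattern leaves uncovered, plus the FORM login/error pages. The embedded web.xml is an abbreviated copy of the configuration above.

```python
import xml.etree.ElementTree as ET

NS = {"j": "http://xmlns.jcp.org/xml/ns/javaee"}
COMMON_METHODS = {"GET", "HEAD", "POST", "PUT", "DELETE", "OPTIONS", "TRACE"}

# Abbreviated copy of the web.xml from this page, embedded so the check runs offline.
WEB_XML = """<web-app xmlns="http://xmlns.jcp.org/xml/ns/javaee" version="4.0">
  <security-constraint>
    <web-resource-collection>
      <web-resource-name>Web Resource - Allow GET method</web-resource-name>
      <url-pattern>/jsp/*</url-pattern>
      <http-method>GET</http-method>
    </web-resource-collection>
    <auth-constraint><role-name>tomcat</role-name></auth-constraint>
  </security-constraint>
  <login-config>
    <auth-method>FORM</auth-method>
    <form-login-config>
      <form-login-page>/jsp/login.jsp</form-login-page>
      <form-error-page>/jsp/error.jsp</form-error-page>
    </form-login-config>
  </login-config>
</web-app>"""

def uncovered_methods(web_xml):
    """Map each constrained url-pattern to the common HTTP methods its
    constraint does NOT cover. Listing <http-method> narrows the constraint,
    so every method not listed bypasses the auth-constraint for that pattern;
    <deny-uncovered-http-methods/> makes the container reject those instead."""
    root = ET.fromstring(web_xml)
    deny_uncovered = root.find("j:deny-uncovered-http-methods", NS) is not None
    result = {}
    for sc in root.findall("j:security-constraint", NS):
        for wrc in sc.findall("j:web-resource-collection", NS):
            listed = {m.text.strip().upper() for m in wrc.findall("j:http-method", NS)}
            omitted = {m.text.strip().upper() for m in wrc.findall("j:http-method-omission", NS)}
            if listed:
                uncovered = COMMON_METHODS - listed
            else:
                uncovered = omitted  # no method element at all: every method is covered
            for up in wrc.findall("j:url-pattern", NS):
                result[up.text.strip()] = set() if deny_uncovered else set(uncovered)
    return result

def form_login_pages(web_xml):
    """Return (form-login-page, form-error-page) declared for FORM authentication."""
    root = ET.fromstring(web_xml)
    flc = root.find("j:login-config/j:form-login-config", NS)
    return (flc.findtext("j:form-login-page", namespaces=NS),
            flc.findtext("j:form-error-page", namespaces=NS))
```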
    
  4. index.jsp
    Here's a simple page that will show the name of the authenticated user.
    file: ${TOMCAT_HOME}/webapps/auth/jsp/index.jsp
    <html>
      <head>
        <title>Index Page</title>
      </head>
    
      <body>
    User: <b><%= request.getRemoteUser() %></b>
      </body>
    </html>
    
  5. login.jsp
    Here's a simple page that will allow the user to authenticate to the application.
    file: ${TOMCAT_HOME}/webapps/auth/jsp/login.jsp
    <html>
    <head>
    <title>Login Page</title>
    </head>
    
    <body>
        <form method="POST" action='<%= response.encodeURL("j_security_check") %>'>
            <table cellspacing="5">
                <tr>
                    <th align="right">Username:</th>
                    <td align="left"><input type="text" name="j_username"></td>
                </tr>
    
                <tr>
                    <th align="right">Password:</th>
                    <td align="left"><input type="password" name="j_password"></td>
                </tr>
    
                <tr>
                    <td align="right"><input type="submit"></td>
                    <td align="left"><input type="reset"></td>
                </tr>
            </table>
        </form>
    </body>
    </html>
    
  6. error.jsp
    Here's a simple page that will show an error message if the authentication failed.
    file: ${TOMCAT_HOME}/webapps/auth/jsp/error.jsp
    <html>
    <head>
    <title>Error Page</title>
    </head>
    
    <body>
        Invalid username/password!
    </body>
    </html>
    
  7. Test the FORM authentication
    Browser: http://localhost:8080/auth/jsp/


    Here are the request headers as they will be sent by the browser, and the response headers as they will be sent back by Tomcat:

    First, the browser will send these headers as part of the request:
    GET /auth/jsp/ HTTP/1.1
    Host: localhost:8080
    ...
    
    Second, Tomcat will send back these headers as part of the response (200 OK):
    HTTP/1.1 200
    Set-Cookie: JSESSIONID=0092B8A71FDB1DAAA5C737582A201459;path=/abc/;HttpOnly
    ...
    
    When you fill in your username/password and submit the form, the browser will send these headers, followed by the form body, as part of the request:
    POST /auth/jsp/j_security_check;jsessionid=0092B8A71FDB1DAAA5C737582A201459 HTTP/1.1
    Host: localhost:8080
    Cookie: JSESSIONID=0092B8A71FDB1DAAA5C737582A201459
    j_username=tomcat&j_password=tomcat
    ...
    
    Then Tomcat will send back these headers as part of the response (200 OK + URL redirection):
    HTTP/1.1 200
    Location: http://localhost:8080/auth/jsp/
    ...
    
    Then the browser will send these headers as part of the request:
    GET /auth/jsp/ HTTP/1.1
    Host: localhost:8080
    Cookie: JSESSIONID=0092B8A71FDB1DAAA5C737582A201459
    ...
    
    And then Tomcat will send back these headers as part of the response (200 OK):
    HTTP/1.1 200
    Set-Cookie: JSESSIONID=89F7D6BB78A0059B4570B1DF49B496EB;path=/abc/;HttpOnly
    ...
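    As an added example (not part of the original page), here is a Python check over header dumps like the ones above: it parses the Set-Cookie lines of the response received before login and the one received after login, and reports whether Tomcat rotated JSESSIONID on authentication and whether the cookie carries HttpOnly and Secure. The two header dumps are constructed from the exchange shown above.

```python
# Constructed response header dumps, based on the exchange shown above:
# the response to the first GET (before login) and the one after login.
BEFORE_LOGIN = """HTTP/1.1 200
Set-Cookie: JSESSIONID=0092B8A71FDB1DAAA5C737582A201459;path=/abc/;HttpOnly
Content-Type: text/html;charset=ISO-8859-1"""

AFTER_LOGIN = """HTTP/1.1 200
Set-Cookie: JSESSIONID=89F7D6BB78A0059B4570B1DF49B496EB;path=/abc/;HttpOnly
Content-Type: text/html;charset=ISO-8859-1"""

def session_cookies(raw_headers):
    """Return {name: (value, {attribute_lowercase: attribute_value})}
    for every Set-Cookie line in a raw header dump."""
    cookies = {}
    for line in raw_headers.splitlines():
        if not line.lower().startswith("set-cookie:"):
            continue
        parts = [p.strip() for p in line.split(":", 1)[1].split(";")]
        name, _, value = parts[0].partition("=")
        attrs = {}
        for attr in parts[1:]:
            key, _, val = attr.partition("=")
            attrs[key.strip().lower()] = val.strip()
        cookies[name.strip()] = (value, attrs)
    return cookies

def check_session_handling(before, after):
    """Return a list of findings; an empty list means every check passed.
    A session id that survives authentication is a session fixation risk,
    so the id seen after login must differ from the one issued before."""
    findings = []
    pre = session_cookies(before).get("JSESSIONID")
    post = session_cookies(after).get("JSESSIONID")
    if pre is None or post is None:
        return ["no JSESSIONID cookie in one of the responses"]
    if pre[0] == post[0]:
        findings.append("session id not rotated after authentication")
    for label, (_, attrs) in (("pre-login", pre), ("post-login", post)):
        if "httponly" not in attrs:
            findings.append(f"{label} cookie lacks HttpOnly")
        if "secure" not in attrs:
            findings.append(f"{label} cookie lacks Secure (acceptable only on plain-http localhost)")
    return findings
```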
    


© mtitek.com