Securing web applications
Authenticating users
logged in yet. If he hasn't, it challenges the user to provide credentials by sending an HTTP 401 (Unauthorized) response back to the user's browser.
The 401 response carries a WWW-Authenticate: Basic header, and it is that header that causes the browser to display a dialog box prompting the user for a username and password. Figure 6.4 shows the dialog box a web browser displays when it receives the 401 message.
When the user fills out the username and password and submits the dialog box, the browser joins the two with a colon, base64-encodes the result, and sends it back to the web container in an Authorization: Basic header for authentication against the security framework. This is the response portion of the challenge-response.
Basic authentication is configured in the WEB-INF/web.xml file using the following
login-config declaration:
<login-config>
  <auth-method>BASIC</auth-method>
  <realm-name>My Site</realm-name>
</login-config>
The auth-method element specifies that basic authentication should be used. The
realm-name element specifies descriptive text that's sent back to the client (in the
WWW-Authenticate header) when it requests a secured URL. This field gives the client a
name to associate with the secured part of the website that he is trying to access. Most
browsers display the value of the realm name in the dialog box that's shown to the user.
This strategy isn't secure when used over plain HTTP because the password supplied to
the dialog box isn't encrypted before it's sent to the server: base64 is an encoding, not
an encryption algorithm, and anyone who can observe the request can decode the
Authorization header and read the password. Basic authentication can be used securely
with a server that enables HTTPS. In that case the request, including the Authorization
header, travels inside a TLS connection: the server's public key (from its certificate)
is used to authenticate the server and establish a session key, and that session key
encrypts everything the user submits over the wire. We show how to configure HTTPS in
section 6.4.
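The challenge-response exchange just described, as an added Python example rather than code from the book or from any servlet container: the server's 401 challenge, the browser's Authorization header, and the server-side decoding and credential check. The decode_basic function also makes the base64 point concrete, since anyone who captures the header recovers the password with the same call. The user table, the function names and the dictionary used to represent an HTTP response are assumptions for the demo.

```python
import base64
import binascii
import hmac

# Constructed user store for the demo only (plaintext passwords). A real
# container delegates this lookup to the realm configured for the application.
USERS = {"alice": "s3cret:with:colons"}


def basic_challenge(realm):
    """The 401 the container sends when a secured URL is requested without
    credentials. The WWW-Authenticate header is what makes the browser pop
    up the login dialog; it is the challenge half of the exchange."""
    return {"status": 401, "headers": {"WWW-Authenticate": f'Basic realm="{realm}"'}}


def basic_authorization(username, password):
    """The response half: the browser joins username and password with a
    colon, base64-encodes the result and resends the request with it."""
    token = base64.b64encode(f"{username}:{password}".encode("utf-8")).decode("ascii")
    return f"Basic {token}"


def decode_basic(header):
    """Server side (or eavesdropper side): recover (username, password) from an
    Authorization header. Returns None for anything malformed instead of raising,
    so a bad header can be turned into a fresh 401 rather than a 500."""
    parts = header.split(" ", 1)
    if len(parts) != 2 or parts[0].lower() != "basic":
        return None
    try:
        raw = base64.b64decode(parts[1], validate=True).decode("utf-8")
    except (binascii.Error, UnicodeDecodeError):
        return None
    if ":" not in raw:
        return None
    # RFC 7617: the username cannot contain a colon, the password can, so split once.
    username, password = raw.split(":", 1)
    return username, password


def authenticate(header):
    """Validate an Authorization header against the user store.
    compare_digest keeps the comparison time independent of where the
    first mismatching byte is."""
    creds = decode_basic(header)
    if creds is None:
        return False
    username, password = creds
    expected = USERS.get(username)
    if expected is None:
        return False
    return hmac.compare_digest(expected.encode("utf-8"), password.encode("utf-8"))


if __name__ == "__main__":
    header = basic_authorization("alice", "s3cret:with:colons")
    print(basic_challenge("My Site"))
    print(header)
    print("eavesdropper sees:", decode_basic(header))
    print("server accepts:", authenticate(header))
```

Note that the only thing the 401 contributes to security is the realm name; whether the password is confidential depends entirely on the transport the header crosses.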
Browsers cache the username and password used to log into a website and, without prompting the user again, resend them on every subsequent request to that realm. Although this is a convenience to the user, it makes it difficult to implement a logout feature for your application: the server has no way to tell the browser to forget the credentials, so the browser keeps logging the user back in.
Because of the inability to control logging out and the lack of integration with a site's look and feel, we've rarely seen or used basic authentication in larger enterprise applications. That being said, basic authentication is simple to set up and is often used in smaller applications, particularly internal company applications with few users. To work around the inability to log out and the lack of integration with a site's look and feel, use form-based authentication. Let's take a look.
Figure 6.4 A dialog box is shown when basic authentication is used and the user’s credentials are needed.
6.2.3 Form-based authentication
Most websites provide a login screen that integrates with the site's look and feel rather than using the dialog box that basic authentication uses. With form-based authentication, the container still determines whether or not the user has logged in; but instead of prompting the user for login information using a browser dialog box, an HTML page containing a login form is sent. The user fills out the HTML form and submits it back to the server. This HTML page can have any format as long as it has a form with the required form elements, as shown in listing 6.2.
<form name="loginForm" method="post" action="j_security_check">
  <table>
    <tr>
      <td>User Name:</td>
      <td><input type="text" name="j_username"></td>
    </tr>
    <tr>
      <td>Password:</td>
      <td><input type="password" name="j_password"></td>
    </tr>
    <tr>
      <td colspan="2"><input type="submit" value="login"></td>
    </tr>
  </table>
</form>
As shown in the code listing, the form's action must contain the value
j_security_check, and the username and password fields must have their name attributes
set to j_username and j_password, respectively. The form should be submitted with
POST, as here, so the password doesn't end up in the URL, the browser history or the
server's access log.
Form-based authentication can be enabled in web.xml using a login-config declaration similar to the following:

<login-config>
  <auth-method>FORM</auth-method>
  <form-login-config>
    <form-login-page>/restricted/login.html</form-login-page>
    <form-error-page>/restricted/bad-login.html</form-error-page>
  </form-login-config>
</login-config>
The value of auth-method must be FORM to enable form-based authentication.
The form-login-config element defines the login page the container sends the user to when he requests a protected resource without having logged in, and the error page the user is sent to if the submitted credentials are rejected. The container remembers the resource that was originally requested and, after a successful login, redirects the user back to it.
Like basic authentication, form-based authentication sends the password in the clear when used over plain HTTP, so you may want to enable secure HTTP as discussed in section 6.4.
We've talked about basic and form-based authentication, both of which are insecure without HTTPS. Now let's talk about digest authentication, which is similar to basic authentication but avoids sending the password itself over the wire.
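A model of the container's form-login flow, added here as a Python example and not the book's or any container's own code. It shows what the container does around the j_security_check post: it remembers the originally requested URL, shows the login page, forwards to the error page on a bad password, redirects to the original URL on success and, unlike basic authentication, lets the application log the user out simply by discarding the session. The user table, the /restricted/ path, the resolved j_security_check URL, the 400 for a form posted with no saved request and the return-tuple convention are assumptions for the demo.

```python
import hmac

# Constructed user store for the demo only (plaintext passwords). A real
# container delegates this check to the realm configured for the application.
USERS = {"alice": "s3cret"}

# The login and error pages come from the login-config shown above; the
# protected path and the resolved form action are assumptions for the demo
# (the form's relative action "j_security_check" resolves next to the login page).
LOGIN_PAGE = "/restricted/login.html"
ERROR_PAGE = "/restricted/bad-login.html"
PROTECTED_PREFIX = "/restricted/"
SECURITY_CHECK = "/restricted/j_security_check"


def check_password(username, password):
    """Constant-time comparison against the demo user store."""
    expected = USERS.get(username)
    if expected is None:
        return False
    return hmac.compare_digest(expected.encode("utf-8"), password.encode("utf-8"))


def handle(session, method, path, form=None):
    """Route one request through container-style form login.

    `session` is a dict standing in for the HttpSession. Returns a tuple:
      ("serve", path)         the requested resource is delivered
      ("forward", page)       the container shows the login or error page instead
      ("redirect", location)  an HTTP 302 to `location`
      ("error", code)         an HTTP error status
    """
    form = form or {}

    # 1. The login form posts here; the container, not the application, handles it.
    if path == SECURITY_CHECK and method == "POST":
        original = session.get("original_url")
        if original is None:
            # Form posted without first requesting a protected URL: nothing to return to.
            return ("error", 400)
        if check_password(form.get("j_username", ""), form.get("j_password", "")):
            session["user"] = form["j_username"]
            del session["original_url"]
            return ("redirect", original)      # back to what the user asked for
        return ("forward", ERROR_PAGE)

    # 2. The login and error pages must be reachable while logged out,
    #    otherwise showing the challenge would trigger another challenge.
    if path in (LOGIN_PAGE, ERROR_PAGE):
        return ("serve", path)

    # 3. Protected resource and no authenticated user: remember the target,
    #    then show the form instead of the resource.
    if path.startswith(PROTECTED_PREFIX) and "user" not in session:
        session["original_url"] = path
        return ("forward", LOGIN_PAGE)

    return ("serve", path)


def logout(session):
    """Login state lives in the server-side session, so logout is just dropping it;
    nothing the browser has cached can log the user back in."""
    session.clear()


if __name__ == "__main__":
    s = {}
    print(handle(s, "GET", "/restricted/report.html"))
    print(handle(s, "POST", SECURITY_CHECK, {"j_username": "alice", "j_password": "nope"}))
    print(handle(s, "POST", SECURITY_CHECK, {"j_username": "alice", "j_password": "s3cret"}))
    print(handle(s, "GET", "/restricted/report.html"))
    logout(s)
    print(handle(s, "GET", "/restricted/report.html"))
```

The redirect after a successful post is why the user lands on the page he originally asked for rather than on the login page; the session, not anything the browser caches, is what keeps him logged in, which is exactly what makes logout possible here and not with basic authentication.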
Listing 6.2 An HTML form used for form-based authentication