Kevin P Smith wrote:
1: Plain text! Now maybe this isn't an issue at all, but I have always encrypted (MessageDigest) passwords. I can't see a way to do this with j_security_check, in fact it seems to work with clear text passwords.
There are two parts to this: encryption in transport (i.e., using DIGEST auth instead of BASIC auth) and encryption in storage (storing digested passwords in the DB or wherever instead of cleartext passwords). The mechanics will differ between servlet containers, but for Tomcat both are discussed in
http://tomcat.apache.org/tomcat-7.0-doc/realm-howto.html#Digested_Passwords
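For the "encryption in storage" half, here is an added example of doing the MessageDigest work the question asks about (my own code, not from this thread and not Tomcat's implementation): it salts and iterates a SHA-256 digest, stores the result as a `salt$iterations$hex` string (a layout I chose for the demo), and verifies a login attempt with a constant-time comparison. The point a practitioner should take from it is that plain `MessageDigest.digest(password)` with no salt is the weak form; a per-user salt is what stops a single precomputed table from covering every account.

```java
// Added example, not from the thread or from Tomcat: salted, iterated SHA-256
// password digesting with java.security.MessageDigest. The stored record
// layout "salt$iterations$hexdigest" is an assumption made for this demo.
import java.nio.charset.StandardCharsets;
import java.security.MessageDigest;
import java.security.NoSuchAlgorithmException;
import java.security.SecureRandom;

public class PasswordDigest {

    private static final String ALGORITHM = "SHA-256";
    private static final int SALT_BYTES = 16;
    private static final int DEFAULT_ITERATIONS = 10_000;
    private static final SecureRandom RANDOM = new SecureRandom();

    /** Digest a cleartext password into "salt$iterations$hex" for storage in the realm's DB. */
    public static String digest(String password) {
        byte[] salt = new byte[SALT_BYTES];
        RANDOM.nextBytes(salt); // fresh random salt per stored password
        byte[] hash = compute(password, salt, DEFAULT_ITERATIONS);
        return toHex(salt) + "$" + DEFAULT_ITERATIONS + "$" + toHex(hash);
    }

    /** Re-digest the candidate with the stored salt and iteration count, then compare in constant time. */
    public static boolean verify(String candidate, String stored) {
        String[] parts = stored.split("\\$");
        if (parts.length != 3) {
            return false; // malformed record: never fall back to a cleartext comparison
        }
        byte[] salt = fromHex(parts[0]);
        int iterations = Integer.parseInt(parts[1]);
        byte[] expected = fromHex(parts[2]);
        byte[] actual = compute(candidate, salt, iterations);
        // MessageDigest.isEqual does not short-circuit on the first differing byte.
        return MessageDigest.isEqual(expected, actual);
    }

    private static byte[] compute(String password, byte[] salt, int iterations) {
        try {
            MessageDigest md = MessageDigest.getInstance(ALGORITHM);
            md.update(salt);
            byte[] out = md.digest(password.getBytes(StandardCharsets.UTF_8));
            // Re-digest the output to make each guess cost more; digest() resets the instance.
            for (int i = 1; i < iterations; i++) {
                out = md.digest(out);
            }
            return out;
        } catch (NoSuchAlgorithmException e) {
            throw new IllegalStateException(ALGORITHM + " is not available in this JVM", e);
        }
    }

    private static String toHex(byte[] bytes) {
        StringBuilder sb = new StringBuilder(bytes.length * 2);
        for (byte b : bytes) {
            sb.append(String.format("%02x", b));
        }
        return sb.toString();
    }

    private static byte[] fromHex(String hex) {
        byte[] out = new byte[hex.length() / 2];
        for (int i = 0; i < out.length; i++) {
            out[i] = (byte) Integer.parseInt(hex.substring(2 * i, 2 * i + 2), 16);
        }
        return out;
    }

    public static void main(String[] args) {
        String stored = digest("correct horse battery staple");
        System.out.println("stored record: " + stored);
        System.out.println("right password verifies: " + verify("correct horse battery staple", stored));
        System.out.println("wrong password verifies: " + verify("Tr0ub4dor&3", stored));
    }
}
```

With a container-managed realm you normally do not call `verify` yourself: Tomcat's realms can be told which digest algorithm the stored column holds (the `digest` attribute on the Realm element in the linked how-to) and do the comparison inside `j_security_check`. One caveat from that same document worth keeping in mind: when the transport half is DIGEST auth rather than BASIC or FORM, the container has to recompute the HTTP digest from the stored value, so the stored digest must then be MD5 over `username:realm:password` rather than an arbitrary hash of the password alone; the two halves of the answer above constrain each other.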
Kevin P Smith wrote:
Going straight to a login page. j_security_check is great for attempting to access a secure page, but what if the user goes to a login form?
That's not how servlet security is meant to work - the login page is only used en route to a protected page, not as an entry page itself. So there should not be a link to it anywhere. I'm not sure what happens if a user goes there directly - he may be redirected to the home page after login.