
Usage of FORM login-config

 
Piotr Nowicki
Howdy Ranchers!

Just finished chapter 12 of HF book and I just wonder... The FORM login authentication type looks nice - you don't have to focus on checking user credentials or roles but just use the container to do the dirty work for you. As an added value, you are sure that if user logs in with wrong credentials, he will be redirected to the defined error page.

My question is... Is this solution widely used in the real-world?
There are many frameworks like Struts, GWT, SmartGWT, etc., and some of them don't seem to work on a simple login-page, error-page basis. There are pop-ups, there are some asynchronous calls, even Web Services login requests.

How does the form-login-config find its place in this world? Or maybe it doesn't and it's just a relic from the past? Is it widely used and/or can it be used when the application is using something other than just a plain page for login and error?

Cheers!
 
Frits Walraven
Hi Pedro,

My question is... Is this solution widely used in the real-world?

No. The main reason why it is not used a lot is because both the username and password are not encrypted from client to server. This makes it almost unusable in all practical situations.

There is one exception to the previous statement. Form login is often combined with SSL. The username and password are then encrypted in the SSL layer. You will see this kind of protecting in quite a number of web-apps.

Regards,
Frits
 
Piotr Nowicki
Howdy Frits!

There is one exception to the previous statement. Form login is often combined with SSL. The username and password are then encrypted in the SSL layer. You will see this kind of protecting in quite a number of web-apps.


Ok, so as you said - you can use transport-guarantee, which will force the use of something to make sure the transport is confidential (like SSL), so... if this is achievable, why is it still not widely used?

And if the form-login-config isn't used, maybe just the container-managed credentials mechanism is? If I'm not using the container authentication, can I still use container authorization (security-auth, auth-constraints, etc.)?

Like this: I would like the container to be aware of company LDAP. I also want to use LDAP roles and usernames in web.xml, i.e. to prevent some users from accessing particular servlets, but because of the application requirements I cannot use form-login-config. Is it still possible?

Cheers!
 
Frits Walraven
Ok, so as you said - you can use transport-guarantee which will force to use something to make sure the transport is confidential (like SSL), so... if this is achievable, why it's still not widely used?

Well, authentication from client to server is no big deal, it just involves sending a username and password over a (secure) line. You can easily program that part of your web-application yourself.

And if the form-login-config isn't used, maybe just the container managed credentials mechanism is? If i'm not using the container authentication, can I still use container authorization (security-auth, auth-constraints, etc.)?

Yes, you can, by using the <security-role-ref> element of the web.xml. You bind the programmatic roles (the ones you use in a Servlet) to the declarative roles (the ones you define in a <security-role>). However, you should always ask yourself if programmatic security adds something extra to the declarative security.

Like this: I would like the container to be aware of company LDAP. I also want to use LDAP roles and usernames in web.xml, i.e. to prevent some users from accessing particular servlets, but because of the application requirements I cannot use form-login-config. Is it still possible?

Watch out: binding users to roles is not done in the web.xml. You only define the roles that are used in the web-application. The user-to-role binding is something server specific. Even with Tomcat you can connect to an LDAP server for authentication (user to role mapping).

Regards,
Frits
 
Piotr Nowicki
Thanks Frits for your time :-)
 