Verification of my login page

Hi,
I have created a jsp page named Login.jsp, here's the followings code:
<%@ page language="java" contentType="text/html; charset=ISO-8859-1" pageEncoding="ISO-8859-1"%> <!DOCTYPE html PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN" "http://www.w3.org/TR/html4/loose.dtd"> <html> <head> <meta http-equiv="Content-Type" content="text/html; charset=ISO-8859-1"> <link type="text/css" rel="stylesheet" href="inc/style.css" > <title>login</title> </head> <body> <form method=post action="j_security_check"> <table align="center" border="0" cellpadding="0" cellspacing="0" width="100%"> <tbody> <!-- le début de la page --> <tr> <td colspan="3"> <!-- cellule contient 3 colonne --> <table align="center" border="0" cellpadding="0" cellspacing="0" width="65%"> <!-- tableau au center de largeur 65 % et les autres colonnes sont égaux et contient 2 lignes --> <tbody> <tr> <td > <img src="image/top_logo.png" height="63px"> </td></tr> </tbody> <tbody> <tr height="10px"> </tbody> </table> </td> </tr> <tr> <td colspan="3" height="135px"> <table align="center" border="0" cellpadding="0" cellspacing="0" width="40%"> <tbody> <tr> <td></td> <td colspan="6" align="center" style=" font-family:serif;font-size: 37px;" class="table" > <div align="center"> Authentication </div> </td> </tr> </tbody> </table> </td> </tr> <tr> <td height="100px"> </td> </tr> <tr> <td colspan="4"> <table border="0" align="center" width="65%" cellpadding="1" cellspacing="1"> <tbody> <tr > <td width="200px"></td> <td ><span style="font-family: serif;font-size: 20px" >Login:</span></td> <td><input type="text" name="j_username"></td> <td width="150px"></td> </tr> <tr> <td height="10px"></td> </tr> <tr> <td width="200px"></td> <td><span style="font-family: serif;font-size: 20px" >Password:</span></td> <td> <input type="password" name="j_password"></td> <td width="150px"></td> </tr> </tbody> </table> </td> </tr> <tr> <td align="center" height="100px"> <input style="width: 85px" type="submit" value="Confirm" class="login"> </td> </tr> </tbody> </table> </form> </body> </html>
is that the structure of my page is correct according to you?
i create a new folder below WebContent in my project, named "authentication" and i placed below home.jsp.
This page will display, if the login and password is correct.
Also, i change some thing in web.xml of project :
<?xml version="1.0" encoding="UTF-8"?> <web-app xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xmlns="http://java.sun.com/xml/ns/javaee" xmlns:web="http://java.sun.com/xml/ns/javaee/web-app_2_5.xsd" xsi:schemaLocation="http://java.sun.com/xml/ns/javaee http://java.sun.com/xml/ns/javaee/web-app_3_0.xsd" id="WebApp_ID" version="3.0"> <display-name>authentication</display-name> <security-constraint> <web-resource-collection> <web-resource-name>secured</web-resource-name> <url-pattern>/authentication/*</url-pattern> </web-resource-collection> <auth-constraint> <role-name>user</role-name> </auth-constraint> </security-constraint> <security-role> <role-name>user</role-name> </security-role> <login-config> <auth-method>FORM</auth-method> <form-login-config> <form-login-page>/login.jsp</form-login-page> <form-error-page>/login_failure.jsp</form-error-page> </form-login-config> </login-config> </web-app>
When i enter "http://localhost:8080/Gestion_de_stock/authentication/home.jsp" many problem appears :
Firstly, the login page doesn't display with the style that i made in a css file "style.css"
Also, when i enter a correct login and password an error page display and a url i don't know where it comes from "http://localhost:8080/Gestion_de_stock/authentication/image/top_logo.png"
Would you please help me to find out my problem, and thank you in advance :)

You have designed and configured a container-managed login.

Container-managed security, as its name implies is handled by the container (web server), not by the web application itself. All the web application does is indicate to the server when authentication is required, what transport channel (BASIC or FORM) will be used to demand credentials, and in the case of FORM-based login, the templates for the login and loginfail forms.

This means:

1. You cannot direct a user directly to the login page via a URL. In other words, "http://www.myserver.com/myapp/login.jsp" will not work properly. It will present the login page, but that page will not be connected to the container's login process, and therefore won't work. To get a login page, the user has to request one of the protected URLs that you defined in the WEB-INF/web.xml file. This will cause the server to check to see if the user is logged in, run the user through the login process, if needed, then present whatever page would normally come from requesting that protected URL.

2. You cannot write special login logic, provide additional login parameters, or expect special post-login or login-fail actions. The login process is handled by a special plugin (Realm) to the server, using a common interface method (authenticate), which accepts 2 parameters (user ID and password) from the container (obtained from the login/loginfail form) and returns a OK/failed status. To repeat, then, no application logic is involved in the container login process.

I think you understood this, based on your examples, but I like to repeat it often, because a lot of people do not.

You do have one problem, however. You have defined a rule that requires authentication on ALL URLs, including the CSS and image URLs on your login/loginfail pages. In other words, to retrieve and display the logo on the login page, you have to already be logged in. In theory, this should have caused some sort of recursion problem, but in reality what I've seen is basically what you reported.

I prefer to keep a public "hello" page myself, so that users can tell what site they've landed on and general news can be displayed. From there I can direct them to the secured part of the site.

And, of course, I exempt the CSS and image URLs from being secured.

Thank you for your reply,
I just want to know ho can i solve my problem, i read your reply many times and i don't know how can i solve my problem

When i put my jsp page login.jsp without style, and a simple page home.jsp it's work very well
login.jsp:
<%@ page language="java" contentType="text/html; charset=ISO-8859-1" pageEncoding="ISO-8859-1"%> <!DOCTYPE html PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN" "http://www.w3.org/TR/html4/loose.dtd"> <html> <head> <meta http-equiv="Content-Type" content="text/html; charset=ISO-8859-1"> <title>Insert title here</title> </head> <body> <form method=post action="j_security_check"> <p> <span>Username:</span> <input type="text" name="j_username"> </p> <p> <span>Password:</span> <input type="password" name="j_password"> </p> <p> <input type="submit" value="Login"> </p> </form> </body> </html>
authentication.jsp:
<%@ page language="java" contentType="text/html; charset=ISO-8859-1" pageEncoding="ISO-8859-1"%> <!DOCTYPE html PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN" "http://www.w3.org/TR/html4/loose.dtd"> <html> <head> <meta http-equiv="Content-Type" content="text/html; charset=ISO-8859-1"> <title>Insert title here</title> </head> <body> Hello <%= request.getUserPrincipal().getName().toString() %> You are able to view this page because you are authenticated user. </body> </html>
and the web.xml remains the same, i'm stuck :'(

I want to thank you for your reply,
I would like to know what needs to be changed to make it work,please
and thank you in advance :)

I understood what you said, but i don't know how can i applied it :(

https://coderanch.com/t/630155/Servlets/java/url-pattern-url-pattern-web

Same basic problem. Trying to match too many URLs in one pattern.

Thank you for your reply :)
the authetication work now, i just replace \* by \home.jsp in web.xml.
But, why the login page displaied without style defined in style.css??

Use a server-relative path to include the CSS file: https://coderanch.com/how-to/java/TypesOfPaths

Thank you very much,
It work now, i just replace href="/inc/style.css" by href="<%=request.getContextPath()%>/inc/style.css"

Sigh. You should be using the EL rather than scriptlet expressions.

Where should i use the EL expression? I didn't use code java here !
I have another problem, when i want to logout,
<div class="wg-button"> <center> <a style="position:relative" href="authentication/authentication.jsp" title="Logout"> <img src="image/bouton.png" alt=""> <span style="position: absolute;right:10px;top:11px;width:180px "> <font color="white"> Logout </font> </span> </a> </center> </div>
The authentication page displayed and not the login page.
Andi if i change the href to "Login.jsp", when i want to login another time an error appears.

Where should i use the EL expression? I didn't use code java here !

You do here: <%=request.getContextPath()%>. You can use a functionally equivalent EL expression instead of scriptlets.

Do you mean this expression ?
href="${pageContext.request.contextPath}/inc/style.css"

Yes.

What about the other question ?

What is the other question? And, you should not be using the deprecated font tag.

I have another problem, when i want to logout,
<div class="wg-button"> <center> <a style="position:relative" href="authentication/authentication.jsp" title="Logout"> <img src="image/bouton.png" alt=""> <span style="position: absolute;right:10px;top:11px;width:180px "> <font color="white"> Logout </font> </span> </a> </center> </div>
The authentication page displayed and not the login page.
Andi if i change the href to "Login.jsp", when i want to login another time an error appears.