NonStop Servlets for JavaServer Pages (NSJSP) 6.1 System Administrator's Guide
Security Considerations
NonStop Servlets for JavaServer Pages (NSJSP) 6.1 System Administrator’s Guide—596210-006
Form-Based Authentication
</form-error-page>
</form-login-config>
</login-config>
The login form must contain HTML fields for entering a username and a password, and
these fields must be named j_username and j_password, respectively.
For form-based authentication to function properly, you must always set the
action attribute in the login form to j_security_check. The following is sample
form code for an HTML logon page:
<form method="POST" action="j_security_check">
<input type="text" name="j_username">
<input type="password" name="j_password">
</form>
The following sequence of steps occurs when a user attempts to access a protected
web resource using form-based authentication:
1. The login form associated with the security constraint is sent to the web browser
   and the URL path triggering the authentication is stored by the NSJSP container.
2. The user is prompted to enter the username and password in the login form.
3. The web browser sends the login form to the server.
4. The NSJSP container attempts to authenticate the user using the information from
   the form:
   a. If authentication fails, the container returns an error page.
   b. If authentication succeeds, the authenticated user's credential is checked to
      verify that it has been assigned a role that is authorized to access the web
      resource.
5. If the user is authorized, the web browser is redirected to the web resource using
   the stored URL path in the NSJSP container.
Like the HTTP basic authentication method, the form-based authentication method
lacks security on its own because the password is transmitted as plain text. A
secured transport layer, such as SSL, can ease some of these concerns.
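The following Python check is an added example, not code from the NSJSP manual. It audits a deployment descriptor and a login page against the requirements above: the j_username and j_password field names, the j_security_check action, and a secured transport for resources behind form login. It assumes that the standard servlet descriptor element transport-guarantee with the value CONFIDENTIAL is how SSL is required, which this page does not mention; the sample web.xml and login page are constructed.

```python
import xml.etree.ElementTree as ET
from html.parser import HTMLParser
# Constructed samples: no transport guarantee; misspelled password field name.
WEB_XML = """<web-app>
 <security-constraint>
  <web-resource-collection><url-pattern>/reports/*</url-pattern></web-resource-collection>
  <auth-constraint><role-name>manager</role-name></auth-constraint>
 </security-constraint>
 <login-config><auth-method>FORM</auth-method></login-config>
</web-app>"""
LOGIN_HTML = """<form method="POST" action="j_security_check">
<input type="text" name="j_username"><input type="password" name="j_pasword">
</form>"""

def _all(node, name):
    # Match on the local name so descriptors that declare a namespace also work.
    return [e for e in node.iter() if e.tag.rsplit("}", 1)[-1] == name]

def _texts(node, name):
    return [(e.text or "").strip() for e in _all(node, name)]

def audit_web_xml(xml_text):
    """Return URL patterns behind FORM login that are not forced onto SSL."""
    root = ET.fromstring(xml_text)
    form_login = "FORM" in _texts(root, "auth-method")
    # Assumption: a CONFIDENTIAL transport-guarantee is how SSL is required.
    return [p for sc in _all(root, "security-constraint")
            if form_login and _all(sc, "auth-constraint")
            and "CONFIDENTIAL" not in _texts(sc, "transport-guarantee")
            for p in _texts(sc, "url-pattern")]

class _LoginForm(HTMLParser):
    def __init__(self):
        super().__init__()
        self.action, self.fields = None, set()
    def handle_starttag(self, tag, attrs):
        if tag == "form":
            self.action = dict(attrs).get("action")
        elif tag == "input":
            self.fields.add(dict(attrs).get("name"))

def audit_login_form(html_text):
    """Return problems that would keep j_security_check from working."""
    form = _LoginForm()
    form.feed(html_text)
    missing = {"j_username", "j_password"} - form.fields
    problems = [f"missing field {name}" for name in sorted(missing)]
    if form.action != "j_security_check":
        problems.append("form action is not j_security_check")
    return problems
```

On the constructed samples, audit_web_xml reports /reports/* as reachable without a secured transport and audit_login_form reports the missing j_password field.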
Figure 8-4 shows the logon page for a form-based authentication.










