Java Reference
In-Depth Information
Switching to FORM-based security
FORM-based authentication lets developers customize the authentication user interface, ad-
apting it, for example, to your company's standards. Configuring it in your application re-
quires you to basically modify just the
login-config
stanza of the security section of
your
web.xml
file. Within it, we will define a login landing page (
login.xhtml
) and
an error page (
error.xhtml
), in case the login fails. The code snippet for it is as fol-
lows:
<login-config>
<auth-method>FORM</auth-method>
<form-login-config>
<form-login-page>/faces/login.xhtml</form-login-page>
<form-error-page>/faces/error.xhtml</form-error-page>
</form-login-config>
</login-config>
The login form must contain fields to enter a username and password. These fields must be
named
j_username
and
j_password
, respectively. The authentication form should
post these values to the
j_security_check
logical name. All these names beginning
with
j_
are standardized by the Java Servlet specification—we just need to follow the con-
vention in order to let the automatic mechanisms work. Here's a simple
login.xhtml
page, which can be used to pass the required values to the security system:
<?xml version='1.0' encoding='UTF-8' ?>
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0
Transitional//EN"
"http://www.w3.org/TR/xhtml1/DTD/
xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml"
xmlns:h="http://xmlns.jcp.org/jsf/html">
<head>
<title>FORM based Login</title>
</head>
<body>
<form method="post" action="j_security_check"
name="loginForm">
<h:panelGrid columns="2">
