HTML and CSS Reference
Note: It is important to note that HTTP basic authentication sends user names and passwords as Base64-encoded text, and form-based authentication sends them as plain text. Neither is secure on its own, so both should be used over a secure transport mechanism (such as SSL). Configuring SSL is specific to each application server, so check your server's documentation; for example, to configure SSL in Tomcat 7, see http://tomcat.apache.org/tomcat-7.0-doc/ssl-howto.html.
Digest authentication authenticates a user based on a user name and a password (like basic HTTP authentication).
However, unlike basic authentication, digest authentication does not send user passwords over the network. Instead,
the client sends a one-way cryptographic hash of the password.
Configuring an Authentication Method
To configure the authentication method in your Java EE web application, use the <login-config> element in the web configuration file (web.xml), as shown here:
As you may notice, the <login-config> element has the following sub-elements:
<auth-method> element specifies the authentication mechanism for the web application.
It can be DIGEST, BASIC, FORM, or NONE.
<realm-name> element specifies the realm name.
<form-login-config> element specifies the login and error pages. It is used only when
form-based login is configured.
Authorization defines the role-based access control that determines which parts of the system users are allowed to access. In Java EE, you achieve this with the <security-constraint> element in web.xml, as shown in Listing 12-1.
Listing 12-1. Sample <security-constraint> Example
<?xml version="1.0" encoding="UTF-8"?>
<web-app version="3.1" xmlns="http://xmlns.jcp.org/xml/ns/javaee"
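As an added check that is not part of the book, the script below audits a web.xml for the weakness the note above describes: BASIC or FORM authentication protecting URL patterns whose <security-constraint> does not require a CONFIDENTIAL transport guarantee (that is, SSL). The embedded web.xml is constructed for the example; the function names are my own.

```python
# Added example (not from the book): find protected URL patterns that would
# send BASIC/FORM credentials over an unprotected transport.
import xml.etree.ElementTree as ET

# Java EE 7 web.xml namespace, as used in Listing 12-1.
NS = {"j": "http://xmlns.jcp.org/xml/ns/javaee"}

# Constructed sample: /admin/* requires SSL, /reports/* does not.
SAMPLE_WEB_XML = """<?xml version="1.0" encoding="UTF-8"?>
<web-app version="3.1" xmlns="http://xmlns.jcp.org/xml/ns/javaee">
  <security-constraint>
    <web-resource-collection>
      <web-resource-name>Admin</web-resource-name>
      <url-pattern>/admin/*</url-pattern>
    </web-resource-collection>
    <auth-constraint><role-name>admin</role-name></auth-constraint>
    <user-data-constraint>
      <transport-guarantee>CONFIDENTIAL</transport-guarantee>
    </user-data-constraint>
  </security-constraint>
  <security-constraint>
    <web-resource-collection>
      <web-resource-name>Reports</web-resource-name>
      <url-pattern>/reports/*</url-pattern>
    </web-resource-collection>
    <auth-constraint><role-name>user</role-name></auth-constraint>
  </security-constraint>
  <login-config>
    <auth-method>BASIC</auth-method>
    <realm-name>example</realm-name>
  </login-config>
</web-app>
"""


def audit_web_xml(xml_text):
    """Return (auth_method, [protected url-patterns lacking a CONFIDENTIAL transport])."""
    root = ET.fromstring(xml_text)
    method = root.findtext("j:login-config/j:auth-method", default="NONE", namespaces=NS).strip().upper()
    # BASIC and FORM put the credential itself on the wire; DIGEST sends only a hash.
    credential_on_wire = method in ("BASIC", "FORM")
    findings = []
    for sc in root.findall("j:security-constraint", NS):
        guarantee = sc.findtext("j:user-data-constraint/j:transport-guarantee",
                                default="NONE", namespaces=NS).strip().upper()
        protected = sc.find("j:auth-constraint", NS) is not None  # role-restricted resource
        if credential_on_wire and protected and guarantee == "NONE":
            findings.extend(p.text.strip() for p in sc.findall("j:web-resource-collection/j:url-pattern", NS))
    return method, findings
```

Running audit_web_xml(SAMPLE_WEB_XML) reports /reports/* as a pattern that accepts BASIC credentials without requiring SSL; switching the auth-method to DIGEST clears the finding because no password is sent.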