The second approach we can use for authentication is Digest Authentication. This approach works much like basic authentication, with the exception that passwords are encrypted when sent to the server.
Digest authentication is not in widespread use, and many application servers do not support it; therefore, its use is discouraged.
The third approach we can use to authenticate users is a client-side certificate. These certificates are issued by certificate authorities such as Verisign or Thawte. Client-side certificates are essentially a file on the user's hard drive. The user's browser needs to be configured to use the client-side certificate for authentication.
Although applications using client-side certificates tend to be very secure, they are
not very common due to the expense and lack of convenience of issuing client-side
The fourth and most common approach to user authentication is form-based authentication. When using this type of authentication, we need to develop a JSP or HTML page used to collect user credentials. The advantages of this approach include the ability to make login pages as elaborate or as simple as we wish; additionally, the user name and password can be easily encrypted by setting up the page to use HTTPS (HTTP over SSL).
Implementing form-based authentication
To implement form-based authentication, a few steps need to be followed:
1. A login page needs to be created.
2. A login error page needs to be created; this page will be displayed when a
user enters incorrect credentials.
3. The web application needs to be configured to use a security realm for
Implementing the login page
The first step to follow to implement form-based authentication is to create a login
page. A fairly simple and "bare bones" login page is shown in the following listing:
<%@ page language="java" contentType="text/html; charset=UTF-8" %>
<!DOCTYPE html PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN"
"http://www.w3.org/TR/html4/loose.dtd">