Form Based Authentication in JSP using Tomcat
January 10, 2015
Java EE provides form based authentication for web applications, in which the container displays a login form. Authorization is role based: we define roles and user credentials in tomcat-users.xml, and web.xml configures <security-constraint>, <login-config> and <security-role>. The login form must use the j_security_check action in its form tag, and the username and password fields must be named j_username and j_password. Find the example below, which uses form based authentication with some JSP files.
Create Role and User in tomcat-users.xml
We can create roles and users in Tomcat. Go to tomcat_home/conf/tomcat-users.xml and add the roles and users.
tomcat-users.xml
<role rolename="tomcat"/>
<role rolename="role1"/>
<role rolename="employee"/>
<user username="concretepage" password="concretepage" roles="employee"/>
<user username="tomcat" password="tomcat" roles="tomcat"/>
<user username="both" password="tomcat" roles="tomcat,role1"/>
<user username="role1" password="tomcat" roles="role1"/>
<security-constraint>, <login-config> and <security-role> in web.xml
To configure security in web.xml, we need to add the tags below.
<security-constraint>: This tag defines a web resource collection in which a URL pattern is defined. Security is applied to requests matching this URL pattern, and the login page is displayed for them. The <auth-constraint> inside it lists the role names allowed to access those resources.
<login-config>: This tag defines the authentication method, the realm name and the form login configuration. In the form login configuration we need to define form-login-page and form-error-page.
<security-role>: This tag defines the security role. It must match a role defined in tomcat-users.xml.
<!DOCTYPE web-app PUBLIC "-//Sun Microsystems, Inc.//DTD Web Application 2.3//EN"
    "http://java.sun.com/dtd/web-app_2_3.dtd" >
<web-app>
    <display-name>Login Demo Using j_security_check</display-name>
    <!--Defines Security Constraint -->
    <security-constraint>
        <display-name>JSP Demo Constraint</display-name>
        <web-resource-collection>
            <web-resource-name>cp</web-resource-name>
            <description/>
            <url-pattern>/*</url-pattern>
        </web-resource-collection>
        <auth-constraint>
            <description/>
            <role-name>employee</role-name>
        </auth-constraint>
    </security-constraint>
    <!--Defines Login Config -->
    <login-config>
        <auth-method>FORM</auth-method>
        <realm-name>file</realm-name>
        <form-login-config>
            <form-login-page>/login.jsp</form-login-page>
            <form-error-page>/error.jsp</form-error-page>
        </form-login-config>
    </login-config>
    <!--Defines Security Role -->
    <security-role>
        <description/>
        <role-name>employee</role-name>
    </security-role>
</web-app>
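To see how the container combines tomcat-users.xml and web.xml into an access decision, here is an added example that is not part of the original post or the demo project: it parses constructed copies of both files, applies the servlet-spec url-pattern matching order (exact, longest prefix, extension, default) and the auth-constraint rules, and answers whether a given user may reach a given path. The second security-constraint for /public/* is an assumption added to show that a constraint without <auth-constraint> leaves its resources open; the post's own web.xml protects everything under /* for the employee role only.

```python
# Model of the container's access decision. Inputs below are constructed for this example.
import xml.etree.ElementTree as ET

TOMCAT_USERS = """<tomcat-users><role rolename="tomcat"/><role rolename="employee"/>
  <user username="concretepage" password="concretepage" roles="employee"/>
  <user username="tomcat" password="tomcat" roles="tomcat"/>
  <user username="both" password="tomcat" roles="tomcat,role1"/></tomcat-users>"""

WEB_XML = """<web-app>
  <security-constraint>
    <web-resource-collection><url-pattern>/*</url-pattern></web-resource-collection>
    <auth-constraint><role-name>employee</role-name></auth-constraint>
  </security-constraint>
  <security-constraint><!-- assumed extra constraint: public area, no auth-constraint -->
    <web-resource-collection><url-pattern>/public/*</url-pattern></web-resource-collection>
  </security-constraint></web-app>"""

def user_roles(tomcat_users_xml):
    # username -> set of roles taken from the comma-separated roles attribute
    return {u.get("username"): {r.strip() for r in u.get("roles", "").split(",") if r.strip()}
            for u in ET.fromstring(tomcat_users_xml).iter("user")}

def constraints(web_xml):
    # list of (url-pattern, roles); roles None = no <auth-constraint> (open), empty set = deny all
    out = []
    for sc in ET.fromstring(web_xml).iter("security-constraint"):
        ac = sc.find("auth-constraint")
        roles = None if ac is None else {r.text.strip() for r in ac.iter("role-name")}
        out.extend((p.text.strip(), roles) for p in sc.iter("url-pattern"))
    return out

def match_rank(pattern, path):
    # servlet-spec order: exact, longest path prefix, extension, default "/"; None = no match
    if pattern == path: return (0, 0)
    if pattern.endswith("/*") and (path == pattern[:-2] or path.startswith(pattern[:-1])):
        return (1, -len(pattern))
    if pattern.startswith("*.") and path.endswith(pattern[1:]): return (2, 0)
    return (3, 0) if pattern == "/" else None

def can_access(web_xml, tomcat_users_xml, username, path):
    # username None = not logged in; only the best-matching pattern's constraints apply,
    # their role lists are combined, and "**" admits any authenticated user
    held = user_roles(tomcat_users_xml).get(username, set())
    ranked = [(match_rank(p, path), roles) for p, roles in constraints(web_xml)]
    ranked = [(r, roles) for r, roles in ranked if r is not None]
    if not ranked:
        return True                              # no constraint covers this path
    role_sets = [roles for r, roles in ranked if r == min(r for r, _ in ranked)]
    if any(roles is None for roles in role_sets):
        return True                              # constraint without <auth-constraint> opens it
    allowed = set().union(*role_sets)
    return ("**" in allowed and username is not None) or bool(held & allowed)
```

With the post's configuration, can_access returns True only for the employee user (concretepage); the tomcat user and an unauthenticated visitor are denied on every path under /*.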
Login Form using j_security_check, j_username and j_password
To create a login form, we must use j_security_check, j_username and j_password. The form action must be j_security_check, the username input field must be named j_username and the password input field must be named j_password. Java EE defines the j_security_check action for login forms, so many different web application resources can be authenticated the same way, and it expects the username and password fields to be named j_username and j_password. Find the login page.
login.jsp
<html>
<head><title></title></head>
<body>
<h2>Login Demo Using j_security_check</h2>
<form name="loginForm" method="POST" action="j_security_check">
    <p>User name: <input type="text" name="j_username" size="20"/></p>
    <p>Password: <input type="password" size="20" name="j_password"/></p>
    <p><input type="submit" value="Submit"/></p>
</form>
</body>
</html>
index.jsp
<h1>You have successfully logged-in</h1>
<a href="logout.jsp">Click to Logout</a>
error.jsp
<html>
<head><title>Login Error</title></head>
<body>
<h3>Login Error</h3>
<a href="index.jsp">Click to Login Again</a>
</body>
</html>
How to log out
To log out, we just need to invalidate the session.
logout.jsp
<%
session.invalidate();
response.sendRedirect("index.jsp");
%>
Project Structure in Eclipse
Find the project structure in eclipse.
Output
Deploy the war file in tomcat and access the URL http://localhost:8080/concretepage-1/
Find the login page.
Find the success page for a correct username and password; in our demo this is concretepage/concretepage.
Find the error page for a wrong username and password.
Run Application
Find the steps to run the application.
1. Download the source code.
2. Go to the root directory using command prompt and run the command
gradle clean build
3. The WAR file will be created inside build/libs
4. Deploy the WAR in Tomcat.
5. Go to tomcat_home/conf/tomcat-users.xml and add the following lines
<role rolename="tomcat"/>
<role rolename="role1"/>
<role rolename="employee"/>
<user username="concretepage" password="concretepage" roles="employee"/>
<user username="tomcat" password="tomcat" roles="tomcat"/>
<user username="both" password="tomcat" roles="tomcat,role1"/>
<user username="role1" password="tomcat" roles="role1"/>
6. Restart Tomcat and test the application with the following credentials
user: concretepage
pwd: concretepage
Download Source Code