What is FORM based login and how do I use it? Also, what servlet containers support it?

Dieter Wimberger

Form based login is one of the four known web based login mechanisms. For completeness I list all of them with a description of their nature:

  1. HTTP Basic Authentication

    An authentication protocol defined within the HTTP protocol (and based on headers). It indicates the HTTP realm for which access is being negotiated and sends passwords with base64 encoding, therefore it is not very secure. (See RFC2068 for more information.)

  2. HTTP Digest Authentication

    Like HTTP Basic Authentication, but with the password transmitted in an encrypted form. It is more secure than Basic, but less than HTTPS Authentication, which uses private keys. Yet it is not currently in widespread use.

  3. HTTPS Authentication (SSL Mutual Authentication)

    This security mechanism provides end user authentication using HTTPS (HTTP over SSL). It performs mutual (client & server) certificate based authentication with a set of different cipher suites.

  4. Form Based Login

    A standard HTML form (static, Servlet/JSP or script generated) for logging in. It can be associated with protection or user domains, and is used to authenticate previously unauthenticated users.
    The major advantage is that the look and feel of the login screen can be controlled (in comparison to the HTTP browsers' built-in mechanisms).

Support for 1., 3., and 4. of these authentication mechanisms is a requirement of the J2EE Specification (as of v1.2, Required Login Mechanisms). (HTTP Digest Authentication is not a requirement, but containers are encouraged to support it.)

You can also see the section of the J2EE Specs (User Authentication, Web Client) for more detailed descriptions of the mechanisms.

Thus any Servlet container that conforms to the J2EE Platform specification should support form based login.
To be more specific, the Servlet 2.2 Specification describes the same mechanisms in section 11.5, including form based login in 11.5.3.

This section (11.5.3) describes in depth the nature, the requirements and the naming conventions of form based login, and I suggest taking a look at it.

Here is a sample of a conforming HTML login form:

    <!-- the action "j_security_check" and the field names "j_username" and "j_password" are mandated by the Servlet 2.2 spec -->
    <form method="POST" action="j_security_check">
      <input type="text" name="j_username">
      <input type="password" name="j_password">
      <input type="submit" value="Login">
    </form>

Known Servlet containers that support FORM-based login are:

  • iPlanet Application Server
  • Tomcat (the reference implementation of the Java Servlet API)

URL Pointers:

  1. Java Servlet API Specification 2.2
  2. J2EE Platform Specification