4 authentication methods to identify a user with JAAS over HTTP

  • basic authentication : the browser popup asking for login/password, sending the credentials without encrypting anything :-C
  • digest authentication : same as basic, but the password travels as a digest (hash) instead of in clear. Not a really nice user experience (login popups remind of the 90's :( )
  • certificate based authentication : HTTPS, i.e. HTTP over SSL (Secure Sockets Layer). First the usual PKI handshake (asymmetric encryption), then the usual symmetric encryption for performance. (A variant of this authentication also exists for installations that hand users their own PKI certificates, on a chip card for example.)
  • form based authentication : the usual HTML form...

How do I do that?

-> form based authentication, the one most often used :

  • add a security constraint and a security role in web.xml :
    <!-- everything under /private/ is only served to an authenticated user holding the "restricted" role -->
    <security-constraint>
      <web-resource-collection>
        <web-resource-name>All JSP direct access</web-resource-name>
        <!-- a servlet url-pattern must start with "/" ("private/*" is not a valid pattern) -->
        <url-pattern>/private/*</url-pattern>
        <!-- listing methods limits the constraint to those methods only;
             leave the http-method elements out to cover every method -->
        <http-method>POST</http-method>
        <http-method>GET</http-method>
      </web-resource-collection>
      <auth-constraint>
        <description>No Access</description>
        <role-name>restricted</role-name>
      </auth-constraint>
    </security-constraint>

    <!-- the role referenced by the auth-constraint must be declared -->
    <security-role>
      <description>NO Access</description>
      <role-name>restricted</role-name>
    </security-role>
  • edit the web.xml file to add a login-config block :
    <login-config>
      <!-- FORM: the container redirects unauthenticated requests to the login page below -->
      <auth-method>FORM</auth-method>
      <realm-name>JAASDBRealm</realm-name>
      <form-login-config>
        <!-- the page that carries the HTML login form -->
        <form-login-page>/blog.html</form-login-page>
        <!-- the page shown after a failed login (here the same page) -->
        <form-error-page>/blog.html</form-error-page>
      </form-login-config>
    </login-config>
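The form-login-page named above has to carry the login form itself, and the servlet container, not the application, processes its submission. As an added example (not taken from the original post), this is the minimal form /blog.html needs: the action j_security_check and the field names j_username and j_password are fixed by the Servlet specification; the surrounding markup, labels and autocomplete hints are assumptions of this example.

```html
<!-- Added example: minimal login form for a FORM auth-method in web.xml.
     j_security_check, j_username and j_password are mandated by the Servlet
     specification; the container intercepts this POST and validates the
     credentials against the configured realm (JAASDBRealm in the post). -->
<form method="post" action="j_security_check">
  <label for="j_username">Login</label>
  <input type="text" id="j_username" name="j_username" autocomplete="username" required>

  <label for="j_password">Password</label>
  <input type="password" id="j_password" name="j_password" autocomplete="current-password" required>

  <button type="submit">Sign in</button>
</form>
```

The action is relative on purpose: the container resolves j_security_check against the path of the page that shows the form. Note that a form login sends the password in clear just like basic authentication does, so the security-constraint above should also contain a user-data-constraint with a transport-guarantee of CONFIDENTIAL, which makes the container serve those URLs over HTTPS only.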

Then configure your JAAS realm. Done. ;-)
-> Seriously. I'll complete the article later.

http://delicious.com/nicobeez/security