When choosing among the different types of authentication mechanisms offered by J2EE Web containers, form-based authentication is almost always selected ahead of its alternatives: HTTP basic authentication and HTTPS client authentication. However, beneath the customizable user interface, form-based authentication presents several challenges to architects looking for a robust enterprise authentication solution.
These challenges often manifest themselves as login-page access errors that arise when applications look to extend the concept of protected resources upon which form-based authentication is predicated. This can occur when a system exhibits requirements that are considered fairly common for an enterprise application, such as:
In both cases, form-based authentication alone will not be able to satisfy the system requirements.
Available Options
There are three solutions that are most frequently recommended by application architects looking to satisfy either of the aforementioned requirements. The first and most commonly suggested one is to build a custom, servlet-based authentication mechanism. This solution, although robust and well documented, fails to leverage the infrastructure provided by container-managed security and requires that the authentication mechanism be implemented programmatically. The second solution is to subclass or interface directly with the authentication APIs provided by the Web container - such as Tomcat's AuthenticatorBase class. Such a solution can only be recommended to seasoned Java programmers and introduces a dependency on a particular Web container's internal APIs.
The third solution - and the topic of this article - is the extension of the existing J2EE form-based authentication mechanism to satisfy these requirements. This solution will enable an application to overcome some of the most commonly encountered form-based authentication hurdles without sacrificing the utility of the Web container's preexisting authentication capabilities or introducing Web container dependencies.
Form-Based Authentication
Before launching into a discussion on extending form-based authentication, it's important to first understand what form-based authentication is and is not. Please note that although a brief description of form-based authentication is provided here, more detailed descriptions and set-up instructions can be found in the references section at the end of this article.
Form-based authentication is, at its core, a Java-specific, container-implemented authentication mechanism that allows the look and feel of the login screen to be customized. The login is performed via a form that must contain two fields for entering a username and a password, j_username and j_password, respectively, and a special container-recognized action - j_security_check.
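To make the two pieces concrete, here is an added example (not taken from the article) of the minimal wiring the container needs: a deployment descriptor that declares a protected resource and selects FORM authentication, followed by the login page the container serves for it. The URL pattern /secure/*, the role name user, and the page names login.jsp and login-error.jsp are assumptions chosen for illustration; the element names and the j_username, j_password and j_security_check identifiers are those defined by the Servlet specification. The transport-guarantee of CONFIDENTIAL is included so that the credentials the form posts travel only over HTTPS.

```xml
<!-- web.xml (added example; paths and role names are assumptions) -->
<web-app>
  <!-- The protected resource: any request under /secure/ triggers the
       container to redirect an unauthenticated user to the login page. -->
  <security-constraint>
    <web-resource-collection>
      <web-resource-name>Protected Area</web-resource-name>
      <url-pattern>/secure/*</url-pattern>
    </web-resource-collection>
    <auth-constraint>
      <role-name>user</role-name>
    </auth-constraint>
    <!-- Require TLS so j_password is never posted in clear text. -->
    <user-data-constraint>
      <transport-guarantee>CONFIDENTIAL</transport-guarantee>
    </user-data-constraint>
  </security-constraint>

  <!-- Select form-based authentication and name the two pages the
       container will serve: the login form and the failure page. -->
  <login-config>
    <auth-method>FORM</auth-method>
    <form-login-config>
      <form-login-page>/login.jsp</form-login-page>
      <form-error-page>/login-error.jsp</form-error-page>
    </form-login-config>
  </login-config>

  <security-role>
    <role-name>user</role-name>
  </security-role>
</web-app>

<!-- login.jsp, written as XHTML (added example). Only the three names
     below are mandatory; everything else on the page is free-form. -->
<html>
  <body>
    <!-- The action must be exactly j_security_check, relative to the
         protected resource the container redirected from. -->
    <form method="post" action="j_security_check">
      <label>Username <input type="text" name="j_username" /></label>
      <label>Password <input type="password" name="j_password" /></label>
      <input type="submit" value="Log in" />
    </form>
  </body>
</html>
```

The point to keep in mind for the rest of the article is the last comment: the container only recognizes a POST to j_security_check as part of a login sequence it started by intercepting a request for a protected resource. Serving the form in any other way, or linking to it directly, produces exactly the login-page access errors described above.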