Authentication

November 24th, 2008 by uCertify

Authentication is the process of verifying the identity of a user. This is usually done using a user name and a password. This process compares the provided user name and password with those stored in the database of an authentication server.

There are four types of authentication as follows:

  1. BASIC: It transmits the user name and password over the network in Base64 encoding, without encryption, and hence is not very secure.
  2. DIGEST: It transmits data in hashed form.
  3. CLIENT-CERT: It transmits data in the form of public key certificates. It is a secure method but is rarely used, as it requires that consumers have certificates.
  4. FORM: It transmits data without any encryption and is not secure. Users can develop their own custom login form.

BASIC authentication is an authentication method that transmits the user name and password over the network in Base64 encoding. It is very easy to set up and is supported by all browsers. However, it is not very secure, as Base64 is an encoding that anyone can reverse, so the user name and password are not encrypted. Moreover, the login dialog looks ugly, as it cannot be customized.

The steps followed in BASIC authentication are as follows:

  • A client sends a request for a protected resource.
  • The web server returns a dialog box that requests the user name and password.
  • The client submits the user name and password to the server.
  • The server validates the name and password and, if successful, returns the requested resource.

DIGEST authentication is an authentication method that transmits data in hashed form: the client sends a digest computed from the password rather than the password itself. It is secure, as the password is not sent in readable form and cannot be determined by sniffing network traffic. However, this authentication method is not supported by all browsers.

CLIENT-CERT authentication uses a public key certificate to authenticate a user. It uses HTTP over SSL, in which the server and the client authenticate each other with public key certificates. This form of authentication is more secure than the BASIC and FORM-based authentication methods. However, it is costly to implement, as it requires the user to configure SSL support on the server and to set up the public key certificate.

Form-based authentication allows users to create their own custom forms. It requires session tracking for the authentication, so that the container may use the login form.

The following steps are required in form-based authentication:

  1. Create a login form: It requires three elements, namely j_security_check, j_username, and j_password. The syntax of the login form is as follows:
    <form method="POST" action="j_security_check">
    <input type="text" name="j_username">
    <input type="password" name="j_password">
    </form>
  2. Create an error page: It specifies the error message shown when incorrect user information is provided.
  3. Declare the login form and error page in the deployment descriptor: The login and the error pages are declared in the deployment descriptor inside the <login-config> element as follows:

    <login-config>
       <auth-method>FORM</auth-method>
       <form-login-config>
          <form-login-page>/login.jsp</form-login-page>
          <form-error-page>/errorpage.html</form-error-page>
       </form-login-config>
    </login-config>

The entries for the login form in a form-based authentication are as follows:

  • j_security_check: This field declares the action of the login form as follows:
    <form method="POST" action="j_security_check">
  • j_username: The container uses this field to store the username as follows:
    <input type="text" name="j_username">
  • j_password: The container uses this field to store the password of the user as follows:
    <input type="password" name="j_password">