At request time, the server automatically
prompts users for usernames and passwords when they try to access
restricted resources, automatically checks the results against a predefined
set of usernames and passwords, and automatically keeps
track of which users have previously been authenticated. This process
is completely transparent to the servlets and JSP pages.

To safeguard network data, you use the deployment descriptor to
stipulate that certain URLs should only be accessible with SSL. If
users try to use a regular HTTP connection to access one of these
URLs, the server automatically redirects them to the HTTPS (SSL)
equivalent.

2. Programmatic security. With programmatic security, the topic of
the next chapter, protected servlets and JSP pages at least partially
manage their own security.

To prevent unauthorized access, each servlet or JSP page must
either authenticate the user or verify that the user has been authenticated
previously.

To safeguard network data, each servlet or JSP page has to check
the network protocol used to access it. If users try to use a regular
HTTP connection to access one of these URLs, the servlet or JSP
page must manually redirect them to the HTTPS (SSL) equivalent.

3.1 Form-Based Authentication

The most common type of declarative security uses regular HTML forms. The developer
uses the deployment descriptor to identify the protected resources and to designate
a page that has a form to collect usernames and passwords.