How do I use Form authentication with Tomcat?
Author: Deron Eriksson
Description: This tutorial describes the use of Form authentication with Tomcat.
Tutorial created using:
Windows XP || JDK 1.5.0_09 || Eclipse Web Tools Platform 1.5.1 || Tomcat 5.5.20
(Continued from page 2)

Just for fun, let's delve a little deeper by monitoring the TCP/IP communication between the browser and Tomcat. I changed the transport-guarantee to NONE so that I could use HTTP rather than HTTPS to watch the communication between the browser and Tomcat. I set up a TCP/IP Monitor on port 8081 that forwards to Tomcat on port 8080. The browser makes the following request to our server, asking for tomcat-demo's 'test', which is our test servlet.

GET /tomcat-demo/test HTTP/1.1
Accept: */*
Accept-Language: en-us
UA-CPU: x86
Accept-Encoding: gzip, deflate
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 5.1; .NET CLR 1.0.3705; .NET CLR 1.1.4322; Media Center PC 4.0; .NET CLR 2.0.50727)
Host: localhost:8081
Connection: Keep-Alive

The server sends back the following response to the browser. Notice that the header contains a Set-Cookie directive with a JSESSIONID value. This JSESSIONID string is an identifier that the browser can later send back to the server, thus letting the server identify the particular browser client and its 'session'. This response contains the login.html form.

HTTP/1.1 200 OK
Server: Apache-Coyote/1.1
Pragma: No-cache
Cache-Control: no-cache
Expires: Wed, 31 Dec 1969 16:00:00 PST
Set-Cookie: JSESSIONID=318A0B6C6E5C15E2D2AA2ACF9D531AC8; Path=/tomcat-demo
ETag: W/"407-1177060024390"
Last-Modified: Fri, 20 Apr 2007 09:07:04 GMT
Content-Type: text/html
Content-Length: 407
Date: Sun, 22 Apr 2007 09:35:31 GMT

<form method="POST" action="j_security_check">
<table>
<tr>
<td colspan="2">Login to the Tomcat-Demo application:</td>
</tr>
<tr>
<td>Name:</td>
<td><input type="text" name="j_username" /></td>
</tr>
<tr>
<td>Password:</td>
<td><input type="password" name="j_password" /></td>
</tr>
<tr>
<td colspan="2"><input type="submit" value="Go" /></td>
</tr>
</table>
</form>

The user fills out the form with the name 'myname' and the password 'mypassword' and clicks the submit button, which sends the following request to the server at /tomcat-demo/j_security_check. The name and password get POSTed to Tomcat, and we can see the form values in the request body. Notice that the browser sends the JSESSIONID cookie value back to the server, thus letting the server know which client is talking to it.

POST /tomcat-demo/j_security_check HTTP/1.1
Accept: */*
Referer: http://localhost:8081/tomcat-demo/test
Accept-Language: en-us
Content-Type: application/x-www-form-urlencoded
UA-CPU: x86
Accept-Encoding: gzip, deflate
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 5.1; .NET CLR 1.0.3705; .NET CLR 1.1.4322; Media Center PC 4.0; .NET CLR 2.0.50727)
Host: localhost:8081
Content-Length: 39
Connection: Keep-Alive
Cache-Control: no-cache
Cookie: JSESSIONID=318A0B6C6E5C15E2D2AA2ACF9D531AC8

j_username=myname&j_password=mypassword

Since the authentication succeeds, the server now grants the client access to the resource. It sends a 302 response to the client, directing the browser to make a new request to the test servlet URL.

HTTP/1.1 302 Moved Temporarily
Server: Apache-Coyote/1.1
Location: http://localhost:8081/tomcat-demo/test
Content-Length: 0
Date: Sun, 22 Apr 2007 09:35:37 GMT

The client makes a new request for the test servlet URL (/tomcat-demo/test) and includes the JSESSIONID cookie so that the server can identify that this is the client that just authenticated and should be given access to the resource.

GET /tomcat-demo/test HTTP/1.1
Accept: */*
Referer: http://localhost:8081/tomcat-demo/test
Accept-Language: en-us
UA-CPU: x86
Accept-Encoding: gzip, deflate
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 5.1; .NET CLR 1.0.3705; .NET CLR 1.1.4322; Media Center PC 4.0; .NET CLR 2.0.50727)
Host: localhost:8081
Connection: Keep-Alive
Cache-Control: no-cache
Cookie: JSESSIONID=318A0B6C6E5C15E2D2AA2ACF9D531AC8

The server returns the response generated by the test servlet, which we can see below.

HTTP/1.1 200 OK
Server: Apache-Coyote/1.1
Pragma: No-cache
Cache-Control: no-cache
Expires: Wed, 31 Dec 1969 16:00:00 PST
Content-Type: text/html;charset=ISO-8859-1
Content-Length: 682
Date: Sun, 22 Apr 2007 09:35:37 GMT

This is the Test Servlet
<br/>Header Name: <em>accept-encoding</em>, Header Value: <em>gzip, deflate</em>
<br/>Header Name: <em>connection</em>, Header Value: <em>Keep-Alive</em>
<br/>Header Name: <em>host</em>, Header Value: <em>localhost:8081</em>
<br/>Header Name: <em>accept-language</em>, Header Value: <em>en-us</em>
<br/>Header Name: <em>user-agent</em>, Header Value: <em>Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 5.1; .NET CLR 1.0.3705; .NET CLR 1.1.4322; Media Center PC 4.0; .NET CLR 2.0.50727)</em>
<br/>Header Name: <em>ua-cpu</em>, Header Value: <em>x86</em>
<br/>Header Name: <em>accept</em>, Header Value: <em>*/*</em>

Hopefully this tutorial has helped you understand how to set up Form authentication in a web application using Tomcat.
I hope that it has also helped shed light on some of the mechanics behind how Form authentication works, since we looked at the detailed communication between the browser and the server.
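As an added example (this script is not part of the tutorial and not Tomcat code), the following Python program parses the same three-step exchange from text copies of the captured messages and traces the JSESSIONID through it: the id is issued with the login page, is echoed on the POST to j_security_check, and is the one the browser presents when it follows the 302 back to the protected servlet. It also records the two things a reviewer would note from this particular capture: because transport-guarantee was set to NONE, the j_password field crossed the wire in a plain HTTP form body, and the Set-Cookie header carries no Secure or HttpOnly attribute. The messages in SAMPLE_EXCHANGE are constructed to mirror the capture above with most headers trimmed, and all function names (parse_http, trace_form_login and the rest) are my own.

```python
# Added example (not tutorial code): parse a captured Tomcat form-login
# exchange and trace the JSESSIONID through challenge, POST and redirect.
from urllib.parse import parse_qs, urlsplit

CRLF = "\r\n"

def parse_http(raw):
    """Split a raw HTTP/1.1 message into start line, header map and body.
    Header names are lower-cased; repeated headers keep every value."""
    head, _, body = raw.partition(CRLF + CRLF)
    lines = head.split(CRLF)
    headers = {}
    for line in lines[1:]:
        name, _, value = line.partition(":")
        headers.setdefault(name.strip().lower(), []).append(value.strip())
    return {"start": lines[0], "headers": headers, "body": body}

def second_token(msg):
    """Request target for a request, status code (as text) for a response."""
    return msg["start"].split()[1]

def set_cookie(msg, name):
    """(value, {attribute names}) for the named Set-Cookie, else (None, set())."""
    for header in msg["headers"].get("set-cookie", []):
        parts = [p.strip() for p in header.split(";")]
        key, _, value = parts[0].partition("=")
        if key == name:
            return value, {p.split("=", 1)[0].lower() for p in parts[1:]}
    return None, set()

def request_cookie(msg, name):
    """Value of the named cookie the client sent, else None."""
    for header in msg["headers"].get("cookie", []):
        for pair in header.split(";"):
            key, _, value = pair.strip().partition("=")
            if key == name:
                return value
    return None

def trace_form_login(exchange, scheme="http"):
    """exchange: ordered [(raw_request, raw_response)] for the three steps in
    the capture: challenge (login page), POST to j_security_check, redirect
    back to the protected resource.  scheme is 'http' or 'https'."""
    (req1, rsp1), (req2, rsp2), (req3, rsp3) = [
        (parse_http(q), parse_http(r)) for q, r in exchange]
    protected = second_token(req1)
    sid, attrs = set_cookie(rsp1, "JSESSIONID")
    creds = parse_qs(req2["body"])
    location = rsp2["headers"].get("location", [""])[0]
    return {
        "protected_resource": protected,
        "session_id": sid,
        "login_form_served": "j_security_check" in rsp1["body"],
        "credentials_posted": second_token(req2).endswith("/j_security_check")
        and {"j_username", "j_password"} <= set(creds),
        "username": creds.get("j_username", [None])[0],
        # the id issued with the login page must come back on the POST and GET
        "session_consistent": sid is not None
        and request_cookie(req2, "JSESSIONID") == sid
        and request_cookie(req3, "JSESSIONID") == sid,
        "redirected_to_resource": second_token(rsp2) == "302"
        and urlsplit(location).path == protected
        and second_token(req3) == protected,
        "resource_served": second_token(rsp3) == "200",
        # review points: with transport-guarantee NONE the password travels in
        # a plain HTTP form body, and the cookie has no Secure/HttpOnly flag
        "password_in_clear": scheme == "http" and "j_password" in creds,
        "cookie_secure": "secure" in attrs,
        "cookie_httponly": "httponly" in attrs,
    }

def _msg(*lines, body=""):
    """Assemble a raw message from header lines (sample-building helper)."""
    return CRLF.join(lines) + CRLF + CRLF + body

SID = "318A0B6C6E5C15E2D2AA2ACF9D531AC8"  # the id seen in the capture
# Constructed sample mirroring the capture above, with most headers trimmed.
SAMPLE_EXCHANGE = [
    (_msg("GET /tomcat-demo/test HTTP/1.1", "Host: localhost:8081"),
     _msg("HTTP/1.1 200 OK", "Server: Apache-Coyote/1.1",
          "Set-Cookie: JSESSIONID=" + SID + "; Path=/tomcat-demo",
          "Content-Type: text/html",
          body='<form method="POST" action="j_security_check">...</form>')),
    (_msg("POST /tomcat-demo/j_security_check HTTP/1.1", "Host: localhost:8081",
          "Content-Type: application/x-www-form-urlencoded",
          "Cookie: JSESSIONID=" + SID,
          body="j_username=myname&j_password=mypassword"),
     _msg("HTTP/1.1 302 Moved Temporarily",
          "Location: http://localhost:8081/tomcat-demo/test", "Content-Length: 0")),
    (_msg("GET /tomcat-demo/test HTTP/1.1", "Host: localhost:8081",
          "Cookie: JSESSIONID=" + SID),
     _msg("HTTP/1.1 200 OK", "Content-Type: text/html;charset=ISO-8859-1",
          body="This is the Test Servlet")),
]

if __name__ == "__main__":
    for key, value in trace_form_login(SAMPLE_EXCHANGE).items():
        print("%-24s %s" % (key, value))
```

Running the script prints one line per check. The same function can be pointed at a real capture by pasting the raw request and response text from the TCP/IP Monitor into the three pairs; passing scheme="https" reflects a deployment where transport-guarantee is CONFIDENTIAL, in which case password_in_clear becomes False while the cookie attribute checks still report whatever the Set-Cookie header actually carried.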