servlets - Java EE Login Page Problem

Question

i try to code a login form which passes username and password to a servlet and let the user login.

Then, in the servlet, i lo

request.login(username, password);

but it throws exception which failed to authenticate the user.

String authType = request.getAuthType();
if(authType != null) {
request.login(username, password);
}

1. I wonder how to code a simple login page.
2. What is the uses of request.authenticate(response);

I try that and it pop out a screen which cannot be proceed anymore.

1. I try to refer this page http://download.oracle.com/javaee/1.4/tutorial/doc/Security5.html which i think need to configure the authentication first before login and add some user.

Please help.

Thanks.

Answer 1

The use of the HttpServletRequest#login() method indicates that you're using Servlet 3.0 which is part of Java EE 6. Yet you're reading a 7.5 years old J2EE 1.4 tutorial. I'd suggest to put that dusty tutorial aside and read the Java EE 6 tutorial instead. Container managed security starts here.

Back to your concrete problem, the login() will (as documented) throw an exception when the login is invalid or when the container doesn't have any Realm definied at all. Assuming that you're certain that the username/password is valid, it'll probably be the last cause. How to do it exactly depends on the servletcontainer in question. Just consult its documentation using the keyword "Realm". For example, for Tomcat 7.0 that's the Realm Configuration HOW-TO. If you have the usernames/passwords in a SQL database, you'll probably want to use the JDBCRealm.

Once you've configured a Realm at servletcontainer level, then you'll be able to use the login() method the way you want. Don't forget to add a <security-constraint> to the web.xml as per the Java EE 6 tutorial to restrict access on certain URL patterns and specify the URL of the login page.