Two Laptop Bag*
The moose likes Web Component Certification (SCWCD/OCPJWCD) and the fly likes question on form based authentication Big Moose Saloon
  Search | Java FAQ | Recent Topics | Flagged Topics | Hot Topics | Zero Replies
Register / Login
JavaRanch » Java Forums » Certification » Web Component Certification (SCWCD/OCPJWCD)
Bookmark "question on form based authentication " Watch "question on form based authentication " New topic
Author

question on form based authentication

Dave Seligson
Greenhorn

Joined: Jul 12, 2007
Posts: 17
On page 647, the HFSJ book says "Note if you're using Form-based authentication, be sure to turn on SSL or session tracking, or your Container might not recognize the login form when it's returned!"

I understand why SSL should be turned on (confidentiality)
but what does SSL have to do with the container's ability to recognize the login form when it's returned?

Thanks,
Dave Seligson
SCJP 5.0
Mark Garland
Ranch Hand

Joined: Nov 11, 2006
Posts: 226
Without either Session Tracking or SSL, the container wouldn't be able to identify you between separate requests.

To get round this, you can use:

Session Tracking - you probably know all about this.

SSL - Used for "confidentiality", and so it means that unauthorised people should not be able to access the data. If the container is maintaining this secure connection, then it will definitely know who you are.


28/06/06 - SCJP - 69%, 05/06/07 - SCWCD - 92%, 28/02/08 - IBM DB2 v9 Fundamentals (Exam 730) - 87%, 18/11/08 - IBM DB2 v9 DBA (Exam 731) - 89%, 26/02/11 - SCBCD - 88%
khushhal yadav
Ranch Hand

Joined: Jun 20, 2007
Posts: 242

Dave,

See HTTP is a stateless protocol.

But what about HTTP + SSL ( = HTTPS )?? It's a stateful protocol .

Now, I think you have got reply to your query.

Regards,
Khushhal


rgrds,
Khushhal
Dave Seligson
Greenhorn

Joined: Jul 12, 2007
Posts: 17
Yes,
Thank you. I didn't know that HTTP+SSL was actually stateful.
DaveS
Rahulg Goyal
Greenhorn

Joined: Jul 16, 2007
Posts: 2
i think with form login we can't do the url rewriting for session tracking since action attribute has the value of j_security_check.so we need to resort to ssl+http or cookies way of tracking a user.therefore form based login can't be used without htttp+ssl and cookies enabled.
 
It is sorta covered in the JavaRanch Style Guide.
 
subject: question on form based authentication