On page 78 of the Java Servlet Spec (v.2.3), it discusses the necessity of using "j_security_check" as the action attribute for a login form. I have seen this used in code here at work, but when I try and use it myself for an application I'm developing, I get a 404 page not found error (because there is no page named "j_security_check"). Can anyone explain to me how this login mechanism is supposed to work? I've been doing web development for 3 years, but I'm really in the dark on this topic.
Hi! I am also looking for information on j_security_check. What I understood is that it allows JSP resources to be protected. The web.xml file indicates the JSPs (login.jsp and error.jsp) and the security constraints...

    <security-constraint>
      <web-resource-collection>
        <web-resource-name>Protected Area</web-resource-name>
        <!-- Define the context-relative URL(s) to be protected -->
        <url-pattern>/jsp/security/protected/*</url-pattern>
        <!-- If you list http methods, only those methods are protected -->
        <http-method>DELETE</http-method>
        <http-method>GET</http-method>
        <http-method>POST</http-method>
        <http-method>PUT</http-method>
      </web-resource-collection>
      <auth-constraint>
        <!-- Anyone with one of the listed roles may access this area -->
        <role-name>tomcat</role-name>
        <role-name>role1</role-name>
      </auth-constraint>
    </security-constraint>

    <!-- Form-based login is enabled by default. If you wish to
         try Basic authentication, comment out the <login-config>
         section below and uncomment the one above.
    -->
    <login-config>
      <auth-method>FORM</auth-method>
      <realm-name>Example Form-Based Authentication</realm-name>
      <form-login-config>
        <form-login-page>/jsp/security/login/login.jsp</form-login-page>
        <form-error-page>/jsp/security/login/error.jsp</form-error-page>
      </form-login-config>
    </login-config>
For Tomcat 3.2 there is a file tomcat-users.xml in the conf directory that indicates the user/password pairs.
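
As an added example (not from either poster and not Tomcat's own code), this Python check audits a Servlet 2.3 style web.xml like the one posted above: the container only treats j_security_check specially when auth-method is FORM, and, as the descriptor's own comment says, listing http-method elements protects only those methods. The function name audit_form_login, the user_roles parameter and the embedded descriptor are constructed for illustration, and the descriptor is assumed to carry no XML namespace.

```python
import xml.etree.ElementTree as ET

# Constructed sample: the thread's descriptor, reduced to the parts the checks read.
WEB_XML = """<web-app>
  <security-constraint>
    <web-resource-collection>
      <url-pattern>/jsp/security/protected/*</url-pattern>
      <http-method>DELETE</http-method>
      <http-method>GET</http-method>
      <http-method>POST</http-method>
      <http-method>PUT</http-method>
    </web-resource-collection>
    <auth-constraint>
      <role-name>tomcat</role-name>
      <role-name>role1</role-name>
    </auth-constraint>
  </security-constraint>
  <login-config>
    <auth-method>FORM</auth-method>
    <form-login-config>
      <form-login-page>/jsp/security/login/login.jsp</form-login-page>
      <form-error-page>/jsp/security/login/error.jsp</form-error-page>
    </form-login-config>
  </login-config>
</web-app>"""

def audit_form_login(web_xml, user_roles):
    """Audit a web.xml string; user_roles is the set of roles granted in the user file."""
    root = ET.fromstring(web_xml)
    findings = []
    # Without FORM authentication the container does not process j_security_check.
    if (root.findtext("login-config/auth-method") or "").strip() != "FORM":
        findings.append("auth-method is not FORM: j_security_check is not handled")
    for tag in ("form-login-page", "form-error-page"):
        page = (root.findtext("login-config/form-login-config/" + tag) or "").strip()
        if not page.startswith("/"):
            findings.append(tag + " missing or not context-relative")
    # Listed methods are the only ones the constraint covers (HEAD, OPTIONS, ... are not).
    for coll in root.iter("web-resource-collection"):
        methods = sorted((m.text or "").strip() for m in coll.findall("http-method"))
        if methods:
            findings.append("only " + ",".join(methods) + " protected for "
                            + (coll.findtext("url-pattern") or "?").strip())
    # A role that no user holds means nobody can log in to the protected area with it.
    for role in root.findall("security-constraint/auth-constraint/role-name"):
        if (role.text or "").strip() not in user_roles:
            findings.append("no user holds role " + (role.text or "").strip())
    return findings
```

Pass the set of roles assigned in tomcat-users.xml as user_roles; an empty result means none of the four checks fired.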