Best Practices for Form Based Login

Salvo Montalbano
Greenhorn

Joined: Sep 22, 2011
Posts: 11
Hi all,

I'm a newbie in the J2EE world and I read about form-based authentication using j_security_check.
I tried it and all works fine :-)
Now, I would like to know what the best practice is in a production environment to authenticate users.
Is j_security used in a production environment?
Can you point me to any websites that use this kind of authentication?
What are the alternative APIs used in this context?
Thanks all in advance for your precious help.

Rosanero4ever
Ricardo Espírito Santo
Greenhorn

Joined: Nov 04, 2009
Posts: 25
Hey mate,

You should read the security chapter of the Head First SCWCD book! It really explains in a very visual way what the options are and what the pros and cons are.

I've also found a link to something that might help you: some Oracle page

Let me know what you think of it.


Have a nice one,

Ricky
Salvo Montalbano
Greenhorn

Joined: Sep 22, 2011
Posts: 11
Hi Ricardo,

I read just this chapter but it talks about the four types of authentication: basic, digest, client-cert, form.
Form login is provided using the j_security_check servlet of the container.
I would like to know if there is any other way to have a form-based login and what the best practice is for implementing a login method.
Then, I would like to see a website (in a production environment) that uses j_security_check. Do you know of any?
Thanks again for your time.
Ricardo Espírito Santo
Greenhorn

Joined: Nov 04, 2009
Posts: 25
Oh ok I got what you need...

I thought you were trying to understand how it would work conceptually.

In that case, try using Google Code Search to look up forms that use those fields: Google Code Search with the j_security_check query

Hope that helps ;)
Salvo Montalbano
Greenhorn

Joined: Sep 22, 2011
Posts: 11
Thanks for your link.
Do you know of alternative techniques to j_security_check in order to perform authentication?
Thank you very much
Ricardo Espírito Santo
Greenhorn

Joined: Nov 04, 2009
Posts: 25
Well, at the minute we are developing a web app with JBoss Seam 2 and tweaked the auth mechanism to perform authentication against both our LDAP and an internal JPA mechanism. The actual form itself is just a regular form, but we also have the production site on HTTPS to make an eavesdropper's job difficult. As for the actual password, it is encoded with a standard one-way system; the cipher and password hash are salted and stored both locally and on the LDAP system =)
Salvo Montalbano
Greenhorn

Joined: Sep 22, 2011
Posts: 11
I apologize for my questions (perhaps too many questions)...
So, do you use authentication based on j_security_check or on your own custom servlet?
At the moment I'm using the j_security_check servlet, and the list of my users/roles is in a MySQL database.
Thanks again!
Ricardo Espírito Santo
Greenhorn

Joined: Nov 04, 2009
Posts: 25
No worries mate, this is a forum after all; it's made for questions.

No, I do not use j_security_check. It's not even a servlet. It's something else...
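
For reference, the container-managed form login discussed in this thread comes down to a deployment descriptor like the one below. This is an added example, not posted by either participant; it assumes a Servlet 3.0 container, and the URL pattern, page paths, realm name and role name are placeholders.

```xml
<?xml version="1.0" encoding="UTF-8"?>
<!-- Added example: container-managed FORM login. Paths, realm and role names are assumptions. -->
<web-app xmlns="http://java.sun.com/xml/ns/javaee" version="3.0">

  <!-- Everything under /app/* requires an authenticated user in the "user" role. -->
  <security-constraint>
    <web-resource-collection>
      <web-resource-name>protected-area</web-resource-name>
      <url-pattern>/app/*</url-pattern>
    </web-resource-collection>
    <auth-constraint>
      <role-name>user</role-name>
    </auth-constraint>
    <user-data-constraint>
      <!-- CONFIDENTIAL makes the container redirect to HTTPS before the login
           form is shown; with NONE the j_password POST can travel in cleartext. -->
      <transport-guarantee>CONFIDENTIAL</transport-guarantee>
    </user-data-constraint>
  </security-constraint>

  <!-- login.jsp must post the reserved field names to the reserved action:
       <form method="post" action="j_security_check">
         <input name="j_username"> <input type="password" name="j_password">
       </form> -->
  <login-config>
    <auth-method>FORM</auth-method>
    <realm-name>example-realm</realm-name>
    <form-login-config>
      <form-login-page>/login.jsp</form-login-page>
      <form-error-page>/login-error.jsp</form-error-page>
    </form-login-config>
  </login-config>

  <security-role>
    <role-name>user</role-name>
  </security-role>

  <!-- Keep the session id out of URLs and out of reach of scripts and plain HTTP. -->
  <session-config>
    <session-timeout>15</session-timeout>
    <cookie-config>
      <http-only>true</http-only>
      <secure>true</secure>
    </cookie-config>
    <tracking-mode>COOKIE</tracking-mode>
  </session-config>
</web-app>
```

The user and role store (such as the MySQL tables mentioned above) is configured in the container's realm, outside this file.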