2.13. Enable Form-based Authentication
Form-based authentication is enabled by declaring <auth-method>FORM</auth-method> in the <login-config> element of the deployment descriptor, web.xml. The login page and the error page (the page users are sent to when a login attempt fails) are also defined in <login-config>, as follows:
    <login-config>
      <auth-method>FORM</auth-method>
      <form-login-config>
        <form-login-page>/login.html</form-login-page>
        <form-error-page>/error.html</form-error-page>
      </form-login-config>
    </login-config>
When a web application that uses form-based authentication is deployed, the web container uses FormAuthenticator to direct users to the appropriate page. JBoss EAP maintains a session pool so that authentication information does not need to be present in every request. When FormAuthenticator receives a request, it queries org.apache.catalina.session.Manager for an existing session. If no session exists, a new session is created. FormAuthenticator then checks whether the session already holds authenticated credentials.
The session ID is built from random bytes, read from /dev/urandom (Linux) by default, and hashed with MD5. Checks are performed at session ID creation to ensure that the ID created is unique. MD5 is used here only to mix the random bytes into a fixed-length identifier; the unpredictability of the ID comes from the entropy source, so the known collision weaknesses of MD5 do not by themselves make session IDs guessable. What does matter is that the source stays cryptographically strong: a session ID derived from a predictable generator can be guessed no matter how it is hashed.
Once the session is verified, the session ID is returned to the client in a cookie named JSESSIONID, whose value is the hex string of the session ID. The client is expected to send this cookie back on subsequent requests, and it is what identifies the user's session. The cookie is configured to be non-persistent, meaning it carries no expiry and is deleted on the client side when the browser exits. On the server side, sessions expire after 60 seconds of inactivity, at which time session objects and their credential information are deleted. The server-side limit is the <session-timeout> value in web.xml, given in minutes, so check your own descriptor rather than relying on the figure quoted here; container defaults are commonly 30 minutes. Non-persistent also does not mean HttpOnly or Secure: those flags are set separately through <cookie-config> in web.xml (Servlet 3.0) and are worth enabling, because whoever holds a valid JSESSIONID holds the authenticated session.
When a user requests a resource protected by form-based authentication without an authenticated session, FormAuthenticator caches the request, creates a new session if necessary, and redirects the user to the login page defined in login-config. (In the previous example code, the login page is login.html.) The user then enters their user name and password in the HTML form provided. User name and password are passed to FormAuthenticator via the j_security_check form action. FormAuthenticator then authenticates the user name and password against the realm attached to the web application context. In JBoss Enterprise Application Platform, the realm is JBossWebRealm. When authentication is successful, FormAuthenticator retrieves the saved request from the cache and redirects the user to their original request.
Note: the submission is treated as a login attempt only when the request URI ends with /j_security_check and at least the
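A login page that satisfies the FormAuthenticator flow described above, as an added example that is not part of the original page or of JBoss EAP. It uses the Servlet-specification names for the action (j_security_check) and the two fields (j_username, j_password); the page title and labels are arbitrary.

```html
<!DOCTYPE html>
<html lang="en">
<head>
  <meta charset="utf-8">
  <title>Login</title>
</head>
<body>
  <!-- The action must be j_security_check and the fields must be named
       j_username and j_password: these are the Servlet-spec names that
       FormAuthenticator looks for. The action is deliberately relative
       (no leading slash) so it resolves under whatever URL the browser
       is currently showing, inside this application's context path. -->
  <form method="post" action="j_security_check">
    <label for="j_username">User name</label>
    <input type="text" id="j_username" name="j_username" required>

    <label for="j_password">Password</label>
    <input type="password" id="j_password" name="j_password" required>

    <button type="submit">Log in</button>
  </form>
</body>
</html>
```

The relative action matters because the container may forward, rather than redirect, to the login page: the browser's address bar then still shows the original protected URL (say /app/secure/page), so the form posts to /app/secure/j_security_check. That is accepted because the server only checks that the URI ends with /j_security_check, and on success the user lands on the cached original request. Use method="post", never GET, so the credentials do not end up in the URL, server access logs, or the browser history.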