How do I use Form authentication with Tomcat?
Author: Deron Eriksson
Description: This tutorial describes the use of Form authentication with Tomcat.
Tutorial created using: Windows XP || JDK 1.5.0_09 || Eclipse Web Tools Platform 1.5.1 || Tomcat 5.5.20


Page: < 1 2 3

(Continued from page 2)

Just for fun, let's delve a little deeper by monitoring the TCP/IP communication between the browser and Tomcat. I changed the transport-guarantee to NONE so that I could use HTTP rather than HTTPS, which makes the traffic between the browser and Tomcat readable. I set up a TCP/IP Monitor on port 8081 that forwards to Tomcat on port 8080.

The browser makes the following request to our server, asking for tomcat-demo's 'test', which is our test servlet.

GET /tomcat-demo/test HTTP/1.1
Accept: */*
Accept-Language: en-us
UA-CPU: x86
Accept-Encoding: gzip, deflate
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 5.1; .NET CLR 1.0.3705; .NET CLR 1.1.4322; Media Center PC 4.0; .NET CLR 2.0.50727)
Host: localhost:8081
Connection: Keep-Alive

The server sends back the following response to the browser. Notice that the response headers contain a Set-Cookie header with a JSESSIONID value. This JSESSIONID string is an identifier that the browser can later send back to the server, thus letting the server identify the particular browser client and its 'session'. The body of this response is the login.html form.


HTTP/1.1 200 OK
Server: Apache-Coyote/1.1
Pragma: No-cache
Cache-Control: no-cache
Expires: Wed, 31 Dec 1969 16:00:00 PST
Set-Cookie: JSESSIONID=318A0B6C6E5C15E2D2AA2ACF9D531AC8; Path=/tomcat-demo
ETag: W/"407-1177060024390"
Last-Modified: Fri, 20 Apr 2007 09:07:04 GMT
Content-Type: text/html
Content-Length: 407
Date: Sun, 22 Apr 2007 09:35:31 GMT


<form method="POST" action="j_security_check">
<table>
	<tr>
		<td colspan="2">Login to the Tomcat-Demo application:</td>
	</tr>
	<tr>
		<td>Name:</td>
		<td><input type="text" name="j_username" /></td>
	</tr>
	<tr>
		<td>Password:</td>
		<td><input type="password" name="j_password"/ ></td>
	</tr>
	<tr>
		<td colspan="2"><input type="submit" value="Go" /></td>
	</tr>
</table>
</form>

The user fills out the form with the name 'myname' and the password 'mypassword' and clicks the submit button, which sends the following request to the server at /tomcat-demo/j_security_check. The name and password are POSTed to Tomcat, and we can see the form values in the request body. Notice that the browser sends the JSESSIONID cookie value back to the server, thus letting the server know which client is talking to it.

POST /tomcat-demo/j_security_check HTTP/1.1
Accept: */*
Referer: http://localhost:8081/tomcat-demo/test
Accept-Language: en-us
Content-Type: application/x-www-form-urlencoded
UA-CPU: x86
Accept-Encoding: gzip, deflate
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 5.1; .NET CLR 1.0.3705; .NET CLR 1.1.4322; Media Center PC 4.0; .NET CLR 2.0.50727)
Host: localhost:8081
Content-Length: 39
Connection: Keep-Alive
Cache-Control: no-cache
Cookie: JSESSIONID=318A0B6C6E5C15E2D2AA2ACF9D531AC8

j_username=myname&j_password=mypassword

Since the authentication succeeds, the server now grants the client access to the resource. It sends a 302 redirect to the client, directing the browser to make a new request to the test servlet URL.

HTTP/1.1 302 Moved Temporarily
Server: Apache-Coyote/1.1
Location: http://localhost:8081/tomcat-demo/test
Content-Length: 0
Date: Sun, 22 Apr 2007 09:35:37 GMT

The client makes a new request for the test servlet URL (/tomcat-demo/test) and includes the JSESSIONID cookie so that the server can identify that this is the correct client to give access to the resource.

GET /tomcat-demo/test HTTP/1.1
Accept: */*
Referer: http://localhost:8081/tomcat-demo/test
Accept-Language: en-us
UA-CPU: x86
Accept-Encoding: gzip, deflate
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 5.1; .NET CLR 1.0.3705; .NET CLR 1.1.4322; Media Center PC 4.0; .NET CLR 2.0.50727)
Host: localhost:8081
Connection: Keep-Alive
Cache-Control: no-cache
Cookie: JSESSIONID=318A0B6C6E5C15E2D2AA2ACF9D531AC8

The server returns the response generated by the test servlet, which we can see below.


HTTP/1.1 200 OK
Server: Apache-Coyote/1.1
Pragma: No-cache
Cache-Control: no-cache
Expires: Wed, 31 Dec 1969 16:00:00 PST
Content-Type: text/html;charset=ISO-8859-1
Content-Length: 682
Date: Sun, 22 Apr 2007 09:35:37 GMT

This is the Test Servlet
<br/>Header Name: <em>accept-encoding</em>, Header Value: <em>gzip, deflate</em>
<br/>Header Name: <em>connection</em>, Header Value: <em>Keep-Alive</em>
<br/>Header Name: <em>host</em>, Header Value: <em>localhost:8081</em>
<br/>Header Name: <em>accept-language</em>, Header Value: <em>en-us</em>
<br/>Header Name: <em>user-agent</em>, Header Value: <em>Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 5.1; .NET CLR 1.0.3705; .NET CLR 1.1.4322; Media Center PC 4.0; .NET CLR 2.0.50727)</em>
<br/>Header Name: <em>ua-cpu</em>, Header Value: <em>x86</em>
<br/>Header Name: <em>accept</em>, Header Value: <em>*/*</em>
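As an added example (not code from the original tutorial), the following Python script replays the three round trips above as constructed, abridged copies of the captured messages and checks each step of the FORM flow: form served with a JSESSIONID, credentials POSTed to j_security_check with that cookie, 302 back to the original URL, and the resource finally served. It also records two things a reviewer would note about this capture: the JSESSIONID issued before login is not replaced after authentication, and the cookie carries no Secure or HttpOnly flag (expected here, since transport-guarantee was set to NONE). The function names are my own.

```python
from urllib.parse import parse_qs, urlsplit

def parse_http(raw):
    """Split a raw HTTP message into (start line, lower-cased header dict, body)."""
    head, _, body = raw.partition("\n\n")
    start, *hdrs = head.splitlines()
    return start, {n.strip().lower(): v.strip() for n, _, v in (h.partition(":") for h in hdrs)}, body

def session_id(cookie_header):
    """Return the JSESSIONID value from a Cookie or Set-Cookie header, or None."""
    pairs = dict(p.strip().partition("=")[::2] for p in cookie_header.split(";"))
    return pairs.get("JSESSIONID")

def check_form_auth_flow(req1, resp1, req2, resp2, req3, resp3):
    """Check the three round trips of a FORM login and note what a reviewer would flag."""
    target = parse_http(req1)[0].split()[1]              # protected URL originally requested
    _, h1, body1 = parse_http(resp1)
    issued = session_id(h1.get("set-cookie", ""))        # pre-auth session id sent with the form
    line2, h2, body2 = parse_http(req2)
    line3, h3, _ = parse_http(resp2)
    line4, h4, _ = parse_http(req3)
    line5, _, _ = parse_http(resp3)
    flags = {p.strip().lower() for p in h1.get("set-cookie", "").split(";")}
    return {
        "login_form_served": 'action="j_security_check"' in body1 and issued is not None,
        "credentials_posted_with_session": line2.startswith("POST ")
            and line2.split()[1].endswith("/j_security_check")
            and {"j_username", "j_password"} <= set(parse_qs(body2))
            and session_id(h2.get("cookie", "")) == issued,
        "redirected_to_original": line3.split()[1] == "302"
            and urlsplit(h3.get("location", "")).path == target,
        "resource_served": line4.split()[1] == target and line5.split()[1] == "200"
            and session_id(h4.get("cookie", "")) == issued,
        # Hardening: the id issued before login should be replaced once the user authenticates
        # (the capture above keeps it), and Secure/HttpOnly are absent with transport-guarantee NONE.
        "session_id_rotated_on_login": session_id(h3.get("set-cookie", "")) not in (None, issued),
        "cookie_secure": "secure" in flags,
        "cookie_httponly": "httponly" in flags,
    }

# Sample messages, constructed as abridged copies of the capture above (session id as on the page).
SID = "JSESSIONID=318A0B6C6E5C15E2D2AA2ACF9D531AC8"
REQ1 = "GET /tomcat-demo/test HTTP/1.1\nHost: localhost:8081\n\n"
RESP1 = f'HTTP/1.1 200 OK\nSet-Cookie: {SID}; Path=/tomcat-demo\n\n<form method="POST" action="j_security_check">'
REQ2 = (f"POST /tomcat-demo/j_security_check HTTP/1.1\nHost: localhost:8081\nCookie: {SID}\n\n"
        "j_username=myname&j_password=mypassword")
RESP2 = "HTTP/1.1 302 Moved Temporarily\nLocation: http://localhost:8081/tomcat-demo/test\n\n"
REQ3 = f"GET /tomcat-demo/test HTTP/1.1\nHost: localhost:8081\nCookie: {SID}\n\n"
RESP3 = "HTTP/1.1 200 OK\nContent-Type: text/html;charset=ISO-8859-1\n\nThis is the Test Servlet"
```

Calling `check_form_auth_flow(REQ1, RESP1, REQ2, RESP2, REQ3, RESP3)` on these messages returns True for the four flow checks and False for the three hardening checks.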

Hopefully this tutorial has helped you understand how to set up Form authentication in a web application using Tomcat. I hope that it has also helped shed light on some of the mechanics behind how Form authentication works, since we looked at the detailed communication between the browser and the server.
