blob: 575ab874cb6ae85999f9bd7d4ba400dbb6557d41 [file] [log] [blame]
<html><head>
<meta http-equiv="Content-Type" content="text/html; charset=ISO-8859-1">
<title>Chapter&nbsp;5.&nbsp;Best Practices</title><link rel="stylesheet" href="css/stylesheet.css" type="text/css"><meta name="generator" content="DocBook XSL Stylesheets V1.75.0"><link rel="home" href="index.html" title="Apache Click"><link rel="up" href="index.html" title="Apache Click"><link rel="prev" href="ch04s03.html" title="4.3.&nbsp;Auto Deployed Files"><link rel="next" href="ch05s02.html" title="5.2.&nbsp;Packages and Classes"></head><body bgcolor="white" text="black" link="#0000FF" vlink="#840084" alink="#0000FF"><div class="navheader"><table width="100%" summary="Navigation header"><tr><th colspan="3" align="center">Chapter&nbsp;5.&nbsp;Best Practices</th></tr><tr><td width="20%" align="left"><a accesskey="p" href="ch04s03.html">Prev</a>&nbsp;</td><th width="60%" align="center">&nbsp;</th><td width="20%" align="right">&nbsp;<a accesskey="n" href="ch05s02.html">Next</a></td></tr></table><hr></div><div class="chapter" title="Chapter&nbsp;5.&nbsp;Best Practices"><div class="titlepage"><div><div><h2 class="title"><a name="chapter-best-practices"></a>Chapter&nbsp;5.&nbsp;Best Practices</h2></div></div></div><div class="toc"><dl><dt><span class="sect1"><a href="ch05.html#security">5.1. Security</a></span></dt><dd><dl><dt><span class="sect2"><a href="ch05.html#declarative-security">5.1.1. Declarative Security</a></span></dt><dt><span class="sect2"><a href="ch05.html#alternatve-security-solutions">5.1.2. Alternative Security solutions</a></span></dt><dt><span class="sect2"><a href="ch05.html#resources">5.1.3. Resources</a></span></dt></dl></dd><dt><span class="sect1"><a href="ch05s02.html">5.2. Packages and Classes</a></span></dt><dd><dl><dt><span class="sect2"><a href="ch05s02.html#page-classes">5.2.1. Page Classes</a></span></dt></dl></dd><dt><span class="sect1"><a href="ch05s03.html">5.3. Page Auto Mapping</a></span></dt><dt><span class="sect1"><a href="ch05s04.html">5.4. Navigation</a></span></dt><dt><span class="sect1"><a href="ch05s05.html">5.5. Templating</a></span></dt><dt><span class="sect1"><a href="ch05s06.html">5.6. Menus</a></span></dt><dt><span class="sect1"><a href="ch05s07.html">5.7. Logging</a></span></dt><dt><span class="sect1"><a href="ch05s08.html">5.8. Error Handling</a></span></dt><dt><span class="sect1"><a href="ch05s09.html">5.9. Performance</a></span></dt></dl></div><p>This chapter discusses Best Practices for designing and building Apache
Click applications.
</p><div class="sect1" title="5.1.&nbsp;Security"><div class="titlepage"><div><div><h2 class="title" style="clear: both"><a name="security"></a>5.1.&nbsp;Security</h2></div></div></div><p>For application security it is highly recommended that you use the
declarative JEE Servlet path role based security model. While Click pages
provide an <code class="methodname">onSecurityCheck()</code> method for rolling your own
programatic security model, the declarative JEE model provides numerous
advantages.
</p><p>These advantages include:
</p><div class="itemizedlist"><ul class="itemizedlist" type="disc"><li class="listitem"><p> Its an industry standard pattern making development and maintenance
easier.
</p></li><li class="listitem"><p> Application servers generally provide numerous ways of integration
with an organisations security infrastructure, including LDAP directories
and relational databases.
</p></li><li class="listitem"><p> Servlet security model support users bookmarking pages. When users
go to access these pages later, the container will automatically authenticate
them before allowing them to access the resource.
</p></li><li class="listitem"><p> Using this security model you can keep your Page code free of
security concerns. This makes you code more reusable, or at least easier
to write.
</p></li></ul></div><p>If your application has very fine grained or complex security requirements
you may need to combine both the JEE declarative security model and a
programmatic security model to meet your needs. In these cases its
recommended you use declarative security for course grained access and
programmatic security for finner grained access control.
</p><div class="sect2" title="5.1.1.&nbsp;Declarative Security"><div class="titlepage"><div><div><h3 class="title"><a name="declarative-security"></a>5.1.1.&nbsp;Declarative Security</h3></div></div></div><p> The declarative JEE Servlet security model requires users to be
authenticated and in the right roles before they can access secure resources.
Relative to many of the JEE specifications the Servlet security model is
surprisingly simple.
</p><p>
For example to secure admin pages, you add a security
constraint in your <code class="filename">web.xml</code> file. This requires users
to be in the <code class="varname">admin</code> role before they can access to any
resources under the <span class="symbol">admin</span> directory:
</p><pre class="programlisting"><span xmlns:fo="http://www.w3.org/1999/XSL/Format" class="tag">&lt;security-constraint&gt;</span>
<span xmlns:fo="http://www.w3.org/1999/XSL/Format" class="tag">&lt;web-resource-collection&gt;</span>
<span xmlns:fo="http://www.w3.org/1999/XSL/Format" class="tag">&lt;web-resource-name&gt;</span>admin<span xmlns:fo="http://www.w3.org/1999/XSL/Format" class="tag">&lt;/web-resource-name&gt;</span>
<span xmlns:fo="http://www.w3.org/1999/XSL/Format" class="tag">&lt;url-pattern&gt;</span><span class="symbol">/admin/*</span><span xmlns:fo="http://www.w3.org/1999/XSL/Format" class="tag">&lt;/url-pattern&gt;</span>
<span xmlns:fo="http://www.w3.org/1999/XSL/Format" class="tag">&lt;/web-resource-collection&gt;</span>
<span xmlns:fo="http://www.w3.org/1999/XSL/Format" class="tag">&lt;auth-constraint&gt;</span>
<span xmlns:fo="http://www.w3.org/1999/XSL/Format" class="tag">&lt;role-name&gt;</span><code class="varname">admin</code><span xmlns:fo="http://www.w3.org/1999/XSL/Format" class="tag">&lt;/role-name&gt;</span>
<span xmlns:fo="http://www.w3.org/1999/XSL/Format" class="tag">&lt;/auth-constraint&gt;</span>
<span xmlns:fo="http://www.w3.org/1999/XSL/Format" class="tag">&lt;/security-constraint&gt;</span></pre><p>The application user roles are defined in the <code class="filename">web.xml</code>
file as <code class="literal">security-role</code> elements:
</p><pre class="programlisting"><span xmlns:fo="http://www.w3.org/1999/XSL/Format" class="tag">&lt;security-role&gt;</span>
<span xmlns:fo="http://www.w3.org/1999/XSL/Format" class="tag">&lt;role-name&gt;</span><code class="varname">admin</code><span xmlns:fo="http://www.w3.org/1999/XSL/Format" class="tag">&lt;/role-name&gt;</span>
<span xmlns:fo="http://www.w3.org/1999/XSL/Format" class="tag">&lt;/security-role&gt;</span></pre><p>The Servlet security model supports three different authentication method:</p><div class="itemizedlist"><ul class="itemizedlist" type="disc"><li class="listitem"><p>
<code class="literal">BASIC</code> - only recommended for internal
applications where security is not important. This is the easiest
authentication method, which simply displays a dialog box to users
requiring them to authenticate before accessing secure resources.
The BASIC method is relatively unsecure as the username and password
are posted to the server as a Base64 encoded string.
</p></li><li class="listitem"><p>
<code class="literal">DIGEST</code> - recommended for internal applications
with a moderate level of security. As with BASIC authentication,
this method simply displays a dialog box to users requiring them to
authenticate before accessing secure resources. Not all application
servers support DIGEST authentication, with only more recent
versions of Apache Tomcat supporting this method.
</p></li><li class="listitem"><p>
<code class="literal">FORM</code> - recommended applications for where
you need a customised login page. For applications requiring a high
level of security it is recommended that you use the FORM method
over HTTPS.
</p></li></ul></div><p>The authentication method is specified in the &lt;login-method&gt; element.
For example to use the BASIC authentication method you would specify:
</p><pre class="programlisting"><span xmlns:fo="http://www.w3.org/1999/XSL/Format" class="tag">&lt;login-config&gt;</span>
<span xmlns:fo="http://www.w3.org/1999/XSL/Format" class="tag">&lt;auth-method&gt;</span><code class="varname">BASIC</code><span xmlns:fo="http://www.w3.org/1999/XSL/Format" class="tag">&lt;/auth-method&gt;</span>
<span xmlns:fo="http://www.w3.org/1999/XSL/Format" class="tag">&lt;realm-name&gt;</span>Admin Realm<span xmlns:fo="http://www.w3.org/1999/XSL/Format" class="tag">&lt;/realm-name&gt;</span>
<span xmlns:fo="http://www.w3.org/1999/XSL/Format" class="tag">&lt;/login-config&gt;</span></pre><p>To use the FORM method you also need to specify the path to the login
page and the login error page:
</p><pre class="programlisting"><span xmlns:fo="http://www.w3.org/1999/XSL/Format" class="tag">&lt;login-config&gt;</span>
<span xmlns:fo="http://www.w3.org/1999/XSL/Format" class="tag">&lt;auth-method&gt;</span><code class="varname">FORM</code><span xmlns:fo="http://www.w3.org/1999/XSL/Format" class="tag">&lt;/auth-method&gt;</span>
<span xmlns:fo="http://www.w3.org/1999/XSL/Format" class="tag">&lt;realm-name&gt;</span>Secure Realm<span xmlns:fo="http://www.w3.org/1999/XSL/Format" class="tag">&lt;/realm-name&gt;</span>
<span xmlns:fo="http://www.w3.org/1999/XSL/Format" class="tag">&lt;form-login-config&gt;</span>
<span xmlns:fo="http://www.w3.org/1999/XSL/Format" class="tag">&lt;form-login-page&gt;</span><span class="symbol">/login.htm</span><span xmlns:fo="http://www.w3.org/1999/XSL/Format" class="tag">&lt;/form-login-page&gt;</span>
<span xmlns:fo="http://www.w3.org/1999/XSL/Format" class="tag">&lt;form-error-page&gt;</span><span class="symbol">/login.htm?auth-error=true</span><span xmlns:fo="http://www.w3.org/1999/XSL/Format" class="tag">&lt;/form-error-page&gt;</span>
<span xmlns:fo="http://www.w3.org/1999/XSL/Format" class="tag">&lt;/form-login-config&gt;</span>
<span xmlns:fo="http://www.w3.org/1999/XSL/Format" class="tag">&lt;/login-config&gt;</span></pre><p>In your Click <code class="filename">login.htm</code> page you need to include a
special <code class="varname">j_security_check</code> form which includes the input
fields <code class="varname">j_username</code> and <code class="varname">j_password</code>.
For example:
</p><pre class="programlisting"><span class="command"><strong>#if</strong></span> ($request.getParameter("<span class="symbol">auth-error</span>"))
<span xmlns:fo="http://www.w3.org/1999/XSL/Format" class="tag">&lt;div</span> <span xmlns:fo="http://www.w3.org/1999/XSL/Format" class="atn">style</span>=<span xmlns:fo="http://www.w3.org/1999/XSL/Format" class="pln">"margin-bottom:1em;margin-top:1em;color:red;"</span><span xmlns:fo="http://www.w3.org/1999/XSL/Format" class="tag">&gt;</span>
Invalid User Name or Password, please try again.<span xmlns:fo="http://www.w3.org/1999/XSL/Format" class="tag">&lt;br/&gt;</span>
Please ensure Caps Lock is off.
<span xmlns:fo="http://www.w3.org/1999/XSL/Format" class="tag">&lt;/div&gt;</span>
<span class="command"><strong>#end</strong></span>
<span xmlns:fo="http://www.w3.org/1999/XSL/Format" class="tag">&lt;form</span> <span xmlns:fo="http://www.w3.org/1999/XSL/Format" class="atn">method</span>=<span xmlns:fo="http://www.w3.org/1999/XSL/Format" class="pln">"POST"</span> <span xmlns:fo="http://www.w3.org/1999/XSL/Format" class="atn">action</span>=<span xmlns:fo="http://www.w3.org/1999/XSL/Format" class="pln">"</span><code class="varname">j_security_check</code>" name="form"&gt;
<span xmlns:fo="http://www.w3.org/1999/XSL/Format" class="tag">&lt;table</span> <span xmlns:fo="http://www.w3.org/1999/XSL/Format" class="atn">border</span>=<span xmlns:fo="http://www.w3.org/1999/XSL/Format" class="pln">"0"</span> <span xmlns:fo="http://www.w3.org/1999/XSL/Format" class="atn">style</span>=<span xmlns:fo="http://www.w3.org/1999/XSL/Format" class="pln">"margin-left:0.25em;"</span><span xmlns:fo="http://www.w3.org/1999/XSL/Format" class="tag">&gt;</span>
<span xmlns:fo="http://www.w3.org/1999/XSL/Format" class="tag">&lt;tr&gt;</span>
<span xmlns:fo="http://www.w3.org/1999/XSL/Format" class="tag">&lt;td&gt;</span><span xmlns:fo="http://www.w3.org/1999/XSL/Format" class="tag">&lt;label&gt;</span>User Name<span xmlns:fo="http://www.w3.org/1999/XSL/Format" class="tag">&lt;/label&gt;</span><span xmlns:fo="http://www.w3.org/1999/XSL/Format" class="tag">&lt;font</span> <span xmlns:fo="http://www.w3.org/1999/XSL/Format" class="atn">color</span>=<span xmlns:fo="http://www.w3.org/1999/XSL/Format" class="pln">"red"</span><span xmlns:fo="http://www.w3.org/1999/XSL/Format" class="tag">&gt;</span>*<span xmlns:fo="http://www.w3.org/1999/XSL/Format" class="tag">&lt;/font&gt;</span><span xmlns:fo="http://www.w3.org/1999/XSL/Format" class="tag">&lt;/td&gt;</span>
<span xmlns:fo="http://www.w3.org/1999/XSL/Format" class="tag">&lt;td&gt;</span><span xmlns:fo="http://www.w3.org/1999/XSL/Format" class="tag">&lt;input</span> <span xmlns:fo="http://www.w3.org/1999/XSL/Format" class="atn">type</span>=<span xmlns:fo="http://www.w3.org/1999/XSL/Format" class="pln">"text"</span> <span xmlns:fo="http://www.w3.org/1999/XSL/Format" class="atn">name</span>=<span xmlns:fo="http://www.w3.org/1999/XSL/Format" class="pln">"</span><code class="varname">j_username</code>" maxlength="20" style="width:150px;"/&gt;<span xmlns:fo="http://www.w3.org/1999/XSL/Format" class="tag">&lt;/td&gt;</span>
<span xmlns:fo="http://www.w3.org/1999/XSL/Format" class="tag">&lt;td&gt;</span>&amp;nbsp;<span xmlns:fo="http://www.w3.org/1999/XSL/Format" class="tag">&lt;/td&gt;</span>
<span xmlns:fo="http://www.w3.org/1999/XSL/Format" class="tag">&lt;/tr&gt;</span>
<span xmlns:fo="http://www.w3.org/1999/XSL/Format" class="tag">&lt;tr&gt;</span>
<span xmlns:fo="http://www.w3.org/1999/XSL/Format" class="tag">&lt;td&gt;</span><span xmlns:fo="http://www.w3.org/1999/XSL/Format" class="tag">&lt;label&gt;</span>User Password<span xmlns:fo="http://www.w3.org/1999/XSL/Format" class="tag">&lt;/label&gt;</span><span xmlns:fo="http://www.w3.org/1999/XSL/Format" class="tag">&lt;font</span> <span xmlns:fo="http://www.w3.org/1999/XSL/Format" class="atn">color</span>=<span xmlns:fo="http://www.w3.org/1999/XSL/Format" class="pln">"red"</span><span xmlns:fo="http://www.w3.org/1999/XSL/Format" class="tag">&gt;</span>*<span xmlns:fo="http://www.w3.org/1999/XSL/Format" class="tag">&lt;/font&gt;</span><span xmlns:fo="http://www.w3.org/1999/XSL/Format" class="tag">&lt;/td&gt;</span>
<span xmlns:fo="http://www.w3.org/1999/XSL/Format" class="tag">&lt;td&gt;</span><span xmlns:fo="http://www.w3.org/1999/XSL/Format" class="tag">&lt;input</span> <span xmlns:fo="http://www.w3.org/1999/XSL/Format" class="atn">type</span>=<span xmlns:fo="http://www.w3.org/1999/XSL/Format" class="pln">"password"</span> <span xmlns:fo="http://www.w3.org/1999/XSL/Format" class="atn">name</span>=<span xmlns:fo="http://www.w3.org/1999/XSL/Format" class="pln">"</span><code class="varname">j_password</code>" maxlength="20" style="width:150px;"/&gt;<span xmlns:fo="http://www.w3.org/1999/XSL/Format" class="tag">&lt;/td&gt;</span>
<span xmlns:fo="http://www.w3.org/1999/XSL/Format" class="tag">&lt;td&gt;</span><span xmlns:fo="http://www.w3.org/1999/XSL/Format" class="tag">&lt;input</span> <span xmlns:fo="http://www.w3.org/1999/XSL/Format" class="atn">type</span>=<span xmlns:fo="http://www.w3.org/1999/XSL/Format" class="pln">"image"</span> <span xmlns:fo="http://www.w3.org/1999/XSL/Format" class="atn">src</span>=<span xmlns:fo="http://www.w3.org/1999/XSL/Format" class="pln">"$context/images/login.png"</span> <span xmlns:fo="http://www.w3.org/1999/XSL/Format" class="atn">title</span>=<span xmlns:fo="http://www.w3.org/1999/XSL/Format" class="pln">"Click to Login"</span><span xmlns:fo="http://www.w3.org/1999/XSL/Format" class="tag">/&gt;</span><span xmlns:fo="http://www.w3.org/1999/XSL/Format" class="tag">&lt;/td&gt;</span>
<span xmlns:fo="http://www.w3.org/1999/XSL/Format" class="tag">&lt;/tr&gt;</span>
<span xmlns:fo="http://www.w3.org/1999/XSL/Format" class="tag">&lt;/table&gt;</span>
<span xmlns:fo="http://www.w3.org/1999/XSL/Format" class="tag">&lt;/form&gt;</span>
<span xmlns:fo="http://www.w3.org/1999/XSL/Format" class="tag">&lt;script</span> <span xmlns:fo="http://www.w3.org/1999/XSL/Format" class="atn">type</span>=<span xmlns:fo="http://www.w3.org/1999/XSL/Format" class="pln">"text/javascript"</span><span xmlns:fo="http://www.w3.org/1999/XSL/Format" class="tag">&gt;</span>
document.form.j_username.focus();
<span xmlns:fo="http://www.w3.org/1999/XSL/Format" class="tag">&lt;/script&gt;</span></pre><p>When using FORM based authentication do <span class="bold"><strong>NOT</strong></span>
put application logic in a Click Login Page class, as the role of this page
is to simply render the login form. If you attempt to put navigation logic
in your Login Page class, the JEE Container may simply ignore it or throw
errors.
</p><p>Putting this all together below is a <code class="filename">web.xml</code>
snippet which features security constraints for pages under the admin
path and the user path. This configuration uses the FORM method for
authentication, and will also redirect unauthorized (403) requests to the
<code class="filename">/not-authorized.htm</code> page.
</p><pre class="programlisting"><span xmlns:fo="http://www.w3.org/1999/XSL/Format" class="tag">&lt;web-app&gt;</span>
..
<span xmlns:fo="http://www.w3.org/1999/XSL/Format" class="tag">&lt;error-page&gt;</span>
<span xmlns:fo="http://www.w3.org/1999/XSL/Format" class="tag">&lt;error-code&gt;</span>403<span xmlns:fo="http://www.w3.org/1999/XSL/Format" class="tag">&lt;/error-code&gt;</span>
<span xmlns:fo="http://www.w3.org/1999/XSL/Format" class="tag">&lt;location&gt;</span><code class="varname">/not-authorized.htm</code><span xmlns:fo="http://www.w3.org/1999/XSL/Format" class="tag">&lt;/location&gt;</span>
<span xmlns:fo="http://www.w3.org/1999/XSL/Format" class="tag">&lt;/error-page&gt;</span>
<span xmlns:fo="http://www.w3.org/1999/XSL/Format" class="tag">&lt;security-constraint&gt;</span>
<span xmlns:fo="http://www.w3.org/1999/XSL/Format" class="tag">&lt;web-resource-collection&gt;</span>
<span xmlns:fo="http://www.w3.org/1999/XSL/Format" class="tag">&lt;web-resource-name&gt;</span>admin<span xmlns:fo="http://www.w3.org/1999/XSL/Format" class="tag">&lt;/web-resource-name&gt;</span>
<span xmlns:fo="http://www.w3.org/1999/XSL/Format" class="tag">&lt;url-pattern&gt;</span><code class="varname">/admin/*</code><span xmlns:fo="http://www.w3.org/1999/XSL/Format" class="tag">&lt;/url-pattern&gt;</span>
<span xmlns:fo="http://www.w3.org/1999/XSL/Format" class="tag">&lt;/web-resource-collection&gt;</span>
<span xmlns:fo="http://www.w3.org/1999/XSL/Format" class="tag">&lt;auth-constraint&gt;</span>
<span xmlns:fo="http://www.w3.org/1999/XSL/Format" class="tag">&lt;role-name&gt;</span><span class="symbol">admin</span><span xmlns:fo="http://www.w3.org/1999/XSL/Format" class="tag">&lt;/role-name&gt;</span>
<span xmlns:fo="http://www.w3.org/1999/XSL/Format" class="tag">&lt;/auth-constraint&gt;</span>
<span xmlns:fo="http://www.w3.org/1999/XSL/Format" class="tag">&lt;/security-constraint&gt;</span>
<span xmlns:fo="http://www.w3.org/1999/XSL/Format" class="tag">&lt;security-constraint&gt;</span>
<span xmlns:fo="http://www.w3.org/1999/XSL/Format" class="tag">&lt;web-resource-collection&gt;</span>
<span xmlns:fo="http://www.w3.org/1999/XSL/Format" class="tag">&lt;web-resource-name&gt;</span>user<span xmlns:fo="http://www.w3.org/1999/XSL/Format" class="tag">&lt;/web-resource-name&gt;</span>
<span xmlns:fo="http://www.w3.org/1999/XSL/Format" class="tag">&lt;url-pattern&gt;</span><code class="varname">/user/*</code><span xmlns:fo="http://www.w3.org/1999/XSL/Format" class="tag">&lt;/url-pattern&gt;</span>
<span xmlns:fo="http://www.w3.org/1999/XSL/Format" class="tag">&lt;/web-resource-collection&gt;</span>
<span xmlns:fo="http://www.w3.org/1999/XSL/Format" class="tag">&lt;auth-constraint&gt;</span>
<span xmlns:fo="http://www.w3.org/1999/XSL/Format" class="tag">&lt;role-name&gt;</span><span class="symbol">admin</span><span xmlns:fo="http://www.w3.org/1999/XSL/Format" class="tag">&lt;/role-name&gt;</span>
<span xmlns:fo="http://www.w3.org/1999/XSL/Format" class="tag">&lt;role-name&gt;</span><span class="symbol">user</span><span xmlns:fo="http://www.w3.org/1999/XSL/Format" class="tag">&lt;/role-name&gt;</span>
<span xmlns:fo="http://www.w3.org/1999/XSL/Format" class="tag">&lt;/auth-constraint&gt;</span>
<span xmlns:fo="http://www.w3.org/1999/XSL/Format" class="tag">&lt;/security-constraint&gt;</span>
<span xmlns:fo="http://www.w3.org/1999/XSL/Format" class="tag">&lt;login-config&gt;</span>
<span xmlns:fo="http://www.w3.org/1999/XSL/Format" class="tag">&lt;auth-method&gt;</span><code class="varname">FORM</code><span xmlns:fo="http://www.w3.org/1999/XSL/Format" class="tag">&lt;/auth-method&gt;</span>
<span xmlns:fo="http://www.w3.org/1999/XSL/Format" class="tag">&lt;realm-name&gt;</span>Secure Zone<span xmlns:fo="http://www.w3.org/1999/XSL/Format" class="tag">&lt;/realm-name&gt;</span>
<span xmlns:fo="http://www.w3.org/1999/XSL/Format" class="tag">&lt;form-login-config&gt;</span>
<span xmlns:fo="http://www.w3.org/1999/XSL/Format" class="tag">&lt;form-login-page&gt;</span><code class="varname">/login.htm</code><span xmlns:fo="http://www.w3.org/1999/XSL/Format" class="tag">&lt;/form-login-page&gt;</span>
<span xmlns:fo="http://www.w3.org/1999/XSL/Format" class="tag">&lt;form-error-page&gt;</span><code class="varname">/login.htm?auth-error=true</code><span xmlns:fo="http://www.w3.org/1999/XSL/Format" class="tag">&lt;/form-error-page&gt;</span>
<span xmlns:fo="http://www.w3.org/1999/XSL/Format" class="tag">&lt;/form-login-config&gt;</span>
<span xmlns:fo="http://www.w3.org/1999/XSL/Format" class="tag">&lt;/login-config&gt;</span>
<span xmlns:fo="http://www.w3.org/1999/XSL/Format" class="tag">&lt;security-role&gt;</span>
<span xmlns:fo="http://www.w3.org/1999/XSL/Format" class="tag">&lt;role-name&gt;</span><span class="symbol">admin</span><span xmlns:fo="http://www.w3.org/1999/XSL/Format" class="tag">&lt;/role-name&gt;</span>
<span xmlns:fo="http://www.w3.org/1999/XSL/Format" class="tag">&lt;/security-role&gt;</span>
<span xmlns:fo="http://www.w3.org/1999/XSL/Format" class="tag">&lt;security-role&gt;</span>
<span xmlns:fo="http://www.w3.org/1999/XSL/Format" class="tag">&lt;role-name&gt;</span><span class="symbol">user</span><span xmlns:fo="http://www.w3.org/1999/XSL/Format" class="tag">&lt;/role-name&gt;</span>
<span xmlns:fo="http://www.w3.org/1999/XSL/Format" class="tag">&lt;/security-role&gt;</span>
<span xmlns:fo="http://www.w3.org/1999/XSL/Format" class="tag">&lt;/web-app&gt;</span></pre></div><div class="sect2" title="5.1.2.&nbsp;Alternative Security solutions"><div class="titlepage"><div><div><h3 class="title"><a name="alternatve-security-solutions"></a>5.1.2.&nbsp;Alternative Security solutions</h3></div></div></div><p> There are also alternative security solutions that provide extra
features not available in JEE, such as RememberMe functionality, better
resource mapping and <code class="literal">Post Logon Page</code> support.
(<code class="literal">Post Logon Page</code> support allows one to specify a default
URL where the user will be forwarded after successful login. This feature
allows one to embed a login form in all non-secure pages and after successful
authentication the user will be forwarded to their home page.)
</p><p>Below are some of the alternative security solutions available:
</p><div class="itemizedlist"><ul class="itemizedlist" type="disc"><li class="listitem"><p>
<a xmlns:fo="http://www.w3.org/1999/XSL/Format" class="external" href="http://static.springframework.org/spring-security/site/index.html" target="_blank">Spring Security</a>
</p></li><li class="listitem"><p>
<a xmlns:fo="http://www.w3.org/1999/XSL/Format" class="external" href="http://securityfilter.sourceforge.net/" target="_blank">SecurityFilter</a>
</p></li><li class="listitem"><p>
<a xmlns:fo="http://www.w3.org/1999/XSL/Format" class="external" href="http://www.jsecurity.org/" target="_blank">JSecurity</a>
</p></li></ul></div></div><div class="sect2" title="5.1.3.&nbsp;Resources"><div class="titlepage"><div><div><h3 class="title"><a name="resources"></a>5.1.3.&nbsp;Resources</h3></div></div></div><p>For more information on using security see the resources below:</p><div class="itemizedlist"><ul class="itemizedlist" type="disc"><li class="listitem"><p>
<a xmlns:fo="http://www.w3.org/1999/XSL/Format" class="external" href="http://stc.cis.brown.edu/~stc/Projects/Shibboleth/Version-3/Checklist/Tomcat-Authn/FormBasedAuthentication.pdf" target="_blank">
Form Based Authentication
</a> by Louis E. Mauget
</p></li><li class="listitem"><p>
<a xmlns:fo="http://www.w3.org/1999/XSL/Format" class="external" href="http://java.sun.com/products/servlet/download.html" target="_blank">Servlet Specification</a>
by Sun Microsystems
</p></li><li class="listitem"><p>
<a xmlns:fo="http://www.w3.org/1999/XSL/Format" class="external" href="http://en.wikipedia.org/wiki/Basic_authentication_scheme" target="_blank">
Basic authentication scheme
</a>
</p></li><li class="listitem"><p>
<a xmlns:fo="http://www.w3.org/1999/XSL/Format" class="external" href="http://en.wikipedia.org/wiki/Digest_access_authentication" target="_blank">
Digest authentication scheme
</a>
</p></li><li class="listitem"><p>
<a xmlns:fo="http://www.w3.org/1999/XSL/Format" class="external" href="http://en.wikipedia.org/wiki/Https" target="_blank">Https URI scheme</a>
</p></li></ul></div></div></div></div><div class="navfooter"><hr><table width="100%" summary="Navigation footer"><tr><td width="40%" align="left"><a accesskey="p" href="ch04s03.html">Prev</a>&nbsp;</td><td width="20%" align="center">&nbsp;</td><td width="40%" align="right">&nbsp;<a accesskey="n" href="ch05s02.html">Next</a></td></tr><tr><td width="40%" align="left" valign="top">4.3.&nbsp;Auto Deployed Files&nbsp;</td><td width="20%" align="center"><a accesskey="h" href="index.html">Home</a></td><td width="40%" align="right" valign="top">&nbsp;5.2.&nbsp;Packages and Classes</td></tr></table></div></body></html>