Simple webapp with FORM authentication and SSL

This post is similar to Simple webapp with BASIC authentication, except that this one uses form-based authentication and SSL. The required steps are as follows:

(1) configure roles and other security aspects in web.xml;

(2) administratively create the users in the application server;

(3) map the roles declared in step 1 to the users created in step 2, with the appserver-specific descriptor;

(4) create a login form for entering the username and password, and an error page to display after a failed login.

This test webapp contains the servlet class, web.xml, sun-web.xml, login.html, and error.html:


package test;

import java.io.*;
import javax.servlet.*;
import javax.servlet.http.*;

public class TestServlet extends HttpServlet {
    // Writes the greeting that is shown after a successful login.
    protected void processRequest(HttpServletRequest request, HttpServletResponse response)
            throws ServletException, IOException {
        PrintWriter out = response.getWriter();
        out.println("Hello from " + getServletName());
    }

    @Override
    protected void doGet(HttpServletRequest request, HttpServletResponse response)
            throws ServletException, IOException {
        processRequest(request, response);
    }

    @Override
    protected void doPost(HttpServletRequest request, HttpServletResponse response)
            throws ServletException, IOException {
        processRequest(request, response);
    }
}

<?xml version="1.0" encoding="UTF-8"?>
<web-app xmlns="http://java.sun.com/xml/ns/javaee" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
xsi:schemaLocation="http://java.sun.com/xml/ns/javaee http://java.sun.com/xml/ns/javaee/web-app_3_0.xsd"



<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE sun-web-app PUBLIC "-//Sun Microsystems, Inc.//DTD GlassFish Application Server 3.0 Servlet 3.0//EN" "http://www.sun.com/software/appserver/dtds/sun-web-app_3_0-0.dtd">

<html>
<head><title>Login Form</title></head>
<body>
<form method="POST" action="j_security_check">
<p>username: <input type="text" name="j_username"></p>
<p>password: <input type="password" name="j_password"></p>
<input type="submit" value="Submit">
<input type="reset" value="Reset">
</form>
</body>
</html>

<html>
<head><title>Invalid user name or password</title></head>
<body><a href="login.html">Login again</a></body>
</html>

To create the user in GlassFish (this is the user name and password that will be entered when running it):
$ $GLASSFISH_HOME/bin/asadmin create-file-user --groups user joe
Compile TestServlet class and jar up *.class, *.html and *.xml into a test.war:
Copy it to the $GLASSFISH_HOME/domains/domain1/autodeploy directory to deploy it. To run it, go to the URL https://localhost:8181/test/TestServlet. After entering the username and password, the following response is displayed:
Hello from TestServlet
If the wrong user name or password is entered, error.html is displayed with a link to login.html for a retry. 8181 is the default SSL port in GlassFish. If you use the non-secure port number 8080 in the test URL, GlassFish will automatically redirect to 8181. The browser may display a warning, since a self-signed certificate (as opposed to one issued by a certificate authority) is used to identify the GlassFish server.