Reuse login page for errors
The Servlet API defines a form-based login mechanism, which allows you to define a login page and an associated login error page. Here is an example of such an entry in web.xml :
<login-config>
  <auth-method>FORM</auth-method>
  <form-login-config>
    <form-login-page>/Login.jsp</form-login-page>
    <form-error-page>/LoginError.jsp</form-error-page>
  </form-login-config>
</login-config>
It is important to note that you do not have to specify two different pages.
For example:
<login-config>
  <auth-method>FORM</auth-method>
  <form-login-config>
    <form-login-page>/Login.jsp</form-login-page>
    <form-error-page>/Login.jsp?Retry=True</form-error-page>
  </form-login-config>
</login-config>
That is, the same page can be reused for login errors. When the Retry parameter is present, Login.jsp displays a simple error message.
Here is a snippet from a Login.jsp which uses this style:
<%-- The c:if test below needs the JSTL core tag library declared on the page. --%>
<%@ taglib prefix="c" uri="http://java.sun.com/jsp/jstl/core" %>
<form method="POST" action='<%= response.encodeURL("j_security_check") %>'>
<table align="center">
<%-- Retry is set only on the container's forward after a failed j_security_check. --%>
<c:if test='${not empty param["Retry"]}'>
<tr>
<td colspan='2' align='center'><b>Please try again.</b></td>
</tr>
<tr>
<td> </td>
</tr>
</c:if>
<tr>
<td><label>Name</label></td>
<td><input type="text" name="j_username"></td>
</tr>
<tr>
<td><label>Password</label></td>
<td><input type="password" name="j_password"></td>
</tr>
<tr align="center">
<td colspan="2"><input type="submit" value="Login"></td>
</tr>
</table>
</form>
For security reasons, many recommend not giving specific error information.
For example, stating explicitly that the password is incorrect is undesirable, since it confirms to an attacker that the user name is valid.
For similar reasons, when displaying an error it is usually best not to echo the user's original input back into the form, and to leave the login form blank.
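Keeping the message shown to the user generic does not mean the failure should go unrecorded. The following servlet Filter is an added example, not code from the original page: it is mapped to /Login.jsp in web.xml (with both REQUEST and FORWARD dispatchers, so it sees the container's forward to the error page) and turns each visit to the Retry variant into a log line for monitoring. The class name, the per-address counter and the ALERT_THRESHOLD value are assumptions for this illustration.

```java
import java.io.IOException;
import java.util.Map;
import java.util.concurrent.ConcurrentHashMap;
import java.util.concurrent.atomic.AtomicInteger;
import java.util.logging.Logger;

import javax.servlet.Filter;
import javax.servlet.FilterChain;
import javax.servlet.FilterConfig;
import javax.servlet.ServletException;
import javax.servlet.ServletRequest;
import javax.servlet.ServletResponse;
import javax.servlet.http.HttpServletRequest;

/**
 * Hypothetical filter for /Login.jsp. The container forwards to
 * /Login.jsp?Retry=True only after j_security_check rejects the credentials,
 * so the presence of the Retry parameter marks one failed login attempt.
 */
public class LoginErrorAuditFilter implements Filter {
    private static final Logger LOG = Logger.getLogger(LoginErrorAuditFilter.class.getName());
    // Failed-attempt counts per client address, kept in memory (assumption: single JVM).
    private final Map<String, AtomicInteger> failures = new ConcurrentHashMap<>();
    // Constructed threshold after which an operator warning is logged.
    private static final int ALERT_THRESHOLD = 5;

    @Override public void init(FilterConfig cfg) {}
    @Override public void destroy() {}

    @Override
    public void doFilter(ServletRequest req, ServletResponse res, FilterChain chain)
            throws IOException, ServletException {
        HttpServletRequest http = (HttpServletRequest) req;
        if (http.getParameter("Retry") != null) {
            String client = http.getRemoteAddr();
            int n = failures.computeIfAbsent(client, k -> new AtomicInteger()).incrementAndGet();
            // The client only ever sees the generic "Please try again" message; the log
            // records the event and its origin, never the submitted credentials.
            LOG.info("login failure #" + n + " from " + client);
            if (n == ALERT_THRESHOLD) {
                LOG.warning("repeated login failures from " + client + "; review for brute force");
            }
        }
        chain.doFilter(req, res);
    }
}
```

Behind a reverse proxy getRemoteAddr returns the proxy's address, so the counter key would need to come from a trusted forwarded-for header instead.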