web.xml:
<login-config> <auth-method>FORM</auth-method> <form-login-config> <form-login-page>/Login.jsp</form-login-page> <form-error-page>/LoginError.jsp</form-error-page> </form-login-config> </login-config>It's useful to note that you don't have to specify two different pages.
For example:
<login-config> <auth-method>FORM</auth-method> <form-login-config> <form-login-page>/Login.jsp</form-login-page> <form-error-page>/Login.jsp?Retry=True</form-error-page> </form-login-config> </login-config>That is, the same page can be reused for login errors. In the presence of the
Retry parameter, the Login.jsp will display a simple error message.
Here is a snippet from a Login.jsp which uses this style:
<form method="POST" action='<%= response.encodeURL("j_security_check") %>'>
<table align="center">
<c:if test='${not empty param["Retry"]}'>
<tr>
<td colspan='2' align='center'><b>Please try again.</b></td>
</tr>
<tr>
<td> </td>
</tr>
</c:if>
<tr>
<td><label>Name</label></td>
<td><input type="text" name="j_username"></td>
</tr>
<tr>
<td><label>Password</label></td>
<td><input type="password" name="j_password"></td>
</tr>
<tr align="center">
<td colspan="2"><input type="submit" value="Login"></td>
</tr>
</table>
</form>
For security reasons, many recommend not giving specific error information.
For example, stating explicitly that the password is incorrect is undesirable, since that information
is useful to hackers.
For similar reasons, when displaying an error it's likely best not to repeat the user's
original input, and to leave the login form blank.