I use FORM Authentication.

<login-config>
    <auth-method>FORM</auth-method>
    <form-login-config>
       <form-login-page>/loginPage.jsp</form-login-page>
       <form-error-page>/loginPage.jsp</form-error-page>
    </form-login-config>        
</login-config>

I would like to use the same JSP for my form-login-page and form-error-page, for sake of code reuse. I use a Realm ( org.apache.catalina.realm.JDBCRealm ).

In my JSP, I would like to display error messages if the authentication failed. Does Realm store anything in the request, which I could check?

A: 

I've done this by having the error page re-direct to the login-page via http headers and by having the error-page include javascript to open the login in an iframe below the error.

sal
Thanks, it looks too complicated. There must be an easier way.
Sergio del Amo
A: 

Have you found the way? I am having the same problem.

I found this:

http://www.shadegrowncode.com/2007/03/implementing-account-lockout-in-tomcat.html

but it doesn't look easy either.

A: 

Add a parameter to the url for the error page:

<form-login-config>
    <form-login-page>/login.jsp</form-login-page>
    <form-error-page>/login.jsp?error=true</form-error-page>
</form-login-config>

In your login.jsp, check whether an error occurred and display an error message if it did:

<%@ taglib prefix="c" uri="http://java.sun.com/jsp/jstl/core" %>
<%-- The container forwards to /login.jsp?error=true, so read the request
     parameter (param.error); a bare ${error} would look up a scoped
     attribute that nothing sets. --%>
<c:if test="${not empty param.error}">
    <p class="error">Login failed. Please try again.</p>
</c:if>

This form does not let you output any specific reason why the login failed. However, security considerations already make it a bad practice to do so, so that should not be a problem. E.g. you should not want to output detailed messages like "No user registered by that name." or "Wrong password for user X.", because that would help an attacker to break into the system.

Just tell them that login failed. Easy and good security practice, what more do you want? :)

Stijn de Witt
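A complete login.jsp that serves as both form-login-page and form-error-page with the ?error=true approach above, as an added example rather than code from the answer; it assumes JSTL is on the application's classpath and uses the j_username / j_password / j_security_check names that the Servlet specification fixes for FORM authentication:

```jsp
<%@ page contentType="text/html; charset=UTF-8" pageEncoding="UTF-8" %>
<%@ taglib prefix="c" uri="http://java.sun.com/jsp/jstl/core" %>
<!DOCTYPE html>
<html>
<head><title>Login</title></head>
<body>
  <%-- Rendered only when the container forwarded here as the
       form-error-page (/login.jsp?error=true). The message is the same
       for an unknown user and a wrong password, so nothing is leaked
       about which accounts exist. --%>
  <c:if test="${not empty param.error}">
    <p class="error">Login failed. Please try again.</p>
  </c:if>

  <%-- Field names and the action are defined by the Servlet spec for
       FORM auth; the container handles j_security_check itself, so no
       servlet of your own is involved. --%>
  <form method="post" action="j_security_check">
    <label>Username
      <input type="text" name="j_username" autocomplete="username">
    </label>
    <label>Password
      <input type="password" name="j_password" autocomplete="current-password">
    </label>
    <button type="submit">Log in</button>
  </form>
</body>
</html>
```

Requesting /login.jsp?error=true directly only shows the generic message, so the parameter exposes nothing beyond what a failed login already reveals.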