Using Form based login in JBoss


Allows Logout - session.invalidate()

Automatically expires when the session expires

More efficient and secure - single authentication

Fully customizable

Control the layout of the login page

Control the layout of the error page

Provide links to "user registration" or "recover password" actions

Support for FORM-based login is part of the Java EE specification, and like the rest of JAAS-based security, it is independent of the application server

With the FORM-based login, the server forces the users to login via an HTML form when it detects the user’s session is not authenticated

This is accomplished by forwarding the users' requests to the login page

In case of authentication failures, users are sent to the login error page

Login.jsp Form Page

JBoss handler: j_security_check for params j_username and j_password


<head><title>Login Form</title></head>


<h1>Login Form</h1>

<form action="j_security_check" method="post">


<input type="text" name="j_username"/><br/>


<input type="password" name="j_password"/><br/>

<input type="submit" value="Login" />




To support non-cookie-based-session-tracking, change j_security_check to

<%= response.encodeURL("j_security_check") %>

which will add JSESSIONID to the request URL if needed.

LoginError.jsp Page

Displays the error message if the authentication fails


<head><title>Login Error</title></head>


<h1>Authentication Error</h1>

<p style="color: red">

Invalid username and/or password.


<p><a href="Login.jsp">Try again?</a></p>



This page is only shown if user enters invalid username and/or password. Authorization errors (user not in required role) are handled separately.

Learn JBOSS by Tekslate - Fastest growing sector in the industry.

Explore Online JBOSS  Training and course is aligned with industry needs & developed by industry veterans.

Tekslate will turn you into JBOSS Expert.

Update Login Configuration

Update <login-config> in web.xml:








Authorization Failure

Authorization failures are expressed by HTTP 403 status codes

Use <error-page> element to configure HTTP 403 handler in web.xml:





For indepth understanding on JBoss click on: