Authentication: establishing that a user is who they claim to be.
The application only cares whether the user has passed authentication, not how the check was performed.
Authorization (access control): deciding what an authenticated user may access. ★ Adhere to the
How user information is provided to the application:
Option 1: authentication performed by the container (declarative, static configuration; efficient?)
A. HTTP Basic authentication (BASIC): user:password is Base64-encoded and sent in the Authorization request header on every request. Base64 is encoding, not encryption: anyone who can read the request can read the password.
B. HTTP Digest authentication (DIGEST, supported since HTTP/1.1): the server verifies an MD5 digest sent by the client. The digest covers the password together with a server-issued nonce (which encodes a timestamp, the requested resource and a server identifier), so the password itself never crosses the wire and a captured digest cannot be replayed against a new nonce.
C. HTTPS client authentication (CLIENT-CERT): the server requires the client's SSL/TLS certificate.
D. Form-based authentication (FORM): specific to the servlet specification and implemented by the servlet container itself; the credentials travel in clear text unless HTTPS is used. The login and error pages are set in <form-login-config>.
The access control type is declared in the web application deployment descriptor /WEB-INF/web.xml (part of the servlet specification): <login-config>/<auth-method> selects the mechanism above, <security-constraint> lists the protected resources and the roles allowed to reach them.
Obtaining user information: the request object provides methods for the authenticated user (Servlet 2.2 API): getRemoteUser(), getUserPrincipal(), isUserInRole(role) and getAuthType().
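What the container does behind BASIC and DIGEST, as an added illustration that is not part of the original notes: the Authorization header is decoded (BASIC) or recomputed from the stored password and the request's own method, URI and nonce (DIGEST, RFC 2617 with qop=auth) and compared. The user, realm, nonce and password values are constructed for the demo; the verification logic uses only the JDK.

```java
import java.nio.charset.StandardCharsets;
import java.security.MessageDigest;
import java.security.NoSuchAlgorithmException;
import java.util.Base64;
import java.util.HashMap;
import java.util.Map;

/** Server-side handling of the Authorization header for BASIC and DIGEST (demo, not container code). */
public class HttpAuthDemo {

    /** BASIC: the header is just "user:password" Base64-encoded; decoding it recovers the password. */
    static String[] decodeBasic(String authorizationHeader) {
        if (authorizationHeader == null || !authorizationHeader.startsWith("Basic ")) return null;
        byte[] raw = Base64.getDecoder().decode(authorizationHeader.substring(6).trim());
        String pair = new String(raw, StandardCharsets.UTF_8);
        int colon = pair.indexOf(':');
        if (colon < 0) return null;
        return new String[] { pair.substring(0, colon), pair.substring(colon + 1) };
    }

    static String md5Hex(String s) {
        try {
            byte[] d = MessageDigest.getInstance("MD5").digest(s.getBytes(StandardCharsets.UTF_8));
            StringBuilder sb = new StringBuilder();
            for (byte b : d) sb.append(String.format("%02x", b));
            return sb.toString();
        } catch (NoSuchAlgorithmException e) {
            throw new IllegalStateException(e);
        }
    }

    /** Parse the key="value" pairs of a Digest header (simplified: no commas or escapes inside values). */
    static Map<String, String> parseDigest(String header) {
        Map<String, String> m = new HashMap<>();
        for (String part : header.substring("Digest ".length()).split(",")) {
            int eq = part.indexOf('=');
            if (eq < 0) continue;
            String k = part.substring(0, eq).trim();
            String v = part.substring(eq + 1).trim();
            if (v.startsWith("\"") && v.endsWith("\"")) v = v.substring(1, v.length() - 1);
            m.put(k, v);
        }
        return m;
    }

    /** RFC 2617, qop=auth: response = MD5(HA1:nonce:nc:cnonce:qop:HA2), HA1 = MD5(user:realm:pw), HA2 = MD5(method:uri). */
    static String digestResponse(String user, String realm, String password, String method, String uri,
                                 String nonce, String nc, String cnonce, String qop) {
        String ha1 = md5Hex(user + ":" + realm + ":" + password);
        String ha2 = md5Hex(method + ":" + uri);
        return md5Hex(ha1 + ":" + nonce + ":" + nc + ":" + cnonce + ":" + qop + ":" + ha2);
    }

    /** Server side: the nonce must be one we issued, then recompute with the stored password and compare. */
    static boolean verifyDigest(String header, String method, Map<String, String> passwords, String issuedNonce) {
        Map<String, String> f = parseDigest(header);
        String pw = passwords.get(f.get("username"));
        if (pw == null || !issuedNonce.equals(f.get("nonce"))) return false;
        String expected = digestResponse(f.get("username"), f.get("realm"), pw, method, f.get("uri"),
                f.get("nonce"), f.get("nc"), f.get("cnonce"), f.get("qop"));
        return MessageDigest.isEqual(expected.getBytes(StandardCharsets.UTF_8),
                                     f.get("response").getBytes(StandardCharsets.UTF_8));
    }

    public static void main(String[] args) {
        // constructed BASIC header for the demo user "alice" with password "s3cret"
        String basic = "Basic " + Base64.getEncoder().encodeToString("alice:s3cret".getBytes(StandardCharsets.UTF_8));
        String[] creds = decodeBasic(basic);
        System.out.println("BASIC exposes user=" + creds[0] + " password=" + creds[1]);

        // constructed DIGEST exchange: this nonce was sent by the server in its 401 challenge
        String nonce = "dcd98b7102dd2f0e8b11d0f600bfb0c093";
        Map<String, String> passwords = new HashMap<>();
        passwords.put("alice", "s3cret");
        String response = digestResponse("alice", "demo@example.com", "s3cret", "GET", "/secure/",
                                         nonce, "00000001", "0a4f113b", "auth");
        String header = "Digest username=\"alice\", realm=\"demo@example.com\", nonce=\"" + nonce
                + "\", uri=\"/secure/\", qop=auth, nc=00000001, cnonce=\"0a4f113b\", response=\"" + response + "\"";
        System.out.println("DIGEST valid for GET /secure/: " + verifyDigest(header, "GET", passwords, nonce));
        // the same header replayed for another method or after a new nonce is issued fails
        System.out.println("DIGEST replayed as POST: " + verifyDigest(header, "POST", passwords, nonce));
        System.out.println("DIGEST after nonce change: " + verifyDigest(header, "GET", passwords, "freshnonce"));
    }
}
```

The BASIC branch prints the password back verbatim, which is the whole weakness of that method without HTTPS; the DIGEST branch shows why the nonce and the method/URI binding matter: the captured header only verifies for the exact request and nonce it was produced for.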
Option 2: authentication controlled by the application (dynamic verification model); the password is still sent in clear text unless HTTPS is used.
Custom behaviour
It relies on three essential properties:
NAME: the name under which the login page stores the bean object it creates once the user is verified.
LOGIN: the URL to forward to when no object of that name is found (the user is not logged in).
ERRORMSG: the message displayed on the page at the forwarded URL.
A page under access control that is the target of a POST form must check that the request actually arrived by POST. Note that getMethod() returns the method in upper case ("POST"), so comparing against "post" would treat every request as non-POST; compare case-insensitively:
  <% if (!request.getMethod().equalsIgnoreCase("POST")) { %>
    <%-- request did not come through the form by POST: reject it or forward to the login URL --%>
  <% } %>
Prevent users from resubmitting expired forms (back button, refresh); a one-time token stored in the session and carried in a hidden field, consumed on the first submission, achieves this.
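The application-controlled model above (bean lookup by NAME, forward to LOGIN with ERRORMSG, POST-only protected pages, no resubmission of expired forms) as one servlet Filter. This is an added example, not code from the original notes; it assumes the Servlet API (javax.servlet) on the classpath, that the login page stores the user bean in the session under the NAME init parameter, and that the form page calls the hypothetical issueFormToken() helper to put a token into a hidden field named formToken.

```java
import java.io.IOException;
import java.nio.charset.StandardCharsets;
import java.security.MessageDigest;
import java.security.SecureRandom;
import java.util.Base64;
import javax.servlet.Filter;
import javax.servlet.FilterChain;
import javax.servlet.FilterConfig;
import javax.servlet.ServletException;
import javax.servlet.ServletRequest;
import javax.servlet.ServletResponse;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;
import javax.servlet.http.HttpSession;

/**
 * Hypothetical application-managed access control driven by the three properties from the notes,
 * passed as filter init parameters: name (session attribute of the user bean), login (forward URL)
 * and errormsg (message shown on the login page).
 */
public class AppAuthFilter implements Filter {
    private static final SecureRandom RNG = new SecureRandom();
    private String beanName, loginUrl, errorMsg;

    @Override
    public void init(FilterConfig cfg) {
        beanName = cfg.getInitParameter("name");     // e.g. "user"
        loginUrl = cfg.getInitParameter("login");    // e.g. "/login.jsp"
        errorMsg = cfg.getInitParameter("errormsg"); // e.g. "Please log in first"
    }

    @Override
    public void doFilter(ServletRequest req, ServletResponse res, FilterChain chain)
            throws IOException, ServletException {
        HttpServletRequest request = (HttpServletRequest) req;
        HttpServletResponse response = (HttpServletResponse) res;
        HttpSession session = request.getSession(false);

        // 1. Authenticated? Only the login page creates the bean; its absence means "not logged in".
        if (session == null || session.getAttribute(beanName) == null) {
            request.setAttribute("errormsg", errorMsg);
            request.getRequestDispatcher(loginUrl).forward(request, response);
            return;
        }

        // 2. Protected form targets are reached only by POST (getMethod() is upper case).
        if (!"POST".equalsIgnoreCase(request.getMethod())) {
            response.sendError(HttpServletResponse.SC_METHOD_NOT_ALLOWED);
            return;
        }

        // 3. One-time form token: removed from the session before checking, so a second submission
        //    of the same (now expired) form, or a form without a token, is rejected.
        String expected = (String) session.getAttribute("formToken");
        String supplied = request.getParameter("formToken");
        session.removeAttribute("formToken");
        if (expected == null || supplied == null
                || !MessageDigest.isEqual(expected.getBytes(StandardCharsets.UTF_8),
                                          supplied.getBytes(StandardCharsets.UTF_8))) {
            request.setAttribute("errormsg", "Form expired or already submitted");
            request.getRequestDispatcher(loginUrl).forward(request, response);
            return;
        }
        chain.doFilter(request, response);
    }

    /** Called by the page that renders the form; the returned token goes into a hidden field "formToken". */
    public static String issueFormToken(HttpSession session) {
        byte[] b = new byte[16];
        RNG.nextBytes(b);
        String token = Base64.getUrlEncoder().withoutPadding().encodeToString(b);
        session.setAttribute("formToken", token);
        return token;
    }

    @Override
    public void destroy() { }
}
```

Map the filter to the protected URLs in web.xml with the three init parameters. The token is consumed before it is compared, so even a request that fails the comparison invalidates it; a fresh token is issued each time the form is rendered.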
Using HTTPS removes the clear-text weakness of the other three methods: whether only the server or both client and server are authenticated, the connection is encrypted, so the Base64 password of BASIC and the form fields of FORM are no longer readable on the wire.
Cookie handling: