web.xml:

    <login-config>
        <auth-method>FORM</auth-method>
        <form-login-config>
            <form-login-page>/Login.jsp</form-login-page>
            <form-error-page>/LoginError.jsp</form-error-page>
        </form-login-config>
    </login-config>

It's useful to note that you don't have to specify two different pages.
For example:

    <login-config>
        <auth-method>FORM</auth-method>
        <form-login-config>
            <form-login-page>/Login.jsp</form-login-page>
            <form-error-page>/Login.jsp?Retry=True</form-error-page>
        </form-login-config>
    </login-config>

That is, the same page can be reused for login errors. When the Retry parameter is present, Login.jsp displays a simple error message.
Here is a snippet from a Login.jsp which uses this style (the JSTL core taglib directive is needed for the <c:if> tag):

    <%@ taglib uri="http://java.sun.com/jsp/jstl/core" prefix="c" %>

    <form method="POST" action='<%= response.encodeURL("j_security_check") %>'>
        <table align="center">
            <%-- Shown only when the container redirected here after a failed login --%>
            <c:if test='${not empty param["Retry"]}'>
                <tr>
                    <td colspan='2' align='center'><b>Please try again.</b></td>
                </tr>
                <tr>
                    <td> </td>
                </tr>
            </c:if>
            <tr>
                <td><label>Name</label></td>
                <td><input type="text" name="j_username"></td>
            </tr>
            <tr>
                <td><label>Password</label></td>
                <td><input type="password" name="j_password"></td>
            </tr>
            <tr align="center">
                <td colspan="2"><input type="submit" value="Login"></td>
            </tr>
        </table>
    </form>

For security reasons, many recommend not giving specific error information. For example, stating explicitly that the password is incorrect is undesirable, since it confirms that the user name is valid, which is useful to an attacker.
For similar reasons, when displaying an error it's likely best not to repeat the user's original input, and to leave the login form blank.