2

I have an old servlet ABC using a web.xml to define its form login (which is another servlet XYZ stored in another JAR file and integrated in the WAR under path WEB-INF\lib):

<login-config>
  <auth-method>FORM</auth-method>
  <form-login-config>
    <form-login-page>/login</form-login-page>
    <form-error-page>/login?event=Retry</form-error-page>
  </form-login-config>
</login-config>

Now I migrated servlet ABC using the new Servlet 3.0 annotations. I have a @WebServlet and a @ServletSecurity annotation. But how do I define that my login configuration is a form-based login (auth-method in web.xml) and what URL the web container should redirect the request to (form-login-page in web.xml)? I found a tutorial with a note that when using form-based login I must use a deployment descriptor.

I didn't find a remark regarding this in the Servlet 3.0 spec. Does anybody know if this is correct? Or are there any annotations or other ways to prevent me from using a deployment descriptor?

1 Answer

4

Stephan,

I've been trying to find all-annotation configuration for my application as well.

You are correct - the only way to configure form-based authentication is by using a deployment descriptor (web.xml or web-fragment.xml).

According to JSR-315 Servlet 3.0 Specification :: Ch13.6.3 (pg132):

"The web application deployment descriptor contains entries for a login form and error page..."

The specification only refers to the web deployment descriptor for form-login configuration, and not to any annotation-based configuration.

Also, take a look at JSR-315 Servlet 3.0 Specification :: Ch8.1 (pg61-64) - there is no notion of Servlet annotations that would implement form-based authentication configuration.

Actually, all of Ch8 is very useful to read, especially JSR-315 Servlet 3.0 Specification :: Ch8.2.3 (pg72-84) that explains how web.xml, web-fragment.xml and annotations are being assembled together and in which order.

I have briefly looked over the JSR-340 Servlet 3.1 Specification, which has just been released on May 28, 2013. It seems they have not added any new provisions for form-based authentication configuration, see JSR-340 Servlet 3.1 Specification :: Ch13.6.3 (pg139)...

Good luck ;)

nevenc
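A minimal descriptor that keeps only the form-login configuration from the question while the servlet mapping and constraints stay in annotations. This is an added example, not part of the original question or answer; it assumes the Servlet 3.0 schema and reuses the `/login` paths from the question.

```xml
<?xml version="1.0" encoding="UTF-8"?>
<!-- Added example: web.xml reduced to the one piece that has no annotation
     equivalent. The servlet mapping and the security constraints still come
     from @WebServlet and @ServletSecurity on the servlet class. -->
<web-app xmlns="http://java.sun.com/xml/ns/javaee"
         xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
         xsi:schemaLocation="http://java.sun.com/xml/ns/javaee
                             http://java.sun.com/xml/ns/javaee/web-app_3_0.xsd"
         version="3.0"
         metadata-complete="false">
  <!-- metadata-complete="false" (the default) keeps annotation processing on.
       Setting it to "true" makes the container ignore @WebServlet and
       @ServletSecurity, so the constraints declared on the class would not
       be applied. -->

  <login-config>
    <auth-method>FORM</auth-method>
    <form-login-config>
      <!-- Paths taken from the question; both are served by the login
           servlet packaged in the JAR under WEB-INF/lib. -->
      <form-login-page>/login</form-login-page>
      <form-error-page>/login?event=Retry</form-error-page>
    </form-login-config>
  </login-config>
</web-app>
```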