Your web application may contain URLs that should be accessed only through other URLs. For example, in an online banking application, account holders should be able to access their account information only by logging on through a login screen first. In your security policy, you can create login URLs to limit access to authenticated URLs.
A login page is a URL in a web application that requests must pass through to get to the authenticated URLs. Use login pages, for example, to prevent forceful browsing of restricted parts of the web application, by defining access permissions for users. Login pages also allow session tracking of user sessions.
Authenticated URLs are URLs that become accessible to users only after they successfully log in to the login URL. A logout URL is a URL that, if accessed, forces users to return to the login URL before re-accessing authenticated URLs. System administrators use these special URLs to prevent forceful browsing by causing users to pass through the login URL before viewing the restricted authenticated URLs.
The login page's authentication type is one of the following:

| Authentication type | Description |
| --- | --- |
| None | The web server does not authenticate users trying to access the web application through the login URL. This is the default setting. |
| HTML Form | The web application uses a form to collect and authenticate user credentials. If you use this option, you also need to enter the names of the user name and password parameters exactly as they appear in the HTML form's code. |
| HTTP Basic Authentication | The user name and password are transmitted Base64-encoded and stored on the server in plain text. |
| HTTP Digest Authentication | The web server performs the authentication; user names and passwords are not transmitted over the network, nor are they stored in plain text. |
| NTLM | Microsoft LAN Manager authentication (also called Integrated Windows Authentication) does not transmit credentials in plain text, but requires a continuous TCP connection between the server and client. |
Following are descriptions of the access validation criteria for the response to the login URL. You configure one or more of these validations when defining a login page.
| Access validation | Define in login page as |
| --- | --- |
| A string that should appear in the response | A string that must appear in the response for the system to allow the user to access the authenticated URL; for example, `Successful Login`. |
| A string that should NOT appear in the response | A string that indicates a failed login attempt and prohibits user access to the authenticated URL; for example, `Authentication failed`. |
| Expected HTTP response status code | An HTTP response code that the server must return to the user to allow access to the authenticated URL; for example, `200`. |
| Expected validation header name and value (for example, the `Location` header) | A header name and value that the response to the login URL must match to permit user access to the authenticated URL. |
| Expected validation domain cookie name | A defined domain cookie name that the response to the login URL must match to permit user access to the authenticated URL. |
| Expected parameter name (added to URI links in the response) | A parameter that must exist in the URI links of the login URL's HTML body to allow access to the authenticated URL. |
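The following Python script is an added illustration, not code from the original page or from the product it describes. It models the two ideas in this section: first, the access validation criteria from the table above are applied to the server's response to the login URL; second, per-session enforcement allows authenticated URLs only after a validated login and revokes that state when the logout URL is requested. The URLs (`/login`, `/logout`, `/account/summary`), the cookie name `BANKSESSION`, the parameter name `token`, and the sample responses are all constructed for the example.

```python
import re
from dataclasses import dataclass
from http.cookies import SimpleCookie
from typing import Optional
from urllib.parse import parse_qs, urlsplit


@dataclass
class HttpResponse:
    """Minimal view of the response the server sends for the login URL."""
    status: int
    headers: list   # list of (name, value) pairs; Set-Cookie may repeat
    body: str


@dataclass
class LoginValidation:
    """The access validation criteria from the table; each one is optional."""
    must_contain: Optional[str] = None         # string that should appear in the response
    must_not_contain: Optional[str] = None     # string that should NOT appear in the response
    expected_status: Optional[int] = None      # expected HTTP response status code
    expected_header: Optional[tuple] = None    # (header name, header value)
    expected_cookie: Optional[str] = None      # expected validation domain cookie name
    expected_parameter: Optional[str] = None   # parameter name on URI links in the body


def header_values(headers, name):
    """Case-insensitive lookup of every value carried by a header name."""
    return [v for n, v in headers if n.lower() == name.lower()]


def cookie_names(headers):
    """Names of all cookies set by the response (parsed from Set-Cookie headers)."""
    names = set()
    for raw in header_values(headers, "Set-Cookie"):
        jar = SimpleCookie()
        jar.load(raw)
        names.update(jar.keys())
    return names


def link_parameter_names(body):
    """Query parameter names found on href links in the HTML body."""
    names = set()
    for href in re.findall(r'href=["\']([^"\']+)["\']', body, flags=re.IGNORECASE):
        names.update(parse_qs(urlsplit(href).query).keys())
    return names


def login_response_is_valid(resp, rules):
    """True only when every configured criterion is satisfied by the login response."""
    if rules.must_contain is not None and rules.must_contain not in resp.body:
        return False
    if rules.must_not_contain is not None and rules.must_not_contain in resp.body:
        return False
    if rules.expected_status is not None and resp.status != rules.expected_status:
        return False
    if rules.expected_header is not None:
        name, value = rules.expected_header
        if value not in header_values(resp.headers, name):
            return False
    if rules.expected_cookie is not None and rules.expected_cookie not in cookie_names(resp.headers):
        return False
    if rules.expected_parameter is not None and rules.expected_parameter not in link_parameter_names(resp.body):
        return False
    return True


class AccessEnforcer:
    """Per-session enforcement: authenticated URLs are reachable only after a validated login."""

    def __init__(self, login_url, logout_url, authenticated_urls, rules):
        self.login_url = login_url
        self.logout_url = logout_url
        self.authenticated_urls = set(authenticated_urls)
        self.rules = rules
        self.logged_in = set()   # session ids that passed through the login URL successfully

    def observe(self, session_id, path, login_response=None):
        """Return 'allow' or 'block' for one request; login_response is the
        server's reply when path is the login URL (hypothetical proxy view)."""
        if path == self.logout_url:
            self.logged_in.discard(session_id)   # user must pass the login URL again
            return "allow"
        if path == self.login_url:
            if login_response is not None and login_response_is_valid(login_response, self.rules):
                self.logged_in.add(session_id)
            return "allow"
        if path in self.authenticated_urls and session_id not in self.logged_in:
            return "block"   # forceful browsing: authenticated URL without a prior login
        return "allow"


# Constructed sample data for the example.
RULES = LoginValidation(must_contain="Successful Login", must_not_contain="Authentication failed",
                        expected_status=200, expected_cookie="BANKSESSION", expected_parameter="token")

GOOD_LOGIN_RESPONSE = HttpResponse(
    200, [("Content-Type", "text/html"), ("Set-Cookie", "BANKSESSION=abc123; Path=/; HttpOnly")],
    '<html><body><p>Successful Login</p><a href="/account/summary?token=x9">Accounts</a></body></html>')

FAILED_LOGIN_RESPONSE = HttpResponse(
    200, [("Content-Type", "text/html")],
    '<html><body><p>Authentication failed</p><a href="/login">Try again</a></body></html>')


def demo():
    """One session: forceful browsing, failed login, successful login, logout."""
    enforcer = AccessEnforcer("/login", "/logout", {"/account/summary"}, RULES)
    steps = [("/account/summary", None), ("/login", FAILED_LOGIN_RESPONSE), ("/account/summary", None),
             ("/login", GOOD_LOGIN_RESPONSE), ("/account/summary", None), ("/logout", None),
             ("/account/summary", None)]
    return [enforcer.observe("sess-1", path, resp) for path, resp in steps]


if __name__ == "__main__":
    print(demo())
```

Running the script prints the decision for each step of the session: the first request to the authenticated URL is blocked, the failed login leaves it blocked, the validated login allows it, and the logout URL returns the session to the blocked state until the login URL is passed again.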