Although there’s more to implementing it than with the other forms of authentication, FORM-based isn’t that bad. First, you create your own custom HTML form for the user login (although this can certainly be generated by a JSP). Then you create a custom HTML error page for the Container to use when the user makes a login error. Finally, you tie the two forms together in the DD, using the <login-config> element. Note: if you’re using Form-based authentication, be sure to turn on SSL or session tracking, or your Container might not recognize the login form when it’s returned!
What YOU do:
Declare <login-config> in the DD
Create an HTML login form
Create an HTML error form