Skip to main content
Version: 1.22.x.x RR

Writing Login Applications using Velocity Rendering

Simple Login Application

Writing a simple login application with Velocity is straightforward. Simply supply a default template (default.vm in webdata/template directory) and start writing HTML. The sample below is annotated with comments (lines starting with ##, ignored by the template engine) for explanation.

<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN"
<title>Login Application</title>

## Redirect the client to the entry page upon logout
#if ($login.currentDialog == "SuccessfulLogoutDialog")
<meta http-equiv="Refresh" content="2;URL=">

## Include CSS and JS resources using shortcut, can be dialog and language-specific.

## These resources can, but don't have to be hosted by nevisLogRend
<link rel="stylesheet" type="text/css"
href="${login.appDataPath} /css/default.css">
<script language="JavaScript" type="text/javascript"

<div id="input"> <!-- begin input area -->

## Check if an error has occurred, if so, render an error bar
#set($error = $gui.getGuiElem("lasterror"))
#if ($error.value && $error.value != "")
<div id="error" align="center">

## Get a dialog-specific, localized text

## Implement the login dialogs here
<form method="POST" action=".">
#if ($login.currentDialog == "LoginDialog")
<!-- insert HTML form here-->
<!-- handle other dialogs -->
</div> <!-- end input area -->
<div id="footer">

## Render date in footer

Security Considerations

When writing your login page, security must be a top concern. Badly written login pages can be subject to injection attacks, such as cross-site scripting (XSS). nevisLogRend provides some utilities that can help you build safe login pages. In particular, you can use the following escaping utilities that will prevent attacks using the input parameters:

  • $utils.escapeHtmlAttribute($url)
  • $utils.escape($url)

See section Context Objects for more information about this and other utilities that can help you write login pages.

Encryption of Form Parameters


Form encryption will not protect against attacks, where the adversary is able to actively manipulate requests and responses. However, form encryption will prevent passive attacks, because intermediate nodes such as nevisProxy will not be able to log or store plain text credentials. For a general explanation of form encryption/end-to-end encryption, consult nevisAuth Reference Guide.

Form encryption prevents plain text passwords ending up in memory or log files of intermediate nodes like nevisProxy.

Based on the value of the GUI descriptor's encryption attribute, nevisLogRend determines whether form parameters should be encrypted. If form encryption is enabled, a JavaScript encryption script is appended to the HTML page. The HTML form is constructed such that the script is executed on form submission. The encryption algorithm and key sizes configured in the GUI descriptor's encryption attribute, as well as the public key, are injected into the HTML page.

When the user submits the form, each form parameter will be encrypted independently, using the encryption script.

The form encryption feature works out-of-the-box with setups created with nevisLogRend and above. For older instances (created with nevisLogRend below version support of the form encryption feature is possible by manually merging the Velocity templates and resources with the templates provided in nevisLogRend or newer.

The templates and resources involved with form encryption are listed below:

  • data/applications/def/webdata/js/e2eenc.js JavaScript providing the form encryption functionality.
  • data/applications/def/webdata/js/forge.bundle.js A JavaScript library providing cryptographic functions.
  • data/applications/def/webdata/template/default.vm The default template including the functionality for form encryption.
  • data/applications/def/webdata/template/form.vm The form template including the functionality for form encryption

Common Tasks

For convenience, some of the most frequently encountered tasks are listed in the table below:

Dialog-based logic

#if ($login.currentDialog == "LoginDialog")
<!-- display username/password dialog -->
#elseif ($login.currentDialog == "SecureIdDialog")
<!-- display secureid dialog -->

Text from localized bundle

<div id="disclaimer">$text.disclaimer</div>

Displaying an error from nevisAuth

#set($error = $gui.getGuiElem("lasterror"))
#if ($error.value && $error.value != "")

Iterating over GUI elements

#foreach ($guiElem in $gui.getGuiElems("appl"))

Including other templates


Displaying the current date

<div id="datebar">$</div>

Including a static resource (e.g., image, CSS) deployed with the login application

<img src="${login.appDataPath}/images/logo.gif">