I took a test on j2eecertificate.com and the site said the following about form-based authentication: The username and password is not encoded using the Base64 mechanism before being sent to the server. But I remember SCWCD Exam Study says form-based authentication is similar to Basic authentication. Could someone explain this to me? Thanks.
With BASIC authentication, you trigger some special code in the client browser. This code encodes the username and password information in Base64, not for encryption purposes (that would be foolish) but to ensure that the data are transmitted as-is on a non-binary link (the HTTP connection). This mechanism avoids character encoding issues.
Remember that the only thing that makes the difference between a simple form and an authentication (apart from the deployment descriptor declaration) is the action attribute of your HTML form tag. So the authentication form is processed by the web browser as any other form of your application.
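The difference on the wire, as an added example that is not part of the original posts: it builds the request a browser sends for BASIC and for FORM login, then recovers the credentials from each. It assumes the Servlet specification's `j_security_check` action with `j_username` and `j_password` fields; the host, paths and credentials are constructed.

```python
import base64
from urllib.parse import urlencode, parse_qs

# Constructed sample credentials; the colon and non-ASCII character are deliberate.
USER, PASSWORD = "alice", "p@ss:wörd"

def basic_request(user, password):
    """What the browser sends for BASIC: credentials in a Base64 header."""
    token = base64.b64encode(f"{user}:{password}".encode("utf-8")).decode("ascii")
    return ("GET /secure/index.jsp HTTP/1.1\r\n"
            "Host: example.test\r\n"
            f"Authorization: Basic {token}\r\n\r\n")

def form_request(user, password):
    """What the browser sends for FORM: an ordinary URL-encoded POST body."""
    body = urlencode({"j_username": user, "j_password": password})
    return ("POST /app/j_security_check HTTP/1.1\r\n"
            "Host: example.test\r\n"
            "Content-Type: application/x-www-form-urlencoded\r\n"
            f"Content-Length: {len(body)}\r\n\r\n{body}")

def recover_basic(raw):
    """Reverse the Base64 step, as the server or any observer can."""
    header = next(l for l in raw.split("\r\n")
                  if l.startswith("Authorization: Basic "))
    decoded = base64.b64decode(header.split(" ", 2)[2]).decode("utf-8")
    user, _, password = decoded.partition(":")  # split on the first colon only
    return user, password

def recover_form(raw):
    """Parse the form body the same way the container does."""
    fields = parse_qs(raw.split("\r\n\r\n", 1)[1])
    return fields["j_username"][0], fields["j_password"][0]

if __name__ == "__main__":
    for build, recover in ((basic_request, recover_basic),
                           (form_request, recover_form)):
        raw = build(USER, PASSWORD)
        print(raw, "\n-> recovered:", recover(raw), "\n")
```

Both requests yield the credentials with no key, so either login method needs TLS, for example a `CONFIDENTIAL` transport guarantee in the deployment descriptor.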