
About Form based authentication vs Basic authentication

Ranch Foreman
Posts: 1922
In EPractice Lab, there is a question: "Which of the following values of the <auth-method> element will rely on browser-specific login mechanisms?"
a. Basic
b. Form
c. Kerberos
d. Client-cert
e. server-cert
f. digest

I believe the answer should be b. Form. According to the J2EE tutorial,

Specifying HTTP basic authentication requires that the server request a user name and password from the web client and verify that the user name and password are valid by comparing them against a database of authorized users in the specified or default realm.

Form-based authentication allows the developer to control the look and feel of the login authentication screens by customizing the login screen and error pages that an HTTP browser presents to the end user. When form-based authentication is declared, the following actions occur.

But the given answer is a. Basic.
Posts: 4179
Form-based authentication requires the developer to create a form. The developer, and not the browser, is responsible for naming the fields, determining what it looks like, how it gets sent to the server, etc. So I wouldn't say that is browser-specific at all. Basic authentication, however, doesn't require (or let) the developer to create a form. The username and password are collected by the browser itself - this could be via a modal dialog, a pop-up window, saved credentials, or some other means. In any case the implementation is out of the web app developer's hands and in the hands of the browser - each browser will likely do it slightly differently and have different looks/methods of getting the input (and perhaps may not support it?). So since this form of authentication relies on what the browser does, not HTML or other code the web developer produces, and because it is possible to change from one browser to another, it is a browser-specific mechanism.
Himai Minh
Ranch Foreman
Posts: 1922
Thanks for your clarification.
So, when the username and password are collected from a browser, they are encoded and put in the HTTP "Authorization" header.
It does not matter what browser it is and how the browser implements the credential collection; the credentials will end up in the Authorization HTTP header.
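
The header format discussed above, as an added example that is not part of the thread: whatever dialog a browser shows for Basic authentication, it sends the same `Authorization` value, which a server parses as below. The base64 step is reversible encoding, not encryption, so the header only stays confidential over TLS. The function names and sample credentials are assumptions made for illustration.

```python
import base64


def build_basic_header(username: str, password: str) -> str:
    """Header value every browser produces after its own login prompt."""
    if ":" in username:
        # The first ':' separates user from password, so the user-id cannot hold one.
        raise ValueError("username must not contain ':'")
    token = base64.b64encode(f"{username}:{password}".encode("utf-8"))
    return "Basic " + token.decode("ascii")


def parse_basic_header(value: str):
    """Server side: return (username, password), or None if the value is malformed."""
    scheme, _, token = value.strip().partition(" ")
    if scheme.lower() != "basic" or not token.strip():
        return None  # another scheme (e.g. Bearer) or no credentials at all
    try:
        # validate=True rejects characters outside the base64 alphabet
        decoded = base64.b64decode(token.strip(), validate=True).decode("utf-8")
    except ValueError:
        # covers bad base64 (binascii.Error) and bytes that are not UTF-8
        return None
    username, sep, password = decoded.partition(":")
    if not sep:
        return None  # no ':' separator, so not user:password
    return username, password  # the password may itself contain ':'


# Constructed sample credentials, not taken from the thread.
SAMPLE_USER = "alice"
SAMPLE_PASSWORD = "s3cr:et"

if __name__ == "__main__":
    header = build_basic_header(SAMPLE_USER, SAMPLE_PASSWORD)
    print("Authorization:", header)
    print("Server sees:", parse_basic_header(header))
```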