
About Form based authentication vs Basic authentication

 
Himai Minh
Ranch Hand
Posts: 1328
In EPractice Lab, a question asks: "Which of the following values of the <auth-method> element will rely on browser-specific login mechanisms?"
a. Basic
b. Form
c. Kerberos
d. Client-cert
e. server-cert
f. digest

I believe the answer should be b. Form. According to the J2EE tutorial,

Specifying HTTP basic authentication requires that the server request a user name and password from the web client and verify that the user name and password are valid by comparing them against a database of authorized users in the specified or default realm.



Form-based authentication allows the developer to control the look and feel of the login authentication screens by customizing the login screen and error pages that an HTTP browser presents to the end user. When form-based authentication is declared, the following actions occur.


But the given answer is a. Basic.
 
Steve Luke
Bartender
Posts: 4181
Form based authentication requires the developer to create a form. The developer, and not the browser, is responsible for naming the fields, determining what it looks like, how it gets sent to the server, etc. So I wouldn't say that is browser-specific at all. Basic authentication, however, doesn't require (or let) the developer to create a form. The username and password are collected by the browser itself - this could be via a modal dialog, a pop-up window, saved credentials, or some other means. In any case the implementation is out of the web app developer's hands and in the hands of the browser - each browser will likely do it slightly differently and have different looks/methods of getting the input (and perhaps may not support it?). So since this form of authentication relies on what the browser does, not HTML or other code the web developer produces, and because it is possible to change from one browser to another, it is a browser-specific mechanism.
 
Himai Minh
Ranch Hand
Posts: 1328
Thanks for your clarification.
So, when the username and password are collected from a browser, they are encoded and put in the HTTP "Authorization" header.
It does not matter what browser it is and how the browser implements the credential collection; the credentials will end up in the Authorization HTTP header.
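
The header that every browser ends up sending for BASIC, whatever its login dialog looks like, shown as an added Java example (not code from this thread or from the J2EE tutorial). The class name `BasicAuthHeader`, the sample user `duke` with its password, and the choice of UTF-8 are assumptions; the `Basic base64(user:password)` layout is the one defined in RFC 7617.

```java
import java.nio.charset.StandardCharsets;
import java.util.Base64;
import java.util.Optional;

public class BasicAuthHeader {   // hypothetical class name, for illustration only

    /** Decoded user-id/password pair from an Authorization header. */
    record Credentials(String user, String password) {}

    /**
     * Parses the value of "Authorization: Basic <base64(user:password)>".
     * Returns empty for any other scheme or for a malformed value.
     */
    static Optional<Credentials> parse(String headerValue) {
        if (headerValue == null) return Optional.empty();
        String[] parts = headerValue.trim().split("\\s+", 2);
        // The scheme name is matched case-insensitively.
        if (parts.length != 2 || !parts[0].equalsIgnoreCase("Basic")) return Optional.empty();
        byte[] raw;
        try {
            raw = Base64.getDecoder().decode(parts[1]);
        } catch (IllegalArgumentException e) {
            return Optional.empty();           // not valid Base64
        }
        // Assumption: credentials are UTF-8 text.
        String decoded = new String(raw, StandardCharsets.UTF_8);
        // Split on the FIRST colon only: a password may contain colons, a user-id may not.
        int colon = decoded.indexOf(':');
        if (colon < 0) return Optional.empty();
        return Optional.of(new Credentials(decoded.substring(0, colon), decoded.substring(colon + 1)));
    }

    public static void main(String[] args) {
        // Constructed sample: the header value for user "duke" with password "p:ss".
        String sent = "Basic " + Base64.getEncoder()
                .encodeToString("duke:p:ss".getBytes(StandardCharsets.UTF_8));
        System.out.println("Authorization: " + sent);
        // Base64 is an encoding, not encryption: decoding needs no key.
        System.out.println(parse(sent));
        System.out.println(parse("basic " + sent.substring(6)));   // lower-case scheme name
        System.out.println(parse("Digest username=\"duke\""));     // a different scheme
        System.out.println(parse("Basic !!!not-base64!!!"));       // invalid Base64
    }
}
```

Because the value decodes without any secret, a BASIC `<auth-method>` protects the password only when the connection itself is encrypted with TLS.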
 