authentication mechanism in mini-browsers

 
Ranch Hand
Posts: 163
Test Question 39

Online music sales company Flash and Sizzle, Inc. is planning to develop several Internet applications that will be accessed by the new handheld mobile devices they have just released. These devices have tight security requirements in their mini-browsers with locked down policies and certs.
For these devices, which authentication mechanism is most secure? (Choose one)

A. HTTP Basic
B. Form Based
C. HTTP Digest
D. HTTPS Client

Source: SAI

What's your take?
 
Creator of Enthuware JWS+ V6
Posts: 3411
Hi Parth,

The first three options are amongst the four possible authentication ways (Basic, Form, Digest, Client Cert), so I would choose Digest where the username and password are encrypted.

HTTPS is about having a secure layer between the client and server; on that layer you can even use basic authentication....

Regards,
Frits
 
Parth Twari
Ranch Hand
Posts: 163
Hi Frits,

Your answer was right according to SAI, but the explanation was not the same.

I had marked the answer as D as I read the line

These devices have tight security requirements in their mini-browsers with locked down policies and certs.




SAI says


Java Servlet Specification, Version 2.4 (SRV.12.5)

Option A is incorrect because the user's credentials are sent in a simple base64 encoding in a request header.

Option B is incorrect because the user's credentials are sent in plain text in the request body or query string.

Option C is correct because the user's credentials are sent in a digest that is a stronger encoding than base64.

Option D is incorrect because this authentication mechanism requires the "user" to have a public key authentication. The devices will not allow them to add the SSL certs.



So what do you think?
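
The difference between options A and C in the SAI explanation above, as an added example that is not part of the original thread: a Basic header decodes straight back to the password, while a Digest response (RFC 2617, qop=auth) is an MD5 value bound to the server's nonce. The sample credentials are the worked examples from RFC 7617 and RFC 2617; the function names and the replacement nonce are constructed for illustration.

```python
import base64
import hashlib
import hmac


def basic_header(user, password):
    """HTTP Basic: base64("user:password"). An encoding, not a hash."""
    token = base64.b64encode(f"{user}:{password}".encode()).decode()
    return "Basic " + token


def decode_basic(header):
    """Anyone who can read the header gets the password back."""
    raw = base64.b64decode(header.split(" ", 1)[1]).decode()
    user, _, password = raw.partition(":")
    return user, password


def _md5(text):
    return hashlib.md5(text.encode()).hexdigest()


def ha1(user, realm, password):
    """The only password-derived value the server has to store."""
    return _md5(f"{user}:{realm}:{password}")


def digest_response(ha1_hex, method, uri, nonce, nc, cnonce):
    """HTTP Digest (RFC 2617, qop=auth) value sent in place of the password."""
    ha2 = _md5(f"{method}:{uri}")
    return _md5(f"{ha1_hex}:{nonce}:{nc}:{cnonce}:auth:{ha2}")


def server_accepts(received, ha1_hex, method, uri, nonce, nc, cnonce):
    """Server recomputes the response for the nonce it issued and compares."""
    expected = digest_response(ha1_hex, method, uri, nonce, nc, cnonce)
    return hmac.compare_digest(received, expected)


if __name__ == "__main__":
    # Sample values are the worked examples from RFC 7617 and RFC 2617.
    hdr = basic_header("Aladdin", "open sesame")
    print(hdr, "->", decode_basic(hdr))
    h = ha1("Mufasa", "testrealm@host.com", "Circle Of Life")
    nonce = "dcd98b7102dd2f0e8b11d0f600bfb0c093"
    args = ("GET", "/dir/index.html", nonce, "00000001", "0a4f113b")
    resp = digest_response(h, *args)
    print("digest response:", resp, server_accepts(resp, h, *args))
    # Constructed fresh nonce: the previously captured response no longer verifies.
    print(server_accepts(resp, h, "GET", "/dir/index.html", "constructed-new-nonce", "00000001", "0a4f113b"))
```

Digest keeps the password itself off the wire but does not encrypt the request or the response; that remains the job of the HTTPS layer mentioned earlier in the thread.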

 
Frits Walraven
Creator of Enthuware JWS+ V6
Posts: 3411
Ok, I looked it up: HTTPS Client means Client Cert authentication (I didn't know that) which uses HTTP over SSL.

Then it makes sense given that Client Cert doesn't work because of the given phrase

devices have tight security requirements in their mini-browsers with locked down policies and certs.



Regards,
Frits
 
Parth Twari
Ranch Hand
Posts: 163
So by this

devices have tight security requirements in their mini-browsers with locked down policies and certs.



they mean that the devices' certs are locked and they cannot accept any new ones.

Ok.. thanks..



 