Question 10 of final exam:
You have determined that certain capabilities in your web application will require that users be registered members. In addition, your web application sometimes deals with users' data that your users want you to keep confidential.
Which are true?
Option B. Of the various types of authentication guaranteed by a Java EE container, only BASIC, Digest, and Form Based are implemented by matching a user name to a password.
Option C. No matter what type of Java EE authentication mechanism you use, it will only be activated when an otherwise constrained resource is requested.
The correct answer provided is C.
But I think the correct answer is B instead.
Reason:
1. Basic, Digest and Form authentications are implemented by a username/password.
With Digest, username/password are used and the password is hashed according to section 13.6.2.
With HTTPS client authentication, the client presents a certificate to the server.
So, I think option B is correct as it says "only Basic, Digest and Form based are implemented by matching a username to a password."
2. "No matter what type of Java EE authentication mechanism you use, it will only be activated when an otherwise constrained resource is requested."
I think the authentication mechanism is activated when the usernames/passwords are specified in a vendor-specific deployment descriptor, such as tomcat-users.xml.
The authorization mechanism is activated when security constraints are specified in web.xml.