Granny's Programming Pearls
"inside of every large program is a small program struggling to get out"
JavaRanch.com/granny.jsp
The moose likes Web Component Certification (SCWCD/OCPJWCD) and the fly likes Form based authentication Big Moose Saloon
  Search | Java FAQ | Recent Topics | Flagged Topics | Hot Topics | Zero Replies
Register / Login


Win a copy of OCA/OCP Java SE 7 Programmer I & II Study Guide this week in the OCPJP forum!
JavaRanch » Java Forums » Certification » Web Component Certification (SCWCD/OCPJWCD)
Bookmark "Form based authentication" Watch "Form based authentication" New topic
Author

Form based authentication

shankar valiinaykam
Greenhorn

Joined: Jan 21, 2005
Posts: 23
Hi,

P-700; Q-1 says Form based authentication is recommended only if cookies or SSL session tracking is enabled. Why is it like this, when URL rewriting is there to save us?

In security roles, i find one combination missing. If two security constraints are there for same resource as "*" and nobody <auth-constraint/> then who rules? Is it "everybody" or "nobody"?
My guess is : Nobody. Somebody, plz confirm.

Thanks,
Shankar
shankar valiinaykam
Greenhorn

Joined: Jan 21, 2005
Posts: 23
Oooops!!! I wanted to write P-667 and Q-9.
Daniel Spaethe
Greenhorn

Joined: Dec 06, 2003
Posts: 15
From my understanding, the reason they indicate that form based authentication should only be used wihen SSL session tracking is enabled is that out of the 4 types, BASIC, CLIENT-CERT, DIGEST and FORM, FORM is the least secure. The other 3 types provide at least some type of encryption.


As for your other qustion, an empty <auth-constraint/> tag will combine with anything else and will allow "nobody".

Dan


SCJP 5.0<br />SCJP 1.4<br />SCWCD 1.4<br />SCBCD 1.3
Daniel Spaethe
Greenhorn

Joined: Dec 06, 2003
Posts: 15
Sorry, meant to say that the FORM is the least secure of all:
BASIC - is encoded, but not encrypted. base 64
DIGEST - not widley used.. but more secure than BASIC
CLIENT-CERT - clients need a certificate on their side.
FROM - least secure of all 4
 
I agree. Here's the link: http://aspose.com/file-tools
 
subject: Form based authentication