JavaRanch » Java Forums » Certification » Web Component Certification (SCWCD/OCPJWCD)
authentication mechanism in mini-browsers

Parth Twari
Ranch Hand

Joined: Jan 20, 2010
Posts: 163
Test Question 39

Online music sales company Flash and Sizzle, Inc. is planning to develop several Internet applications that will be accessed by the new handheld mobile devices they have just released. These devices have tight security requirements in their mini-browsers with locked down policies and certs.
For these devices, which authentication mechanism is most secure? (Choose one)

A. HTTP Basic
B. Form Based
C. HTTP Digest
D. HTTPS Client

Source: SAI

What's your take?


Parth Tiwari
| Pursuing Bachelor of Engineering | OSUM Club Leader | SCJP 6 | SCWCD 5 |...
Frits Walraven
Creator of Enthuware JWS+ V6
Bartender

Joined: Apr 07, 2010
Posts: 1687

Hi Parth,

The first three options are amongst the four possible authentication ways (Basic, Form, Digest, Client Cert), so I would choose Digest where the username and password are encrypted.

HTTPS is about having a secure layer between the client and server; on that layer you can even use basic authentication...

Regards,
Frits
Parth Twari
Ranch Hand

Joined: Jan 20, 2010
Posts: 163
Hi Frits,

Your answer was right according to SAI, but the explanation was not the same.

I had marked the answer as D as I read the line
These devices have tight security requirements in their mini-browsers with locked down policies and certs.

SAI says

Java Servlet Specification, Version 2.4 (SRV.12.5)

Option A is incorrect because the user's credentials are sent in a simple base64 encoding in a request header.

Option B is incorrect because the user's credentials are sent in plain text in the request body or query string.

Option C is correct because the user's credentials are sent in a digest that is a stronger encoding than base64.

Option D is incorrect because this authentication mechanism requires the "user" to have a public key authentication. The devices will not allow them to add the SSL certs.

So what do you think?
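To make the SAI reasoning for options A and C concrete, here is an added Python example (not from the thread or the SAI material) that builds the Basic header and an RFC 2617 Digest response for constructed sample credentials, realm and nonces, and verifies the Digest value the way a server would from a stored HA1 rather than the password.

```python
import base64
import hashlib
import hmac

# Constructed sample values for the demonstration (not from the thread).
REALM = "flash-and-sizzle"
NONCE = "5c1e9f0a2b"      # constructed server nonce
CNONCE = "7d3a"           # constructed client nonce
METHOD, URI = "GET", "/catalog/albums"


def basic_header(username: str, password: str) -> str:
    """Authorization header that HTTP Basic sends: base64 of 'user:password'."""
    token = base64.b64encode(f"{username}:{password}".encode()).decode()
    return f"Basic {token}"


def basic_header_reveals(header: str) -> str:
    """Base64 is an encoding, not protection: the original 'user:password'
    comes straight back out, which is why Basic depends on TLS underneath."""
    return base64.b64decode(header.split(" ", 1)[1]).decode()


def _md5(s: str) -> str:
    return hashlib.md5(s.encode()).hexdigest()


def digest_ha1(username: str, realm: str, password: str) -> str:
    """HA1 = MD5(user:realm:password); the server stores this, never the password."""
    return _md5(f"{username}:{realm}:{password}")


def digest_response(ha1: str, nonce: str, cnonce: str, method: str, uri: str,
                    nc: str = "00000001", qop: str = "auth") -> str:
    """RFC 2617 Digest with qop=auth: MD5(HA1:nonce:nc:cnonce:qop:HA2),
    where HA2 = MD5(method:uri). The password never appears in the header
    and the server nonce ties the value to one challenge."""
    ha2 = _md5(f"{method}:{uri}")
    return _md5(f"{ha1}:{nonce}:{nc}:{cnonce}:{qop}:{ha2}")


def server_accepts(stored_ha1: str, nonce: str, cnonce: str, method: str,
                   uri: str, presented: str) -> bool:
    """Server-side check: recompute from the stored HA1 and compare in constant time."""
    expected = digest_response(stored_ha1, nonce, cnonce, method, uri)
    return hmac.compare_digest(expected, presented)


if __name__ == "__main__":
    print(basic_header_reveals(basic_header("alice", "s3cret")))
    ha1 = digest_ha1("alice", REALM, "s3cret")
    print(server_accepts(ha1, NONCE, CNONCE, METHOD, URI,
                         digest_response(ha1, NONCE, CNONCE, METHOD, URI)))
```

Digest keeps the password off the wire and binds each response to a server nonce, but an MD5 response captured on an unencrypted link can still be guessed offline against weak passwords, so Frits's point about the secure layer still applies: any of these methods is expected to run over HTTPS in practice.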

Frits Walraven
Creator of Enthuware JWS+ V6
Bartender

Joined: Apr 07, 2010
Posts: 1687

Ok, I looked it up: HTTPS Client means Client Cert authentication (I didn't know that) which uses HTTP over SSL.

Then it makes sense given that Client Cert doesn't work because of the given phrase
devices have tight security requirements in their mini-browsers with locked down policies and certs.

Regards,
Frits
Parth Twari
Ranch Hand

Joined: Jan 20, 2010
Posts: 163
So by this
devices have tight security requirements in their mini-browsers with locked down policies and certs.

they mean that devices certs are locked and they cannot accept any new ones.

Ok.. thanks..