About Form based authentication vs Basic authentication

Himai Minh
Ranch Hand

Joined: Jul 29, 2012
Posts: 758
In EPractice Lab, there is a question: "Which of the following values of the <auth-method> element will rely on browser-specific login mechanisms?"
a. Basic
b. Form
c. Kerberos
d. Client-cert
e. server-cert
f. digest

I believe the answer should be b. Form. According to the J2EE tutorial:

Specifying HTTP basic authentication requires that the server request a user name and password from the web client and verify that the user name and password are valid by comparing them against a database of authorized users in the specified or default realm.



Form-based authentication allows the developer to control the look and feel of the login authentication screens by customizing the login screen and error pages that an HTTP browser presents to the end user. When form-based authentication is declared, the following actions occur.


But the given answer is a. Basic.
Steve Luke
Bartender

Joined: Jan 28, 2003
Posts: 4181
    

Form based authentication requires the developer to create a form. The developer, and not the browser, is responsible for naming the fields, determining what it looks like, how it gets sent to the server, etc... So I wouldn't say that is browser-specific at all. Basic authentication, however, doesn't require (or let) the developer to create a form. The username and password are collected by the browser itself - this could be via a modal dialog, a pop-up window, saved credentials, or some other means. In any case the implementation is out of the web app developer's hands and in the hands of the browser - each browser will likely do it slightly differently and have different looks/methods of getting the input (and perhaps may not support it?). So since this form of authentication relies on what the browser does, not HTML or other code the web developer produces, and because it is possible to change from one browser to another, it is a browser-specific mechanism.


Steve
Himai Minh
Ranch Hand

Joined: Jul 29, 2012
Posts: 758
Thanks for your clarification.
So, when username and password are collected from a browser, they are encoded and put in the HTTP's "Authorization" header.
It does not matter what browser it is and how the browser implements the credential collection, the credentials will end up in the Authorization HTTP header.
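What ends up in the Authorization header under BASIC, as an added example that is not part of the original thread or any poster's code: the browser-side encoding and a server-side parse with the malformed cases handled. The class name, the record (Java 16+) and the sample credentials are constructed for illustration.

```java
import java.nio.charset.StandardCharsets;
import java.util.Base64;

public class BasicAuthHeader {

    /** Decoded user-id and password from an "Authorization: Basic ..." value. */
    record Credentials(String user, String password) {}

    /** Builds the header value the way a browser does after its own login prompt. */
    static String encode(String user, String password) {
        byte[] raw = (user + ":" + password).getBytes(StandardCharsets.UTF_8);
        return "Basic " + Base64.getEncoder().encodeToString(raw);
    }

    /** Server-side parse; returns null for anything that is not well-formed Basic. */
    static Credentials parse(String headerValue) {
        if (headerValue == null) return null;
        String[] parts = headerValue.trim().split("\\s+", 2);
        // The scheme name is matched case-insensitively.
        if (parts.length != 2 || !parts[0].equalsIgnoreCase("Basic")) return null;
        byte[] raw;
        try {
            raw = Base64.getDecoder().decode(parts[1]);
        } catch (IllegalArgumentException e) {
            return null; // token is not valid Base64
        }
        String pair = new String(raw, StandardCharsets.UTF_8);
        // Split at the FIRST colon only: the password may itself contain colons.
        int colon = pair.indexOf(':');
        if (colon < 0) return null;
        return new Credentials(pair.substring(0, colon), pair.substring(colon + 1));
    }

    public static void main(String[] args) {
        // Constructed sample credentials; the password deliberately contains a colon.
        String header = encode("duke", "s3cr:et");
        System.out.println("Authorization: " + header);
        System.out.println(parse(header));                         // well-formed
        System.out.println(parse("basic " + header.substring(6))); // lower-case scheme
        System.out.println(parse("Basic !!!not-base64!!!"));       // malformed token
        System.out.println(parse("Bearer abc.def.ghi"));           // different scheme
    }
}
```

The decode step needs no key: Base64 is an encoding, not encryption, so the header protects the password only when the request travels over TLS.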
 