HTTP AUTHENTICATION

Lalita Sahu · Published in NiXiS Institute · Mar 27, 2020 · 2 min read

“The four main types of authentication”

→ HTTP Basic Authentication

→ HTTP Digest Authentication

→ Form Based Authentication

→ HTTPS Client Authentication

HTTP Basic Authentication :- Basic authentication, which is based on a username and password, is the authentication mechanism defined in the HTTP/1.0 specification. Authentication does not have to reflect any particular security policy domain. Basic Authentication is not a secure authentication mechanism, as user passwords are sent in simple base64 ENCODING (NOT ENCRYPTED!).

The Basic Authentication
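To see what "encoding, not encryption" means on the wire, here is an added Python example (not from the original post): it builds a Basic Authorization header the way a client does, decodes a captured header back to the clear-text credentials, and shows the server-side check. The username `alice`, the password and the header value are constructed for this illustration.

```python
"""Added example (not from the original post): what an HTTP Basic
Authorization header carries. Credentials below are constructed."""
import base64
import hmac


def build_basic_header(username: str, password: str) -> str:
    """Client side: base64("user:pass") per RFC 7617. Encoding only, no secret involved."""
    token = base64.b64encode(f"{username}:{password}".encode("utf-8")).decode("ascii")
    return f"Basic {token}"


def decode_basic_header(header: str) -> tuple[str, str]:
    """Anyone who can read the header (a proxy, a capture of plain HTTP) gets the password back."""
    scheme, _, token = header.partition(" ")
    if scheme.lower() != "basic" or not token:
        raise ValueError("not a Basic Authorization header")
    decoded = base64.b64decode(token, validate=True).decode("utf-8")  # raises ValueError if malformed
    username, sep, password = decoded.partition(":")
    if not sep:
        raise ValueError("malformed credentials: missing ':' separator")
    return username, password


# Constructed credential store; a real server keeps a salted password hash, not the password.
USERS = {"alice": "s3cret"}


def verify_basic(header: str) -> bool:
    """Server side: decode the header and compare the password in constant time."""
    try:
        username, password = decode_basic_header(header)
    except ValueError:
        return False
    expected = USERS.get(username)
    if expected is None:
        return False
    return hmac.compare_digest(password.encode("utf-8"), expected.encode("utf-8"))


if __name__ == "__main__":
    hdr = build_basic_header("alice", "s3cret")
    print(hdr)                        # Basic YWxpY2U6czNjcmV0
    print(decode_basic_header(hdr))   # ('alice', 's3cret') recovered from the header alone
    print(verify_basic(hdr))          # True
```

The decode step is the whole point: nothing in the header is secret, so Basic is only as safe as the TLS connection underneath it.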

HTTP Digest Authentication :- HTTP Digest Authentication authenticates a user based on a username and a password. However, authentication is performed by transmitting the password in an ENCRYPTED form, which is much more SECURE than simple base64 encoding. The advantage of this method is that the clear-text password is protected in transmission: it cannot be determined from the digest that the client submits to the server.

The Digest Authentication
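The "digest" the client submits is an MD5 hash chain defined in RFC 2617, and the following added Python example (not from the original post) computes it on the client side, parses the resulting Authorization header, and verifies it on the server side from a stored H(A1) rather than the password. The username, realm, password, nonce and client nonce are the example values from RFC 2617 section 3.5; the server-side stores (`STORED_HA1`, `ISSUED_NONCES`) are constructed stand-ins.

```python
"""Added example (not from the original post): computing and verifying an HTTP Digest
response per RFC 2617 with qop="auth". Input values are the RFC 2617 section 3.5 example;
the server-side stores below are constructed stand-ins."""
import hashlib
import hmac
import re


def _md5(text: str) -> str:
    return hashlib.md5(text.encode("utf-8")).hexdigest()


def ha1(username: str, realm: str, password: str) -> str:
    """H(A1) = MD5(username:realm:password): the only step that touches the password.
    A server can store this value instead of the clear-text password."""
    return _md5(f"{username}:{realm}:{password}")


def digest_response(h_a1: str, method: str, uri: str, nonce: str, nc: str, cnonce: str) -> str:
    """response = MD5(H(A1):nonce:nc:cnonce:auth:H(A2)), with H(A2) = MD5(method:uri)."""
    h_a2 = _md5(f"{method}:{uri}")
    return _md5(f"{h_a1}:{nonce}:{nc}:{cnonce}:auth:{h_a2}")


def build_digest_header(username: str, realm: str, password: str, method: str, uri: str,
                        nonce: str, cnonce: str, nc: str = "00000001") -> str:
    """Client side: the Authorization header carries the digest, never the password."""
    response = digest_response(ha1(username, realm, password), method, uri, nonce, nc, cnonce)
    return (f'Digest username="{username}", realm="{realm}", nonce="{nonce}", uri="{uri}", '
            f'qop=auth, nc={nc}, cnonce="{cnonce}", response="{response}"')


_PAIR = re.compile(r'(\w+)=(?:"([^"]*)"|([^,\s]+))')


def parse_digest_header(header: str) -> dict:
    """Split 'Digest k="v", k2=v2, ...' into a dict (quoted and bare values both accepted)."""
    scheme, _, params = header.partition(" ")
    if scheme.lower() != "digest":
        raise ValueError("not a Digest Authorization header")
    return {key: quoted or bare for key, quoted, bare in _PAIR.findall(params)}


# Constructed server state: the realm, per-user H(A1), and the nonces this server has issued.
REALM = "testrealm@host.com"
STORED_HA1 = {"Mufasa": ha1("Mufasa", REALM, "Circle Of Life")}
ISSUED_NONCES = {"dcd98b7102dd2f0e8b11d0f600bfb0c093"}


def verify_digest(header: str, method: str) -> bool:
    """Server side: recompute the response from the stored H(A1) and compare in constant time.
    A nonce the server never issued is rejected; a real server also retires a nonce after use."""
    try:
        p = parse_digest_header(header)
    except ValueError:
        return False
    required = ("username", "realm", "nonce", "uri", "nc", "cnonce", "response")
    if any(k not in p for k in required) or p.get("qop", "auth") != "auth":
        return False
    if p["realm"] != REALM or p["nonce"] not in ISSUED_NONCES:
        return False
    stored = STORED_HA1.get(p["username"])
    if stored is None:
        return False
    expected = digest_response(stored, method, p["uri"], p["nonce"], p["nc"], p["cnonce"])
    return hmac.compare_digest(expected, p["response"])


if __name__ == "__main__":
    hdr = build_digest_header("Mufasa", REALM, "Circle Of Life", "GET", "/dir/index.html",
                              "dcd98b7102dd2f0e8b11d0f600bfb0c093", "0a4f113b")
    print(hdr)
    print("password visible in header:", "Circle Of Life" in hdr)  # False
    print("verified by server:", verify_digest(hdr, "GET"))          # True
```

Two things the code makes visible: the server-issued nonce ties the response to one challenge, which is what stops a captured header from being replayed at will, and the method and URI are hashed in, so a digest computed for one request does not verify for another. Digest still relies on MD5 and protects only the password, not the rest of the exchange, so in practice it is a legacy scheme and TLS does the real work.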

Form Based Authentication :- The form-based authentication mechanism allows a developer to CONTROL the look and feel of the login screens. The web application deployment descriptor contains entries for a login form and an error page. The login form contains fields for entering a username and a password. These fields must be named j_username and j_password, respectively.

The Form Based Authentication

HTTPS Client Authentication :- End user authentication using HTTPS (HTTP over SSL) is a strong authentication mechanism. This mechanism requires the user to possess a Public Key Certificate. Servlet containers that are not J2EE technology compliant are not required to support the HTTPS protocol. Client-Certificate authentication is a more secure method of authentication than either BASIC or FORM authentication. It uses HTTP over SSL, in which the server and, optionally, the client authenticate one another with Public Key Certificates.

The Strong Authentication (SSL)
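As an added example (not from the original post) of the deployment-descriptor entries the two servlet-container mechanisms above rely on, here is a `web.xml` fragment with the matching login page: FORM authentication with the spec-mandated `j_security_check` action and `j_username` / `j_password` fields, and the CLIENT-CERT alternative shown in a comment, since an application declares only one `login-config`. The URL pattern `/secure/*`, the role name `user` and the page paths `/login.html` and `/login-error.html` are assumptions chosen for the illustration.

```xml
<!-- web.xml fragment: protect /secure/* and require TLS for it, so the form
     does not post the password over plain HTTP -->
<security-constraint>
  <web-resource-collection>
    <web-resource-name>Protected area</web-resource-name>
    <url-pattern>/secure/*</url-pattern>
  </web-resource-collection>
  <auth-constraint>
    <role-name>user</role-name>
  </auth-constraint>
  <user-data-constraint>
    <transport-guarantee>CONFIDENTIAL</transport-guarantee>
  </user-data-constraint>
</security-constraint>

<!-- FORM authentication: the container serves these pages and handles
     the POST to j_security_check itself -->
<login-config>
  <auth-method>FORM</auth-method>
  <form-login-config>
    <form-login-page>/login.html</form-login-page>
    <form-error-page>/login-error.html</form-error-page>
  </form-login-config>
</login-config>

<!-- Alternative (one login-config per application): client-certificate
     authentication, where the container validates the client's certificate
     during the TLS handshake and maps it to a user
<login-config>
  <auth-method>CLIENT-CERT</auth-method>
</login-config>
-->

<security-role>
  <role-name>user</role-name>
</security-role>

<!-- login.html: the action and the two field names are fixed by the servlet
     specification; everything else about the page is the developer's choice -->
<form method="POST" action="j_security_check">
  <label>Username <input type="text" name="j_username" autocomplete="username" /></label>
  <label>Password <input type="password" name="j_password" autocomplete="current-password" /></label>
  <button type="submit">Log in</button>
</form>
```

The `CONFIDENTIAL` transport guarantee is the piece that matters for FORM: the form itself gives the container nothing more than a clear-text username and password in the POST body, so the constraint is what keeps that POST on HTTPS.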
