Authenticating the User

A Java web container typically supports four methods of authentication, described in the servlet specification: HTTP basic authentication, HTTP digest authentication, HTTPS client authentication, and form-based authentication.

HTTP basic authentication is a simple and not very secure authentication scheme that I’m sure you’ve encountered. When a browser requests access to a protected resource, the server sends back a response asking for the user’s credentials (username and password). The browser prompts the user for this information and sends the same request again, but this time with the credentials in one of the request headers so the server can authenticate the user. The username and password are not encrypted, only slightly obfuscated by the well-known base64 encoding; the encoding is easily reversed by anyone who captures the header as it passes over the network. Security can be improved by using an encrypted connection between the client and the server, such as the Secure Sockets Layer (SSL) protocol.

HTTP digest authentication is a slightly more secure method introduced in HTTP/1.1. As with basic authentication, the server sends a response to the browser when it receives a request for a protected resource. But with the response, it also sends a string called a nonce. The nonce is a unique string generated by the server, typically composed of a timestamp, information about the requested resource, and a server identifier. The browser creates an MD5 checksum, also ...
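The two exchanges described above, written out as an added example in Python rather than in the book's Java servlet code, so it can be run on its own. Both sides of each scheme are shown: the server's challenge, the client's second request, and the server's check. The realm, the credential store (`USERS`), the single-use nonce bookkeeping and the request URI are constructed for the example; the digest checksum follows the RFC 2617 form without the `qop` extension, and the nonce is a random value rather than the timestamp/resource/server composite the text describes.

```python
import base64
import hashlib
import hmac
import secrets

REALM = "Protected Area"  # constructed realm name for the example

# Constructed credential store: username -> password. A real container would
# keep a salted hash (or, for digest, the HA1 value), not the cleartext password.
USERS = {"alice": "s3cret"}


def basic_challenge():
    """Header the server adds to its 401 response for a protected resource."""
    return {"WWW-Authenticate": f'Basic realm="{REALM}"'}


def decode_basic(authorization):
    """Recover the credentials from an 'Authorization: Basic ...' header.

    base64 is an encoding, not encryption: anyone who sees this header on an
    unencrypted connection can do exactly this.
    """
    scheme, _, token = authorization.partition(" ")
    if scheme.lower() != "basic":
        raise ValueError("not a Basic credential")
    raw = base64.b64decode(token.strip()).decode("utf-8")
    username, _, password = raw.partition(":")
    return username, password


def authenticate_basic(authorization):
    """Server side: decode the header and check the credentials."""
    try:
        username, password = decode_basic(authorization)
    except (ValueError, UnicodeDecodeError):
        return False
    expected = USERS.get(username)
    return expected is not None and hmac.compare_digest(expected, password)


def _md5(s):
    return hashlib.md5(s.encode("utf-8")).hexdigest()


def digest_challenge():
    """Server side: issue a fresh, unpredictable nonce with the 401 response."""
    nonce = secrets.token_hex(16)
    return nonce, {"WWW-Authenticate": f'Digest realm="{REALM}", nonce="{nonce}"'}


def digest_response(username, password, method, uri, nonce):
    """Client side: the MD5 checksum sent in place of the password (RFC 2617, no qop)."""
    ha1 = _md5(f"{username}:{REALM}:{password}")
    ha2 = _md5(f"{method}:{uri}")
    return _md5(f"{ha1}:{nonce}:{ha2}")


def authenticate_digest(username, method, uri, nonce, response, issued_nonces):
    """Server side: recompute the checksum from the stored password and compare.

    The nonce must be one this server issued and not yet consumed (constructed
    single-use policy), so a captured response cannot simply be replayed.
    """
    if nonce not in issued_nonces:
        return False
    password = USERS.get(username)
    if password is None:
        return False
    expected = digest_response(username, password, method, uri, nonce)
    ok = hmac.compare_digest(expected, response)
    if ok:
        issued_nonces.discard(nonce)
    return ok


if __name__ == "__main__":
    # Basic: the browser's second request carries base64("alice:s3cret").
    hdr = "Basic " + base64.b64encode(b"alice:s3cret").decode()
    print(decode_basic(hdr))        # the credentials fall straight out
    print(authenticate_basic(hdr))  # True

    # Digest: challenge, client checksum, server check; a replay of the same
    # response with the same nonce is refused.
    nonce, _ = digest_challenge()
    issued = {nonce}
    resp = digest_response("alice", "s3cret", "GET", "/secure/page.jsf", nonce)
    print(authenticate_digest("alice", "GET", "/secure/page.jsf", nonce, resp, issued))  # True
    print(authenticate_digest("alice", "GET", "/secure/page.jsf", nonce, resp, issued))  # False
```

The contrast the example makes is the one the text draws: with basic authentication the server (and any eavesdropper) gets the password itself back out of the header, whereas with digest authentication the server only ever sees a checksum bound to a nonce it chose, and a nonce it did not issue, or has already accepted, is rejected.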
