Workshop
The Workshop is designed to help you review what you have learned and help you further increase your understanding of the material covered in this hour.
Quiz
1: What is BASIC authentication?
2: What is the difference between the FORM and BASIC authentication methods?
3: Which authentication method is most suitable for protecting sensitive information?
Answers
A1: BASIC authentication is a simple authentication method that is built into HTTP. When a client requests a resource, the server challenges the client by asking for an identifier and password using a standard HTTP response code. It's only useful for the most basic security.
A2: FORM-based authentication allows the container to participate in authentication and authorization. The container serves a form to the client that is used to submit an identifier and password. Once a client is authenticated, the application can obtain information about the client such as its role. In this way, FORM authentication is more useful than BASIC authentication.
A3: DIGEST will do a reasonable job protecting a user's password. Using CLIENT-CERT will provide the best guarantee that a client is who he claims to be. By themselves, neither will protect the data, since that is a function of the user-data-constraint element. To ensure that data exchanged between a client and an application is secure, you should use user-data-constraint with a transport-guarantee attribute value of CONFIDENTIAL.
Activity
Modify the last practice activity from Hour 20 to use FORM-based authentication and to check security roles programmatically.
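The declarative side of the activity, and of answers A2 and A3, as an added example that is not the book's own listing from Hour 20: a web.xml fragment that switches the login method to FORM and pairs the role check with a CONFIDENTIAL transport guarantee. The role name "manager", the /secure/* URL pattern and the login/error page names are assumptions.

```xml
<!-- web.xml fragment (Servlet 2.3 element order). Added illustration, not the
     book's listing; role name, URL pattern and page names are assumptions. -->
<web-app>

  <security-constraint>
    <web-resource-collection>
      <web-resource-name>Protected area</web-resource-name>
      <url-pattern>/secure/*</url-pattern>
      <!-- No http-method elements: the constraint then covers every method.
           Listing only GET and POST would leave the other methods unprotected. -->
    </web-resource-collection>
    <!-- Authorization: only authenticated clients in this role reach /secure/* -->
    <auth-constraint>
      <role-name>manager</role-name>
    </auth-constraint>
    <!-- Data protection is separate from authentication (A3): CONFIDENTIAL makes
         the container require an encrypted channel (HTTPS) for matching requests. -->
    <user-data-constraint>
      <transport-guarantee>CONFIDENTIAL</transport-guarantee>
    </user-data-constraint>
  </security-constraint>

  <!-- FORM login (A2): the container serves login.jsp. That page must POST to
       j_security_check with fields named j_username and j_password. -->
  <login-config>
    <auth-method>FORM</auth-method>
    <form-login-config>
      <form-login-page>/login.jsp</form-login-page>
      <form-error-page>/loginError.jsp</form-error-page>
    </form-login-config>
  </login-config>

  <!-- Declares the role so the container can map it to the realm's users or groups -->
  <security-role>
    <role-name>manager</role-name>
  </security-role>

</web-app>
```

The programmatic part of the activity then happens in the servlet, after the container has authenticated the client: HttpServletRequest.getRemoteUser() returns the identifier and isUserInRole("manager") answers the role check.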