
JavaServer Faces by Hans Bergsten


Authenticating the User

A Java web container typically supports four methods of authentication, described in the servlet specification: HTTP basic authentication, HTTP digest authentication, HTTPS client authentication, and form-based authentication.

HTTP basic authentication is a simple and not very secure authentication scheme that I’m sure you’ve encountered. When a browser requests access to a protected resource, the server sends back a response asking for the user’s credentials (username and password). The browser prompts the user for this information and sends the same request again, but this time with the credentials in one of the request headers so the server can authenticate the user. The username and password are not encrypted, only encoded with the well-known base64 scheme, which anyone who captures the header as it passes over the network can reverse in an instant. The browser also keeps resending the same header with every later request for that realm, so a single captured request is as good as the password itself, and there is no way to "log out" other than closing the browser. Security can be improved by using an encrypted connection between the client and the server, such as the Secure Sockets Layer (SSL) protocol, or its successor TLS.

HTTP digest authentication is a slightly more secure method introduced in HTTP/1.1. As with basic authentication, the server sends a response to the browser when it receives a request for a protected resource. But with the response, it also sends a string called a nonce. The nonce is a unique string generated by the server, typically composed of a timestamp, information about the requested resource, and a server identifier. The browser creates an MD5 checksum, also ...
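Both exchanges described above, basic and digest, as an added Python example that is not code from the book (the book's own examples are Java). The realm name, the user table, the secret key and the nonce layout (a timestamp plus an HMAC over it, rather than the timestamp-plus-resource layout the text mentions) are constructed for this illustration; the digest computation itself follows RFC 2617 with qop="auth". The example shows why a captured Basic header is equivalent to the password, and what a server has to check on the Digest side (nonce origin, nonce age, replay of a nonce count) beyond just recomputing the MD5 checksum.

```python
"""Basic and Digest HTTP authentication, both sides of the exchange.

Added example; not code from the book. REALM, USERS, SERVER_KEY and the
"timestamp:HMAC" nonce layout are constructed for this illustration.
The Digest arithmetic follows RFC 2617 with qop="auth".
"""
import base64
import hashlib
import hmac
import secrets
import time

REALM = "example"                       # constructed realm name
USERS = {"alice": "s3cret"}             # constructed credential store
SERVER_KEY = secrets.token_bytes(32)    # per-process secret used to sign nonces
_seen_nc = {}                           # nonce -> set of nc values already accepted


# ---- HTTP Basic ---------------------------------------------------------

def basic_challenge():
    """Server: the 401 response that makes the browser ask for credentials."""
    return {"status": 401, "WWW-Authenticate": f'Basic realm="{REALM}"'}


def basic_authorization_header(user, password):
    """Browser: repeat the request with user:password base64-encoded."""
    token = base64.b64encode(f"{user}:{password}".encode()).decode()
    return f"Basic {token}"


def basic_recover_credentials(header):
    """What anyone who captures the header can do: undo the base64 encoding."""
    scheme, _, token = header.partition(" ")
    if scheme != "Basic":
        raise ValueError("not a Basic authorization header")
    user, _, password = base64.b64decode(token).decode().partition(":")
    return user, password


def basic_verify(header):
    """Server: decode, then compare in constant time so a wrong guess cannot
    be timed character by character."""
    user, password = basic_recover_credentials(header)
    expected = USERS.get(user)
    if expected is None:
        return False
    return hmac.compare_digest(expected.encode(), password.encode())


# ---- HTTP Digest (RFC 2617, qop="auth") ---------------------------------

def _md5(text):
    return hashlib.md5(text.encode()).hexdigest()


def _nonce_mac(timestamp):
    return hmac.new(SERVER_KEY, timestamp.encode(), hashlib.sha256).hexdigest()


def digest_challenge():
    """Server: issue a nonce it can later recognize as its own and judge for age."""
    timestamp = str(int(time.time()))
    nonce = f"{timestamp}:{_nonce_mac(timestamp)}"
    header = f'Digest realm="{REALM}", qop="auth", nonce="{nonce}"'
    return {"status": 401, "WWW-Authenticate": header, "nonce": nonce}


def digest_response(user, password, method, uri, nonce, nc="00000001", cnonce=None):
    """Browser: the password never leaves the client, only MD5 digests over it."""
    cnonce = cnonce or secrets.token_hex(8)
    ha1 = _md5(f"{user}:{REALM}:{password}")
    ha2 = _md5(f"{method}:{uri}")
    response = _md5(f"{ha1}:{nonce}:{nc}:{cnonce}:auth:{ha2}")
    return {"username": user, "realm": REALM, "nonce": nonce, "uri": uri,
            "qop": "auth", "nc": nc, "cnonce": cnonce, "response": response}


def digest_verify(params, method, max_age=300):
    """Server: check the nonce is ours and fresh, recompute the digest from the
    stored password, and refuse a replayed (nonce, nc) pair."""
    timestamp, _, mac = params["nonce"].partition(":")
    if not timestamp.isdigit() or not hmac.compare_digest(mac, _nonce_mac(timestamp)):
        return False
    if time.time() - int(timestamp) > max_age or params.get("qop") != "auth":
        return False
    if params["nc"] in _seen_nc.get(params["nonce"], set()):
        return False
    password = USERS.get(params["username"])
    if password is None:
        return False
    ha1 = _md5(f"{params['username']}:{REALM}:{password}")
    ha2 = _md5(f"{method}:{params['uri']}")
    expected = _md5(f"{ha1}:{params['nonce']}:{params['nc']}:{params['cnonce']}:auth:{ha2}")
    if not hmac.compare_digest(expected, params["response"]):
        return False
    _seen_nc.setdefault(params["nonce"], set()).add(params["nc"])
    return True


if __name__ == "__main__":
    hdr = basic_authorization_header("alice", "s3cret")
    print(hdr, "->", basic_recover_credentials(hdr))
    nonce = digest_challenge()["nonce"]
    params = digest_response("alice", "s3cret", "GET", "/secure/", nonce)
    print("digest ok:", digest_verify(params, "GET"), "replay:", digest_verify(params, "GET"))
```

Two caveats a practitioner would add: Digest keeps the password off the wire but does nothing for the rest of the request or response, and it forces the server to hold either the cleartext password or the unsalted MD5 of user:realm:password, which is itself a poor password store. In practice an encrypted connection plus form-based authentication covers both concerns and is the combination most deployments end up with.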
