Thursday, August 19, 2010

HTTP Authentication

In the context of an HTTP transaction, when you try to access a protected web resource, the web container activates the authentication mechanism that has been configured for that resource.
You can specify the following authentication mechanisms:

* HTTP basic authentication
* Form-based login authentication
* Client certificate authentication
* Mutual authentication
* Digest authentication

HTTP basic authentication:
As the name implies, it is the simplest method of authentication and for a long time was the most common authentication method used.

Hope this is useful! Enjoy!


With basic authentication, the following steps occur:

1. A client will request to access a protected resource.
2. The web server responds with an authentication challenge, which the browser presents to the user as a dialog box requesting the user name and password.
3. The client submits the user name and password to the server.
4. The server validates the credentials in the specified realm and, if successful, returns the requested protected resource.

HTTP basic authentication is not particularly secure. Basic authentication sends user names and passwords over the Internet as text that is base64-encoded but not encrypted, so anyone who can observe the request can recover them.
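The four steps above, as an added Python example that is not code from the original post: the server's 401 challenge, the client's base64 Authorization header, and the server-side check; the decoder also shows why base64 alone gives no confidentiality. The user store and realm are constructed for the example.

```python
import base64
import hmac
from typing import Optional, Tuple

# Constructed credential store for the example: user name -> password
USERS = {"alice": "s3cret"}
REALM = "example"


def build_challenge(realm: str = REALM) -> dict:
    """Step 2: the server answers with 401 and a WWW-Authenticate header;
    the browser turns this header into the user name/password dialog."""
    return {"status": 401, "WWW-Authenticate": f'Basic realm="{realm}"'}


def build_authorization(user: str, password: str) -> str:
    """Step 3: the client joins 'user:password' and base64-encodes it."""
    token = base64.b64encode(f"{user}:{password}".encode("utf-8")).decode("ascii")
    return f"Basic {token}"


def decode_authorization(header: str) -> Optional[Tuple[str, str]]:
    """Anyone who sees the header can reverse it: base64 is encoding, not
    encryption. Returns (user, password), or None if the header is malformed."""
    scheme, _, token = header.partition(" ")
    if scheme.lower() != "basic" or not token:
        return None
    try:
        raw = base64.b64decode(token, validate=True).decode("utf-8")
    except (ValueError, UnicodeDecodeError):
        return None
    user, sep, password = raw.partition(":")
    if not sep:
        return None
    return user, password


def authenticate(header: str) -> bool:
    """Step 4: the server validates the credentials in its realm, comparing
    in constant time so response timing does not leak partial matches."""
    creds = decode_authorization(header)
    if creds is None:
        return False
    user, password = creds
    expected = USERS.get(user)
    if expected is None:
        return False
    return hmac.compare_digest(password.encode("utf-8"), expected.encode("utf-8"))
```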


Form-based login authentication:
Form-based authentication works like basic authentication, except that you specify a login page that is displayed instead of a dialog and an error page that's displayed if login fails. Also form-based authentication allows you to control the look and feel of the login page.

With form-based authentication, the following steps occur:

1. A client will request to access a protected resource.
2. If the client is unauthenticated, the server redirects the client to a login page.
3. The client submits the login form to the server.
4. The server attempts to authenticate the user.
   a. If the authentication succeeds, the authenticated user's principal is checked to ensure it is in a role that is authorized to access the resource. If the user is authorized, the server redirects the client to the resource using the stored URL path.
   b. If authentication fails, the client is forwarded or redirected to an error page.

Like basic authentication, form-based authentication is not secure because passwords are transmitted as clear text.

Client certificate authentication:
HTTPS Client Authentication requires the client to possess a Public Key Certificate (PKC). If you specify client authentication, the web server will authenticate the client using the client’s public key certificate.

HTTPS Client Authentication is a more secure method of authentication than either basic or form-based authentication. It uses HTTP over SSL (HTTPS), in which the server authenticates the client using the client’s Public Key Certificate (PKC). Secure Sockets Layer (SSL) technology provides data encryption, server authentication, message integrity, and optional client authentication for a TCP/IP connection. You can think of a public key certificate as the digital equivalent of a passport. It is issued by a trusted organization, which is called a certificate authority (CA), and provides identification for the bearer.


Mutual authentication:
The server and the client authenticate each other in mutual authentication. There are two types of mutual authentication:

1. Certificate-based mutual authentication
2. User name-password-based mutual authentication

In certificate-based mutual authentication, the following steps occur:

1. A client requests access to a protected resource.
2. The web server presents its certificate to the client.
3. The client verifies the server's certificate.
4. If successful, the client sends its certificate to the server.
5. The server verifies the client's credentials.
6. If successful, the server grants access to the protected resource requested by the client.

In user name-password-based mutual authentication, the following steps occur:

1. A client requests access to a protected resource.
2. The web server presents its certificate to the client.
3. The client verifies the server's certificate.
4. If successful, the client sends its user name and password to the server, which verifies the client's credentials.
5. If the verification is successful, the server grants access to the protected resource requested by the client.


Digest authentication:
HTTP digest authentication is like HTTP basic authentication: it authenticates a user based on a user name and a password. However, the client transmits a one-way digest computed from the password and a server-supplied nonce rather than the password itself, which is much more secure than the simple base64 encoding used by basic authentication.

With digest-based authentication, the following steps occur:

1. A client will request to access a protected resource.
2. The web server responds with a challenge containing a nonce, which the browser presents to the user as a dialog box requesting the user name and password.
3. The client submits the user name together with a digest computed from the password and the challenge.
4. The server recomputes the digest from the credentials stored for the specified realm and, if it matches, returns the requested protected resource.
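The exchange above as an added Python example (not code from the original post), following RFC 2617 with qop=auth: the nonce-bearing challenge, the client's digest computed from the password, and the server's recomputation with single-use nonces. The user store, realm and nonce bookkeeping are assumptions made for the example.

```python
import hashlib
import hmac
import secrets

# Constructed credential store for the example: user name -> password
USERS = {"alice": "s3cret"}
REALM = "example"
ISSUED_NONCES = set()  # nonces the server handed out and has not yet seen used

def md5_hex(s: str) -> str:
    # MD5 is what RFC 2617 Digest specifies; shown to illustrate the protocol only.
    return hashlib.md5(s.encode("utf-8")).hexdigest()

def build_challenge(realm: str = REALM) -> dict:
    """Step 2: the 401 challenge carries a fresh nonce tied to this exchange."""
    nonce = secrets.token_hex(16)
    ISSUED_NONCES.add(nonce)
    return {"realm": realm, "nonce": nonce, "qop": "auth"}

def digest_response(user, password, realm, method, uri, nonce, nc, cnonce, qop="auth"):
    """Step 3: MD5(HA1:nonce:nc:cnonce:qop:HA2) with HA1 = MD5(user:realm:password)
    and HA2 = MD5(method:uri); the password itself never leaves the client."""
    ha1 = md5_hex(f"{user}:{realm}:{password}")
    ha2 = md5_hex(f"{method}:{uri}")
    return md5_hex(f"{ha1}:{nonce}:{nc}:{cnonce}:{qop}:{ha2}")

def client_authorization(user, password, challenge, method, uri):
    # The fields the client places in its Authorization: Digest header.
    nc, cnonce = "00000001", secrets.token_hex(8)
    resp = digest_response(user, password, challenge["realm"], method, uri,
                           challenge["nonce"], nc, cnonce, challenge["qop"])
    return {"username": user, "realm": challenge["realm"], "nonce": challenge["nonce"],
            "uri": uri, "qop": challenge["qop"], "nc": nc, "cnonce": cnonce,
            "response": resp}

def verify(auth: dict, method: str) -> bool:
    """Step 4: the server recomputes the digest from its stored password and compares
    in constant time; a nonce it never issued or already consumed is rejected (replay)."""
    if auth.get("nonce") not in ISSUED_NONCES:
        return False
    password = USERS.get(auth.get("username"))
    if password is None:
        return False
    expected = digest_response(auth["username"], password, auth["realm"], method,
                               auth["uri"], auth["nonce"], auth["nc"], auth["cnonce"], auth["qop"])
    ok = hmac.compare_digest(expected, auth["response"])
    if ok:
        ISSUED_NONCES.discard(auth["nonce"])  # single use
    return ok
```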
