© Copyright Marcus Green 2007

Objective 3) Comparing authentication types

5.3) Compare and contrast the authentication types (BASIC, DIGEST, FORM, and CLIENT-CERT); describe how the type works; and given a scenario, select an appropriate type.

Declarative security

The JSP/Servlet specification supports declarative security via the deployment descriptor (web.xml). This means that instead of embedding security checks in the body of your servlets or JSPs via method calls, they can be defined within the XML tags of the deployment descriptor. The benefit of this is that it need only be done once for any number of JSPs and servlets, and it is less prone to error, as there is no chance of a programmer forgetting to put in the calls to the security system: the container enforces the constraint before any servlet code runs.

The Servlet specification defines four authentication methods. The method chosen is declared via the auth-method tag within the login-config tag of the deployment descriptor; which URLs are protected, and which roles may reach them, is declared separately in security-constraint tags. Whichever method is chosen, the container only challenges the browser when it requests a URL covered by a security-constraint.

BASIC authentication

The following code shows the login-config of a deployment descriptor defined to use BASIC authentication. The realm-name is the text the browser shows in its login dialog.

   <login-config>
       <auth-method>BASIC</auth-method>
       <realm-name>Basic Authentication Example</realm-name>
   </login-config>

Basic authentication is defined by the HTTP 1.1 specification (RFC 2617). When a browser attempts to access a protected resource, the server answers with a 401 status and a WWW-Authenticate: Basic header, and the browser prompts for a username and password. You will recognise this type of security from the generic (ugly) dialog that the browser produces automatically. The browser then joins the username and password with a colon, base64-encodes the result and sends it in the Authorization header of every subsequent request to that realm. This is the same type of security that can be implemented in the Apache web server via the .htaccess file. Although BASIC authentication is easy to implement it offers an absolute minimum of security: base64 is an encoding, not encryption, so anyone who can see the traffic (a proxy, or a sniffer on the network) can read the password directly. It is only acceptable when the whole conversation is carried over SSL.

BASIC authentication is easy to set up, but the dialog is ugly and the credentials are sent base64-encoded, not encrypted.

Digest authentication

The advantage of Digest over Basic authentication is that the password itself is never sent. Instead the browser sends an MD5 hash of the username, realm and password, combined with a nonce (a one-time value) issued by the server, so a passive observer cannot simply read the password out of the header as they can with BASIC. Unfortunately Digest is not widely used and J2EE containers are not required to support it. To limit its value even further it is not supported by all web browsers. According to a document from Apache.org:

"In particular, Opera 4.0 or later, Microsoft Internet Explorer 5.0 or later, Mozilla 1.0.1 and Netscape 7 or later as well as Amaya support digest authentication, while various other browsers do not."


Another strike against Digest is that although it does offer some encryption based security, the encryption is not considered particularly strong and so if you really want your data to be secure you need to use SSL.

Digest security is not considered strong, and Digest is not supported by all browsers or required of all containers.
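The two points above, that BASIC only base64-encodes the credentials and that Digest hashes rather than encrypts them, are easiest to see on the wire. The following Python program is an added example and is not code from the original page: it decodes a Basic Authorization header, computes the RFC 2617 Digest response in its simplest (no qop) form, and then recovers the password from a Digest header by a dictionary attack. Both headers, the realm, the nonce, the URI and the wordlist are constructed for the demonstration.

```python
"""Why BASIC is not encrypted and why Digest is only a hash.

Added example (not from the original page). The headers below are
constructed for the demonstration, not captured from a real system.
"""
import base64
import hashlib
import re

# --- BASIC: the credentials are only base64-encoded ---------------------

def decode_basic(header):
    """Recover the user name and password from a Basic Authorization header.
    base64 is a reversible encoding with no key, so anyone who sees the
    header (a proxy, a sniffer on the LAN) sees the password."""
    scheme, _, token = header.partition(" ")
    if scheme.lower() != "basic":
        raise ValueError("not a Basic Authorization header")
    user, _, password = base64.b64decode(token).decode("utf-8").partition(":")
    return user, password

# --- DIGEST: the password is hashed with MD5, not encrypted --------------

def md5hex(text):
    return hashlib.md5(text.encode("utf-8")).hexdigest()

def digest_response(username, realm, password, method, uri, nonce):
    """RFC 2617 request-digest in its simplest form (no qop parameter):
    MD5( MD5(user:realm:password) : nonce : MD5(method:uri) )"""
    ha1 = md5hex(f"{username}:{realm}:{password}")
    ha2 = md5hex(f"{method}:{uri}")
    return md5hex(f"{ha1}:{nonce}:{ha2}")

def parse_digest(header):
    """Split a Digest Authorization header into its name=value parameters
    (values may be quoted or bare)."""
    scheme, _, params = header.partition(" ")
    if scheme.lower() != "digest":
        raise ValueError("not a Digest Authorization header")
    pairs = re.findall(r'(\w+)=(?:"([^"]*)"|([^,\s]+))', params)
    return {name: quoted or bare for name, quoted, bare in pairs}

def crack_digest(header, method, wordlist):
    """Offline dictionary attack on a captured Digest header: everything
    except the password is in the header, so each guess costs three MD5s.
    Returns the password if it is in the wordlist, otherwise None."""
    p = parse_digest(header)
    for guess in wordlist:
        if digest_response(p["username"], p["realm"], guess,
                           method, p["uri"], p["nonce"]) == p["response"]:
            return guess
    return None

# Constructed sample traffic: user 'alice', password 's3cret'.
BASIC_HEADER = "Basic " + base64.b64encode(b"alice:s3cret").decode("ascii")
REALM = "Digest Authentication Example"
NONCE = "dcd98b7102dd2f0e8b11d0f600bfb0c093"      # constructed server nonce
URI = "/secure/index.html"
DIGEST_HEADER = ('Digest username="alice", realm="%s", nonce="%s", uri="%s", '
                 'response="%s"' % (REALM, NONCE, URI,
                 digest_response("alice", REALM, "s3cret", "GET", URI, NONCE)))

if __name__ == "__main__":
    print("Basic header decodes to:", decode_basic(BASIC_HEADER))
    print("Digest password recovered by dictionary attack:",
          crack_digest(DIGEST_HEADER, "GET", ["password", "letmein", "s3cret"]))
```

Run on its own the program prints the recovered Basic credentials and then the password recovered from the Digest header. The point of the second half is that Digest stops a sniffer from reading the password outright but not from guessing it, and it does nothing for the protected content, which is why both methods should sit behind SSL in practice.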

FORM authentication (SRV.12.5.3)

FORM based authentication is very similar to BASIC authentication and thus brings most of the same disadvantages: the username and password are posted in clear text in the body of the request, so it is no more secure than BASIC unless the login page is served and submitted over SSL. On the upside it is easy to set up, is supported by all browsers and, most importantly, it allows you to create your own customised look and feel for the login form. This is a big improvement on the rather ugly system generated dialog that is displayed with BASIC authentication.

To use FORM authentication the form must post to an action called j_security_check (relative to the web application, not to the server root), and the username and password fields must be named j_username and j_password. The container intercepts the post to j_security_check itself; no servlet of yours handles it. The following code illustrates an absolute minimal version of the form required.

<form method="post" action="j_security_check">
    Username: <input type="text" name="j_username">
    Password: <input type="password" name="j_password">
    <input type="submit" value="Login">
</form>

When configuring the deployment descriptor for FORM based authentication, the name of the login form and of the page shown after a failed login are configured under the <form-login-config> tags. The following shows how this can be done (the page names are illustrative; any two pages in the web application will do).

        <login-config>
            <auth-method>FORM</auth-method>
            <realm-name>FORM Authentication Example</realm-name>
            <form-login-config>
                <form-login-page>/login.jsp</form-login-page>
                <form-error-page>/loginerror.jsp</form-error-page>
            </form-login-config>
        </login-config>

Form authentication allows better looking login forms than BASIC, but the credentials still travel in clear unless SSL is used.

CLIENT-CERT authentication

CLIENT-CERT authentication uses HTTPS (HTTP secure), which is HTTP carried over SSL (Secure Sockets Layer). SSL uses public-key cryptography to authenticate the parties and agree a session key, and then encrypts all the data sent over the connection with a symmetric cipher, ensuring its privacy. With CLIENT-CERT the browser must also present its own X.509 certificate during the SSL handshake, and the container maps the identity in that certificate to a user in its realm; no username or password is typed at all. Although this system requires explicit support from the browser, every mainstream browser includes this support. Most browsers show an icon to indicate that the current connection is using SSL; in MS Internet Explorer this is a small padlock and with Firefox/Mozilla it is an image of a padlock. The cost is that every user must be issued a certificate, and those certificates must be distributed, installed, renewed and revoked.

CLIENT-CERT authentication has good security, but it is complex to implement and maintain because every user needs a certificate.

Other sources

Java Servlet Authentication by David Geary

The IETF RFC on Basic and Digest authentication (RFC 2617)

Apache on authentication

Description of HTTPS

This objective according to Mikalai Zaikin