Basic Authentication Forms

Started by thiruvasagamani, Aug 21, 2008, 04:35 PM


thiruvasagamani


Basic Authentication

The following topic explains how to secure a web resource using basic authentication.

Basic authentication involves a two-part challenge to candidate users. (1) Basic authentication requires users to provide a valid username/password pair before they can access a web resource. (2) It also requires that users have been granted the appropriate role membership before they can access the resource. The web resource can be any web-accessible component, such as a web application, web service, or an individual JSP page.

When a user requests a web resource protected by basic authentication, the user is first redirected to a login window where he enters his username and password. If he fails to provide a valid username and password, he is denied access to the resource. If he provides a valid username/password pair, he graduates to the second (role-based) challenge. If the user has not been granted the required role, he is denied access to the resource (even though he provided a valid username and password). If he has been granted the required role, he is granted access to the resource.

In basic authentication, the browser provides the login window and it cannot be customized. If you require a customizable login page use Form Authentication.

Note: you should not use basic authentication (or form authentication) to secure individual JSP pages or action methods within a page flow directory. After collecting a username and password, basic authentication redirects the user to the requested resource. But redirection into a page flow directory always fails, because the page flow's begin() action method is always invoked when a new user enters the page flow. However, it is appropriate to secure an entire page flow directory using basic or form authentication.

To secure a web resource using basic authentication, you must complete the following steps:

1. Specify the web resources to be protected
2. Specify the roles that can access the web resource
3. Specify basic authentication as the method of protection
4. Declare the security roles referenced in step 2
5. Assign security roles to principals (groups and individual users)
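The five steps above carried through in deployment descriptors, as an added example that is not part of the original post: steps 1 to 4 live in the standard web.xml, while step 5 is container-specific and is assumed here to be a WebLogic weblogic.xml (page flows are a WebLogic Workshop feature); the URL pattern, role name, realm name and principal names are constructed for illustration.

```xml
<!-- web.xml: constructed example, not from the original post -->
<web-app>

  <!-- Step 1: the resources to protect. No <http-method> elements are listed
       on purpose: listing only some verbs leaves the unlisted ones unprotected. -->
  <security-constraint>
    <web-resource-collection>
      <web-resource-name>OrdersPageFlow</web-resource-name>
      <url-pattern>/orders/*</url-pattern>
    </web-resource-collection>

    <!-- Step 2: only members of this role pass the second (role-based) challenge -->
    <auth-constraint>
      <role-name>order_manager</role-name>
    </auth-constraint>

    <!-- Basic authentication sends the username/password pair base64-encoded,
         not encrypted, so require TLS for the protected resource -->
    <user-data-constraint>
      <transport-guarantee>CONFIDENTIAL</transport-guarantee>
    </user-data-constraint>
  </security-constraint>

  <!-- Step 3: the browser supplies the (non-customizable) login window;
       realm-name is the only text you control in that prompt -->
  <login-config>
    <auth-method>BASIC</auth-method>
    <realm-name>Orders</realm-name>
  </login-config>

  <!-- Step 4: declare every role referenced in an auth-constraint -->
  <security-role>
    <role-name>order_manager</role-name>
  </security-role>
</web-app>

<!-- weblogic.xml (assumed container descriptor): step 5, map the declared
     role to principals, here a group and an individual user -->
<weblogic-web-app>
  <security-role-assignment>
    <role-name>order_manager</role-name>
    <principal-name>OrderManagers</principal-name>
    <principal-name>alice</principal-name>
  </security-role-assignment>
</weblogic-web-app>
```

A user who fails step 1 receives a 401 with a fresh login prompt; a user who authenticates but is not a principal mapped to order_manager fails the role check and receives a 403, which is the distinction between the two challenges described above.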

Thiruvasakamani Karnan