Thursday, September 24, 2009

Another Reason Why People Don't Really Use HTTP Basic Authentication

If you are using WLS behind a Web SSO solution and you are authenticating users with BASIC AUTH, and the resources are not protected in WLS

or doing your own programmatic authentication from inside a servlet/JSP

then you need to pay attention to the enforce-valid-basic-auth setting for WLS. In version 9.2. or later, the default behavior is to attempt to validate basic credentials that the browser is sending, even if the resource is unprotected.

As an alternative, give your end-users a decent experience and give them an HTML form.

1 comment:

  1. Another reason people don't really use Basic auth is because it's truly evil. That's a judgement call, but I think it's accurate.

    When you use Basic auth your credentials fly over the wire on every request and browsers are fairly promiscuous about the URLs on the server they'll send them to without prompting. By contrast HTML forms give the developer or administrator control over the places credentials might get posted.

    There's a whole 'nother argument that can be made about Basic auth and laziness on the part of administrators, but I'll leave that for another post.


Note: Only a member of this blog may post a comment.