The Workshop is designed to help you review what you have learned and help you further increase your understanding of the material covered in this hour.
What is BASIC authentication?
What is the difference between the FORM and BASIC authentication methods?
Which authentication method is most suitable for protecting sensitive information?
BASIC authentication is a simple authentication method that is built into HTTP. When a client requests a protected resource, the server challenges the client by asking for an identifier and password using a standard HTTP response code (401 with a WWW-Authenticate header). The client then returns the credentials Base64-encoded, not encrypted, in an Authorization header, so BASIC is only useful for the most basic security unless the connection itself is protected.
FORM-based authentication allows the container to participate in authentication and authorization. The container serves an application-supplied login form to the client, which is used to submit an identifier and password. Once a client is authenticated, the application can obtain information about the client, such as its name and the roles it holds. In this way, FORM authentication is more useful than BASIC authentication.
DIGEST will do a reasonable job of protecting a user's password, because a hash rather than the password itself is sent. Using CLIENT-CERT will provide the best guarantee that a client is who it claims to be. By themselves, neither will protect the data, since that is a function of the user-data-constraint element. To ensure that data exchanged between a client and an application is secure, you should use a user-data-constraint element whose transport-guarantee subelement has the value CONFIDENTIAL.
Modify the last practice activity from Hour 20 to use FORM-based authentication and to check security roles programmatically.
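The following is an added example, not the practice activity from Hour 20 or the book's own code, showing the pieces the activity asks for: a security-constraint with a CONFIDENTIAL transport guarantee, a FORM login-config, and a servlet that checks roles programmatically with isUserInRole(). The role names (employee, manager), URL patterns, servlet name and login page names are assumptions chosen for illustration; the deployment descriptor entries the container needs are shown in the leading comment.

```java
// Added example (not the book's practice activity). Role names, URL patterns,
// servlet name and login page names are assumptions.
//
// Matching web.xml entries the container needs for this servlet:
//
//   <servlet>
//     <servlet-name>report</servlet-name>
//     <servlet-class>ReportServlet</servlet-class>
//   </servlet>
//   <servlet-mapping>
//     <servlet-name>report</servlet-name>
//     <url-pattern>/reports/summary</url-pattern>
//   </servlet-mapping>
//
//   <security-constraint>
//     <web-resource-collection>
//       <web-resource-name>Reports</web-resource-name>
//       <url-pattern>/reports/*</url-pattern>
//     </web-resource-collection>
//     <auth-constraint>
//       <role-name>employee</role-name>
//       <role-name>manager</role-name>
//     </auth-constraint>
//     <user-data-constraint>
//       <transport-guarantee>CONFIDENTIAL</transport-guarantee>
//     </user-data-constraint>
//   </security-constraint>
//
//   <login-config>
//     <auth-method>FORM</auth-method>
//     <form-login-config>
//       <form-login-page>/login.html</form-login-page>
//       <form-error-page>/login-error.html</form-error-page>
//     </form-login-config>
//   </login-config>
//
//   <security-role><role-name>employee</role-name></security-role>
//   <security-role><role-name>manager</role-name></security-role>
//
// login.html must POST to j_security_check with fields j_username and j_password.

import java.io.IOException;
import java.io.PrintWriter;
import javax.servlet.ServletException;
import javax.servlet.http.HttpServlet;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;

public class ReportServlet extends HttpServlet {

    @Override
    protected void doGet(HttpServletRequest request, HttpServletResponse response)
            throws ServletException, IOException {

        // The container enforces the auth-constraint and the CONFIDENTIAL
        // transport guarantee before doGet() runs. The checks below are
        // defence in depth and let the servlet tailor output to the caller.
        if (!request.isSecure()) {
            // Only reachable if the security-constraint does not cover this URL.
            response.sendError(HttpServletResponse.SC_FORBIDDEN, "HTTPS required");
            return;
        }
        String user = request.getRemoteUser();
        if (user == null) {
            // No authenticated principal: the constraint was misconfigured.
            response.sendError(HttpServletResponse.SC_UNAUTHORIZED);
            return;
        }

        // Programmatic role check. isUserInRole() consults the roles the
        // container resolved at login (after any security-role-ref mapping).
        // Decide before writing anything so sendError() can still be used.
        String detail;
        if (request.isUserInRole("manager")) {
            detail = "Full report: all departments";
        } else if (request.isUserInRole("employee")) {
            detail = "Summary report: your department only";
        } else {
            response.sendError(HttpServletResponse.SC_FORBIDDEN, "No reporting role");
            return;
        }

        response.setContentType("text/plain");
        PrintWriter out = response.getWriter();
        out.println("Authenticated via " + request.getAuthType() + " as " + user);
        out.println(detail);
    }
}
```

Because the container already rejects unauthenticated and unauthorized requests to /reports/*, the role checks inside the servlet are used to vary what an authorized user sees rather than to grant access; keeping the descriptor's auth-constraint as the primary gate means a forgotten check in code does not expose the resource.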