JBridge

JBridge: Certification Question Of The Day

Question for Thursday May 29th 2003
Identify the false statements about authentication in the following list. (2 correct answers).

A There are four types of authentication which can be configured in the web-deployment descriptor.
B FORM-based authentication is always more secure than BASIC authentication.
C CLIENT-CERT authentication is always more secure than DIGEST authentication.
D DIGEST authentication is always more secure than BASIC authentication.
E The CONFIDENTIAL authentication type is specified in the <transport-guarantee> element of the deployment descriptor.

The Answer

Statements B and E are false, and therefore the correct answers.
Regarding E, authentication type is configured in the <auth-method> element. <transport-guarantee> has to do with using SSL to encrypt all traffic between client and server, and CONFIDENTIAL is a valid value - it's just not a type of authentication.
B is a more contentious false statement. If FORM-based authentication is used without SSL, then the user and password values are passed in plain text across the network. BASIC authentication at least puts in place some rudimentary encryption for these values. So there are circumstances when BASIC authentication, weak as it is, is more secure than FORM authentication.
There are indeed four types of authentication (BASIC, DIGEST, FORM and CLIENT-CERT), and it's true that BASIC is less secure than DIGEST, which in turn is less secure than CLIENT-CERT. This covers the "true" statements.


Copyright © 2003 David Bridgewater. All rights reserved.