Why avoid HTTP Authentication?

awhitford Jun 4, 2007 7:52 PM

From 12.4.7. HTTP Authentication, the Seam docs say:

Although not recommended for use unless absolutely necessary, Seam provides means for authenticating using
either HTTP Basic or HTTP Digest (RFC 2617) methods.

Can someone elaborate on why HTTP authentication is meant to be avoided?

1. Re: Why avoid HTTP Authentication?

modoc Jun 4, 2007 8:07 PM (in response to awhitford)

The lack of logoff ability (short of closing the browser) is one issue. You also have to pass the auth headers with each request, instead of having auth linked to a session (is this true with jboss? I don't know for sure.)

And for customer/user facing applications, having a login form integrated within your design is usually preferable.

Those are my thoughts at any rate...
Actions
2. Re: Why avoid HTTP Authentication?

hstang Jun 4, 2007 8:18 PM (in response to awhitford)

Here's a resource on this topic.

http://pdf.moreservlets.com/More-Servlets-and-JSP-Chapter-07.pdf
Actions

Go to original post