Basic Authentication and Form based Authentication

What are Basic Authentication and Form Based Authentication? And Kerberos Single sign-on

 Basic authentication and Form based authentication allow a user to authentication to a server via a browser. Both these authentication mechanisms use the HTTP/HTTPS protocols with HTTPS being the secure channel. Basic authentication is formally defined in an RFC (there is no RFC for Form based authentication). Both authentication mechanisms will allow a remote user to authenticate to a server. However, Basic authentication does not use cookies, hence there is no concept of a session or loggin out a user. Form based authentication are implemented via HTML forms which have username and password fields for a user to enter and send over to the remote server for authentication. Form based authentication use cookies for session management so user logout can be controlled.

 Another popular browser based authentication is via Kerberos Single Sign-on which allows a user to login to trusted website seamlessly via single sign on. In order to enable or use Kerberos browser based authentication, kerberos authentication must be enabled at the remote server and the user on his client computer must be authenticated to Active Directory via kerberos authentication with a valid Kerberos Ticket Granting Ticket (TGT). In addition the browser on the user's client computer should be configured to support kerberos authentication, i.e Integrated Windows authentication should be enabled in the Internet Explorer (IE) browser settings. (Note: Both IE, chrome support kerberos SSO).

 With IE browser, a user can authenticate to the remote web server seamlessly with single sign on, meaning the user will not be challenged to enter his credentials. The browser with negotiate and provide the required credentials using the user's kerberos TGT, provided the user has already authenticated to the Active Directory with a valid TGT ticket and the browser settings have been configured/enabled.

 Note: When implementing kerberos based authentication in your network with IE browser, you may need to also implement a fall back mechanism when users do not use IE browser or a browser that does not support kerberos. In that case the fall back mechanism of Form based authentication can be used.

Here is a reference which explains the difference between Basic and Form based authentication
QUESTION
What is the difference between "basic authentication" and "form-based authentication"?
ANSWER
Basic authentication, or “basic auth” is formally defined in the Hypertext Transfer Protocol standard, RFC 1954. When a client (your browser) connects to a web server, it sends a “WWW-Authenticate: Basic” message in the HTTP header. Shortly after that, it sends your login credentials to the server using a mild obfuscation technique called base64 encoding. When HTTPS is used, these credentials are protected, so it’s not considered insecure, which is why basic auth gained widespread use over the years. The biggest problem with basic auth has to do with the logging off the server, as most browsers tend to cache sessions and have inconsistently dealt with the need to properly close and clear connection states (or sessions) so that another (different) user couldn’t log back in by refreshing the browser.
Form-based authentication is not formalized by any RFC. In essence, it is a programmatic method of authentication that developers create to mitigate the downside of basic auth. Most implementations of form-based authentication share the following characteristics:
1) They don’t use the formal HTTP authentication techniques (basic or digest).
2) They use the standard HTML form fields to pass the username and password values to the server.
3) The server validates the credentials and then creates a “session” that is tied to a unique key that is passed between the client and server on each http put and get request.
4) When the user clicks “log off” or the server logs the user off (for example after certain idle time), the server will invalidate the session key, which makes any subsequent communication between the client and server require re-validation (resubmission of login credentials via the form) in order to establish a new session key.
As with basic auth, form-based auth does not protect login credentials when connected over HTTP, therefore it is not more “secure” than basic auth in how it handles user credentials. It is however more secure when it comes to properly logging the user off after a certain period of inactivity or if the user no longer requires use of the system and decides to log out.
For details of basic auth and form-based auth in EFT Server, refer to End-User Log In to EFT Server.
-----------------------------------------------------------------------


Great post and basics   http://fusionsecurity.blogspot.com/2011/04/oam-11g-single-sign-on-and-oam-11g.html
Identity propagation flow in OAM, and OSB  http://fusionsecurity.blogspot.com/2010/03/identity-propagation-in-flow-involving.html google search   (what is difference between basic authentication and form based authentication)
--------------------------


Comments

Post a Comment

Popular posts from this blog

VMware fix for Invalid manifest and ova file import failed errors

Image
Recently we got a OVA file for a virtual machine. The vendor instructions were to import the ova file in vmware Workstation, Player for Windows/Linux, Fusion for Mac, and VirtualBox as well.  The instructions were to take the available package and launch the VM with VMware workstation. The package contained  Module.mf, Module.ovf and Module-disk.vmdk and a Module.ova file. The .mf and .ovf file were 2 KB each whereas the vmdk was several gigs. The package also contained a Module.ova file which was several gigs as well. OVF           Open Virtualization Format MF             Manifest file VMDK       Virtual Machine Disk OVA           Open Virtualization Appliance The ovf file is a xml file that contains metadata for the ovf package The mf file contains the SHA1 hash codes of all files in the package The vmdk file is the disk image of the virtual machine,  VMware Workstation or VirtualBox. (vmdk format was originally developed by VMware and is an open format now). All of
Read more

SOAPUI - import certificate

Image
Note: SoapUI has two versions, one is open source and second Professional version. The open source can be download here . (confirmed link 12/19/2018). SSL Handshake issue:   There is an Issue in SoapUI version 5.3.0 (and 5.2.0 version) with SSL handshake error. It was resolved by updating below in vmoptions file ( refer here ). However, the error that shows up while trying to load wsdl is "Error loading WSDL" as below The fix is to Enable TLS 1.2 protocol for SOAP/REST calls in SoapUI, by ammending the vmoptions file to add the directive for TLS as (-Dsoapui.https.protocols=TLSv1.2). Refer here . Update: Version 5.5.0 does not have this issue. If you are on 5.3.0 better upgrade to 5.5.0 which is available now (Feb 2019). I had above issue as well as another issue reaching to https endpoint. Upgrade to 5.5.0 resolved issue. Select "Check for updates" under the Help menu and you will get option for upgrade. Select upgrade current version and accept all defaul
Read more

Centrally Managed Users (CMU) - New Feature in Oracle Database 18c

Image
Centrally Managed Users (CMU) Centrally Managed Users or CMU is a new feature introduced since Oracle DB 18c which allows simplified database user management through integration with Microsoft Active Directory (AD). Beginning with Oracle Database release 18c, version 18.1 and later supports direct integration with Microsoft Active Directory (AD) using the new centrally managed users capability. CMU allows the Oracle database to perform user authentication and authorization directly against AD. Benefits of CMU With centrally managed users, users accessing the database can be centrally managed to improve an organization's security posture. An enterprise user (a user in Microsoft Active Directory) can be exclusively mapped to a database account, or many enterprise users (in an Microsoft Active Directory group) can be mapped to a shared account in the database. Microsoft Active Directory groups can also be mapped to a database global role, which provides users with additional privilege
Read more