✅ Short Answer:
In servlets, there are four standard authentication methods, defined by the Servlet Specification and configured in web.xml or via annotations.
| Method | Description |
|---|---|
| 1. Basic Authentication | Simple login popup from the browser (username/password sent base64-encoded). |
| 2. Digest Authentication | Like Basic, but the browser sends a hash of the credentials instead of the password itself (more secure than Basic). |
| 3. Form-Based Authentication | Custom HTML login form and error pages. |
| 4. Client Certificate Authentication | Authentication using SSL certificates instead of username/password. |
✅ Let's look at each method in more detail:
1. Basic Authentication
- Server responds with 401 Unauthorized plus a WWW-Authenticate header.
- Browser shows a built-in popup asking for username and password.
- Credentials are sent Base64-encoded (⚠️ encoded, not encrypted; anyone on the path can read them unless HTTPS is used).
web.xml setup:
```xml
<login-config>
    <auth-method>BASIC</auth-method>
    <realm-name>MyRealm</realm-name>
</login-config>
```
Result: Browser displays a native username/password popup.
✅ Simple, but ⚠️ unsafe unless used over HTTPS.
2. Digest Authentication
- Works like Basic Authentication, but the browser sends a hash of the credentials (computed with a server-supplied nonce) rather than the password itself.
- More secure because the password is not directly exposed to someone who intercepts the network traffic.
web.xml setup:
```xml
<login-config>
    <auth-method>DIGEST</auth-method>
    <realm-name>MyRealm</realm-name>
</login-config>
```
✅ Safer than Basic.
⚠️ HTTPS is still recommended for full protection (only the credentials are hashed; the rest of the traffic is readable, and HTTPS also helps prevent replay attacks).
3. Form-Based Authentication
- You design your own login HTML page (fully customizable look and feel).
- The container handles the credential check behind the scenes.
- If login fails, the container redirects to your custom error page.
web.xml setup:
```xml
<login-config>
    <auth-method>FORM</auth-method>
    <form-login-config>
        <form-login-page>/login.html</form-login-page>
        <form-error-page>/login-error.html</form-error-page>
    </form-login-config>
</login-config>
```
✅ Flexible (you control UI).
✅ Works well for modern websites.
⚠️ Still needs HTTPS to protect form submission.
4. Client Certificate Authentication
- The client (browser) presents a digital certificate instead of entering username/password.
- The server verifies the client's certificate during the mutual TLS (mTLS) handshake.
web.xml setup:
```xml
<login-config>
    <auth-method>CLIENT-CERT</auth-method>
</login-config>
```
✅ Very secure.
✅ Used in financial services, B2B apps.
⚠️ Complex setup (client certificates must be installed on the user’s machine).
✅ Also: Programmatic Authentication (Servlet 3.0+)
Since Servlet 3.0, you can trigger login programmatically from your servlet:
```java
// Validates the credentials against the configured realm;
// throws ServletException if they are rejected.
request.login(username, password);
```
And to log the user out:
```java
// Clears the authenticated identity for the current request.
request.logout();
```
✅ More control for developers.
✅ Useful for custom login pages, APIs, etc.
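As an added example (not code from the original answer), a login servlet and a logout servlet built on request.login() and request.logout(). It assumes the javax.servlet Servlet 3.1 API, the /do-login, /do-logout and /home paths, the class names, and that the realm that checks the credentials is configured elsewhere in the container.

```java
import java.io.IOException;
import javax.servlet.ServletException;
import javax.servlet.annotation.WebServlet;
import javax.servlet.http.HttpServlet;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;
import javax.servlet.http.HttpSession;

// Hypothetical login endpoint; the realm that checks the credentials is configured elsewhere.
@WebServlet("/do-login")
public class ProgrammaticLoginServlet extends HttpServlet {
    @Override
    protected void doPost(HttpServletRequest req, HttpServletResponse resp)
            throws IOException {
        if (!req.isSecure()) {  // never accept a password over plain HTTP
            resp.sendError(HttpServletResponse.SC_FORBIDDEN, "HTTPS required");
            return;
        }
        String username = req.getParameter("username");
        String password = req.getParameter("password");
        if (username == null || password == null) {
            resp.sendError(HttpServletResponse.SC_BAD_REQUEST);
            return;
        }
        try {
            // Throws on bad credentials or if a caller identity already exists.
            req.login(username, password);
        } catch (ServletException e) {
            // One generic error page for unknown user and wrong password alike.
            resp.sendRedirect(req.getContextPath() + "/login-error.html");
            return;
        }
        // Servlet 3.1+: rotate the session id after login to defeat session fixation.
        req.getSession(true);   // changeSessionId() needs an existing session
        req.changeSessionId();
        resp.sendRedirect(req.getContextPath() + "/home");
    }
}
// Hypothetical logout endpoint: clear the caller identity and the session.
@WebServlet("/do-logout")
class ProgrammaticLogoutServlet extends HttpServlet {
    @Override
    protected void doPost(HttpServletRequest req, HttpServletResponse resp)
            throws ServletException, IOException {
        req.logout();   // drops the authenticated principal for this request
        HttpSession session = req.getSession(false);
        if (session != null) session.invalidate();  // drops server-side state
        resp.sendRedirect(req.getContextPath() + "/login.html");
    }
}
```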
🔥 Quick Table to Remember:
| Method | User Experience | Security | Use Case |
|---|---|---|---|
| Basic | Browser popup | Low (needs HTTPS) | Simple intranet apps |
| Digest | Browser popup (hashed) | Medium (better than Basic) | Legacy secured apps |
| Form | Custom login page | Good (with HTTPS) | Modern websites |
| Client Certificate | Certificate prompt | Very high | B2B, banking, secure APIs |
✨ Visual Overview:
```text
Client → [Basic]       Username/Password in popup → Server
Client → [Digest]      Hashed Username/Password   → Server
Client → [Form]        Custom Form Submit         → Server
Client → [Client Cert] Sends Certificate          → Server
```
✅ Bonus Tip:
- Always use HTTPS no matter which method you choose.
- You can combine Form-Based Authentication with programmatic login/logout for flexible, professional systems.
✅ Final Quick Summary:
| Feature | Recommendation |
|---|---|
| Easiest to set up | Basic (for very small apps) |
| Best for nice UI | Form-Based |
| Strongest security | Client Certificate |
| Most control | Programmatic login/logout |