The HTTP Basic Authentication Trust Association Interceptor

The HTTP Basic Authentication Trust Association Interceptor (TAI) can be used to authenticate incoming requests using the HTTP Basic Authentication Protocol described in RFC 2617. This can be useful for clients that are not capable of doing HTTP form-based authentication.

In general, HTTP Basic Authentication has the following two main disadvantages compared to HTTP Form based authentication:

• With HTTP Basic Authentication, the Web client sends the user ID and password information used for authentication with each individual request to the IBM WebSphere Application Server. This typically requires using transport layer security (SSL) for the complete portal related network traffic. Otherwise the user password is exposed on the network. Compared to this, when we use HTTP form based authentication, it can be sufficient that we use the transport layer security to cover only the user login flow.

• With HTTP Basic authentication the Web client sends the user credentials with each request, therefore, users cannot log out from the portal except by completely closing the Web client.

  For example, if a user logs out of the portal and leave the browser open, another user might be able to access pages that the first user visited previously.

If the HTTP Basic Authentication TAI is enabled, it decides on every incoming request whether it is responsible for the authentication on that request or not. This decision is based on black and white lists for the requested URL and the client's user agent. The TAI is responsible only if none of the patterns in the black lists match and at least one of the patterns in one of the white lists match. If the TAI is configured with empty white lists, it will never authenticate a request.

If the TAI decides to authenticate the request and that request contains an authorization header containing a user ID and password, the TAI tries to log on wito that credential. If no user ID and password is provided, the TAI will challenge the client according to RFC 2617.

Parent: Enable HTTP Basic Authentication for simple clients
Related:
HTTP Basic Authentication Trust Association Interceptor in combination with external authentication servers
Related:
Configure the HTTP Basic Authentication Trust Association Interceptor
Reference: Properties for the Trust Association Interceptor
Enable the HTTP Basic Authentication Trust Association Interceptor
Related:

RFC 2617