[jboss-jira] [JBoss JIRA] (WFLY-1408) Basic Authentication does not mention SSL

floyd floyd (JIRA) jira-events at lists.jboss.org
Wed May 29 02:52:54 EDT 2013


     [ https://issues.jboss.org/browse/WFLY-1408?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel ]

floyd floyd updated WFLY-1408:
------------------------------

    Description: 
In the following documentation Basic Authentication is suggested. I have two comments:

- The documentation should clearly state that SSL (so HTTPS) should be used when using Basic Authentication or Digest Authentication. Usernames and passwords will be sent in cleartext in every single HTTP request to the server if SSL is not used, which is clearly a big security issue.
- The documentation should suggest Digest authentication rather than Basic authentication.

https://docs.jboss.org/author/display/WFLY8/WS-Security#WS-Security-Authenticationandauthorization

The same problem exists for the AS7 documentation:

https://docs.jboss.org/author/display/AS7/Developer+Guide#DeveloperGuide-ConfigureSecurityforBasicAuthentication

  was:
In the following documentation Basic Authentication is suggested. I have two comments:

- The documentation should clearly state that SSL (so HTTPS) should be used when using Basic Authentication or Digest Authentication. Usernames and passwords will be sent in cleartext in every single HTTP request to the server if SSL is not used, which is clearly a big security issue.
- The documentation should suggest Digest authentication rather than Basic authentication.



    
> Basic Authentication does not mention SSL
> -----------------------------------------
>
>                 Key: WFLY-1408
>                 URL: https://issues.jboss.org/browse/WFLY-1408
>             Project: WildFly
>          Issue Type: Bug
>          Components: Documentation
>            Reporter: floyd floyd
>            Assignee: Tom Wells
>
> In the following documentation Basic Authentication is suggested. I have two comments:
> - The documentation should clearly state that SSL (so HTTPS) should be used when using Basic Authentication or Digest Authentication. Usernames and passwords will be sent in cleartext in every single HTTP request to the server if SSL is not used, which is clearly a big security issue.
> - The documentation should suggest Digest authentication rather than Basic authentication.
> https://docs.jboss.org/author/display/WFLY8/WS-Security#WS-Security-Authenticationandauthorization
> The same problem exists for the AS7 documentation:
> https://docs.jboss.org/author/display/AS7/Developer+Guide#DeveloperGuide-ConfigureSecurityforBasicAuthentication

--
This message is automatically generated by JIRA.
If you think it was sent incorrectly, please contact your JIRA administrators
For more information on JIRA, see: http://www.atlassian.com/software/jira
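
The concern raised in this issue, as an added example that is not part of the original message or of the WildFly documentation: a Python check over captured request headers that reports what each Basic or Digest `Authorization` header reveals when the request did not use TLS. The function names and the sample requests are constructed for illustration.

```python
import base64
import re

# Constructed sample requests: (URL scheme, Authorization header value).
_BASIC = "Basic " + base64.b64encode(b"alice:s3cret").decode("ascii")
SAMPLES = [
    ("http", _BASIC),
    ("https", _BASIC),
    ("http", 'Digest username="alice", realm="ws", nonce="abc123", '
             'uri="/svc", response="6629fae49393a05397450978507c4ef1"'),
]


def exposed_credentials(scheme, authorization):
    """Report what an observer on the network path learns from one request.

    Returns None when the request used TLS or carried no Basic/Digest
    credentials. The password itself is never returned, so the result is
    safe to write to an audit log.
    """
    if scheme.lower() == "https" or not authorization:
        return None
    method, _, value = authorization.strip().partition(" ")
    method = method.lower()
    if method == "basic":
        # Basic is base64("user:password"): an encoding, not encryption.
        try:
            raw = base64.b64decode(value.strip(), validate=True)
        except ValueError:  # binascii.Error is a ValueError subclass
            return {"method": "basic", "username": None, "password_exposed": False}
        user, sep, _password = raw.decode("utf-8", "replace").partition(":")
        return {"method": "basic", "username": user, "password_exposed": bool(sep)}
    if method == "digest":
        # Digest carries the username and a hash derived from the password;
        # without TLS both are visible and the rest of the request is unprotected.
        match = re.search(r'username="([^"]*)"', value)
        return {"method": "digest", "username": match.group(1) if match else None,
                "password_exposed": False}
    return None


def audit(samples):
    """Return a finding for every sample that sent credential material without TLS."""
    return [f for f in (exposed_credentials(s, a) for s, a in samples) if f]
```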

