https://bz.apache.org/bugzilla/show_bug.cgi?id=65820
--- Comment #5 from Christopher Schultz <ch...@christopherschultz.net> ---
(In reply to joao.paulo.martins from comment #4)
> Even so it is considered an unsecure approach using http basic
> authentication, might worth a change.

[*] citation needed

HTTP Basic Authentication is perfectly secure as long as you are using HTTPS. In fact, it's almost *exactly* as secure as FORM-based authentication, since the credentials are being sent across the wire in plain text in either case (without HTTPS).

The only downside is that there is no way to expire the session on the server-side because most clients will cache those credentials until you terminate them (and most people leave their browsers running for days or weeks at a time).

It's certainly possible to switch over to FORM-based authentication. If it's important to you, are you interested in preparing a pull-request/patch for that capability? Remember that it also needs to continue to work for non-human clients (such as CLI-based uses of the Manager) and must have proper internationalization.
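The comparison made in the comment above, as an added example that is not part of the original message or of Tomcat's code: without TLS, a Basic `Authorization` header and a FORM login POST both carry the credentials in readable form. The host, path and credentials are constructed; `j_security_check`, `j_username` and `j_password` are the Servlet specification's form-login names.

```python
import base64
from urllib.parse import parse_qs

# Constructed sample requests (assumed host, path and credentials; not captured traffic).
BASIC_REQUEST = (
    b"GET /manager/html HTTP/1.1\r\n"
    b"Host: tomcat.example\r\n"
    b"Authorization: Basic " + base64.b64encode(b"admin:s3cret") + b"\r\n"
    b"\r\n"
)
FORM_REQUEST = (
    b"POST /manager/j_security_check HTTP/1.1\r\n"
    b"Host: tomcat.example\r\n"
    b"Content-Type: application/x-www-form-urlencoded\r\n"
    b"Content-Length: 35\r\n"
    b"\r\n"
    b"j_username=admin&j_password=s3cret"
)


def split_request(raw):
    """Split a raw HTTP/1.1 request into (request line, headers, body)."""
    head, _, body = raw.partition(b"\r\n\r\n")
    lines = head.decode("iso-8859-1").split("\r\n")
    headers = {}
    for line in lines[1:]:
        name, _, value = line.partition(":")
        headers[name.strip().lower()] = value.strip()
    return lines[0], headers, body


def credentials_on_wire(raw):
    """Return (mechanism, user, password) as visible in the request bytes, or None."""
    _, headers, body = split_request(raw)
    scheme, _, token = headers.get("authorization", "").partition(" ")
    if scheme.lower() == "basic":
        try:
            # Base64 is an encoding, not encryption: decoding needs no key.
            decoded = base64.b64decode(token.strip(), validate=True).decode("utf-8")
        except ValueError:  # covers malformed base64 and invalid UTF-8
            return None
        user, sep, password = decoded.partition(":")  # password may itself contain ':'
        return ("basic", user, password) if sep else None
    if headers.get("content-type", "").startswith("application/x-www-form-urlencoded"):
        form = parse_qs(body.decode("utf-8"), keep_blank_values=True)
        if "j_username" in form and "j_password" in form:
            return ("form", form["j_username"][0], form["j_password"][0])
    return None
```

Both sample requests yield the same username and password, which is why the transport (HTTPS) rather than the login mechanism decides whether the credentials are exposed in transit.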