HTTP basic authentication
HCL Digital Experience provides a trust association interceptor (TAI) for HTTP Basic Authentication so that simple clients, such as WebDAV clients, can connect. HTTP Basic Authentication is less secure than form-based login over HTTPS with LTPA for SSO: the client base64-encodes the user ID and password and sends them in the Authorization header with every request. Base64 is an encoding, not encryption, and anyone who can observe the request can trivially decode the credentials.
Recommended actions and considerations
- Disable the HTTP Basic Authentication TAI if you are not using WebDAV (for example, to manage custom themes). Do so by setting enabled=false.
  - Consider enabling this TAI only on an as-needed basis (for example, when deploying themes or installing maintenance) and disabling it again afterwards.
- If you require the HTTP Basic Authentication TAI, tightly restrict which requests the TAI will attempt to authenticate, preferably with the configuration parameters:
  - userAgentWhiteList
  - urlWhiteList
- Note that WebDAV over HTTPS is not supported. Consider the security of your network when deciding where to run the WebDAV client, knowing that IDs and passwords are transmitted in clear text, only base64 encoded.
- Syndication relies on basic authentication, as provided by WebSphere Application Server. It can function over SSL and should be configured to do so, again taking the security of the network into account.
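As an added example (not part of this HCL documentation and not HCL DX code), the following Python script illustrates the two points above: how trivially an observed Basic header gives up the credentials, and how an allow-list on User-Agent and URL, in the spirit of userAgentWhiteList and urlWhiteList, limits which requests an interceptor will act on at all. The sample requests, the WebDAV path, the allow-list values and the glob-style matching are all constructed assumptions of this example; the actual matching rules of the HCL DX TAI are not described on this page.

```python
import base64
import binascii
from fnmatch import fnmatchcase
from typing import Dict, List, Optional, Tuple

# Constructed sample traffic (not captured from a real deployment).
# Each entry: (scheme, method, path, headers). The Authorization value on the
# first entry is the literal base64 of "wpsadmin:Secret!23", exactly as it
# would cross the wire on every WebDAV request.
SAMPLE_REQUESTS = [
    ("http", "PROPFIND", "/wps/mycontenthandler/dav/themelist/",
     {"User-Agent": "Microsoft-WebDAV-MiniRedir/10.0",
      "Authorization": "Basic d3BzYWRtaW46U2VjcmV0ITIz"}),
    ("https", "GET", "/wps/myportal/",
     {"User-Agent": "Mozilla/5.0",
      "Authorization": "Basic d3BzYWRtaW46U2VjcmV0ITIz"}),
    ("https", "GET", "/wps/mycontenthandler/dav/themelist/",
     {"User-Agent": "curl/8.4.0",
      "Authorization": "Basic !!!not-base64!!!"}),
    ("http", "GET", "/wps/portal/", {"User-Agent": "Mozilla/5.0"}),
]

# Assumed allow-list values, modelled on the userAgentWhiteList and
# urlWhiteList parameters; glob matching is an assumption of this example.
USER_AGENT_WHITELIST = ["Microsoft-WebDAV-MiniRedir/*"]
URL_WHITELIST = ["/wps/mycontenthandler/dav/*"]


def decode_basic(header_value: str) -> Optional[Tuple[str, str]]:
    """Recover (user, password) from an 'Authorization: Basic <token>' value.

    Returns None for any other scheme, for a token that is not valid base64,
    or for a payload lacking the 'user:password' separator (RFC 7617 layout).
    """
    scheme, _, token = header_value.strip().partition(" ")
    if scheme.lower() != "basic" or not token:
        return None
    try:
        raw = base64.b64decode(token.strip(), validate=True)
    except (binascii.Error, ValueError):
        return None
    # The password may itself contain ':', so split only at the first one.
    user, sep, password = raw.decode("utf-8", errors="replace").partition(":")
    if not sep:
        return None
    return user, password


def interceptor_applies(user_agent: str, path: str,
                        user_agent_allow: List[str], url_allow: List[str]) -> bool:
    """Model of an allow-listed TAI: act only when BOTH the User-Agent and the
    request path match an allowed pattern. Any other request is left to the
    normal form-based login, so a Basic header on it is never honoured."""
    ua_ok = any(fnmatchcase(user_agent, p) for p in user_agent_allow)
    url_ok = any(fnmatchcase(path, p) for p in url_allow)
    return ua_ok and url_ok


def audit(requests, user_agent_allow: List[str], url_allow: List[str]) -> List[Dict]:
    """For every request carrying an Authorization header, report whether the
    credentials decode, whether the modelled interceptor would act on them,
    and whether they travelled without TLS."""
    findings = []
    for scheme, method, path, headers in requests:
        auth = headers.get("Authorization")
        if auth is None:
            continue
        creds = decode_basic(auth)
        intercepted = creds is not None and interceptor_applies(
            headers.get("User-Agent", ""), path, user_agent_allow, url_allow)
        findings.append({
            "method": method,
            "path": path,
            "user": creds[0] if creds else None,
            "intercepted": intercepted,
            "cleartext": creds is not None and scheme != "https",
        })
    return findings


if __name__ == "__main__":
    for finding in audit(SAMPLE_REQUESTS, USER_AGENT_WHITELIST, URL_WHITELIST):
        print(finding)
```

Running the audit shows the WebDAV PROPFIND over plain HTTP is the one request the modelled interceptor acts on, and also the one whose credentials are exposed in clear text, which is exactly the trade-off the recommendations above ask you to weigh: narrow the allow-lists to the client and paths you actually use, and confine that client to a network segment you trust.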