Basic authentication relies on standard J2EE basic authentication from the application server. When you use basic authentication to secure access to destinations, you typically secure the endpoints of the channels that the destinations use in the web.xml file. You then configure the destination so that access to the secured resource is challenged for a user name (principal) and password (credentials).
For basic authentication, BlazeDS checks that a currently authenticated principal exists before routing any messages to the destination. If no authenticated principal exists, the server returns an HTTP 401 error message to indicate that authentication is required. In response to the HTTP 401 error message, the browser prompts the user to enter a user name and password. The web browser performs the challenge independently of the Flex client application. After the user successfully logs in, they remain logged in until the browser is closed.
The following example shows a security constraint definition that specifies roles for authorization:
<security-constraint id="privileged-users">
    <auth-method>Basic</auth-method>
    <roles>
        <role>privilegedusers</role>
        <role>admins</role>
    </roles>
</security-constraint>
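The two halves of the setup described above, as an added example that is not part of the original Adobe documentation: the web.xml fragment that secures the channel endpoint, and a destination that references the `privileged-users` constraint. The endpoint path `/messagebroker/amf`, the realm name `example-realm` and the destination id `exampleSecureDestination` are assumptions chosen for illustration.

```xml
<!-- WEB-INF/web.xml (fragment): the container enforces Basic authentication
     on the channel endpoint.
     Assumption: the channel endpoint is mapped at /messagebroker/amf. -->
<security-constraint>
  <web-resource-collection>
    <web-resource-name>BlazeDS channel endpoint</web-resource-name>
    <url-pattern>/messagebroker/amf</url-pattern>
    <!-- No <http-method> elements are listed, so the constraint applies to
         every HTTP method rather than only the ones named. -->
  </web-resource-collection>
  <auth-constraint>
    <role-name>privilegedusers</role-name>
    <role-name>admins</role-name>
  </auth-constraint>
  <user-data-constraint>
    <!-- Basic credentials are only base64-encoded, so require TLS. -->
    <transport-guarantee>CONFIDENTIAL</transport-guarantee>
  </user-data-constraint>
</security-constraint>

<login-config>
  <auth-method>BASIC</auth-method>
  <realm-name>example-realm</realm-name> <!-- hypothetical realm name -->
</login-config>

<security-role><role-name>privilegedusers</role-name></security-role>
<security-role><role-name>admins</role-name></security-role>

<!-- BlazeDS service configuration (fragment): the destination points at the
     constraint defined above through its id.
     Assumption: exampleSecureDestination is a hypothetical destination id. -->
<destination id="exampleSecureDestination">
  <security>
    <security-constraint ref="privileged-users"/>
  </security>
</destination>
```

With `CONFIDENTIAL` set, the container only accepts the endpoint over HTTPS, so the channel the destination uses must be defined with an HTTPS endpoint URL.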