Basic authentication's only means of obfuscation is Base64 encoding. Since Base64 encoding is easily recognized and reversed, it offers only the thinnest veil of protection to your users, and should not be used.
Noncompliant code example
// in web.xml
<web-app ...>
  <!-- ... -->
  <login-config>
    <auth-method>BASIC</auth-method>
  </login-config>
</web-app>
Exceptions
The rule will not raise an issue if HTTPS is enforced, that is, if a security-constraint with a CONFIDENTIAL transport-guarantee covers any URL pattern.
<web-app ...>
  <!-- ... -->
  <security-constraint>
    <web-resource-collection>
      <web-resource-name>HTTPS enabled</web-resource-name>
      <url-pattern>/*</url-pattern>
    </web-resource-collection>
    <user-data-constraint>
      <transport-guarantee>CONFIDENTIAL</transport-guarantee>
    </user-data-constraint>
  </security-constraint>
</web-app>
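The following Python script is an added example, not part of the rule or of any analyzer's implementation. It applies the rule's logic, including the exception above, to a web.xml document: it reports a BASIC auth-method unless some security-constraint carries a CONFIDENTIAL transport-guarantee. The two web.xml documents are constructed samples, one matching the noncompliant example and one matching the exception.

```python
import xml.etree.ElementTree as ET

# Constructed sample: BASIC auth with no transport guarantee (noncompliant).
NONCOMPLIANT_WEB_XML = """<?xml version="1.0" encoding="UTF-8"?>
<web-app xmlns="http://xmlns.jcp.org/xml/ns/javaee" version="3.1">
  <login-config>
    <auth-method>BASIC</auth-method>
  </login-config>
</web-app>
"""

# Constructed sample: BASIC auth, but HTTPS is enforced on /* (the rule's exception).
COMPLIANT_WEB_XML = """<?xml version="1.0" encoding="UTF-8"?>
<web-app xmlns="http://xmlns.jcp.org/xml/ns/javaee" version="3.1">
  <login-config>
    <auth-method>BASIC</auth-method>
  </login-config>
  <security-constraint>
    <web-resource-collection>
      <web-resource-name>HTTPS enabled</web-resource-name>
      <url-pattern>/*</url-pattern>
    </web-resource-collection>
    <user-data-constraint>
      <transport-guarantee>CONFIDENTIAL</transport-guarantee>
    </user-data-constraint>
  </security-constraint>
</web-app>
"""


def _local(tag):
    """Drop the '{namespace}' prefix ElementTree adds, so the check works with or without xmlns."""
    return tag.rsplit("}", 1)[-1]


def _find_all(element, name):
    """All descendants of `element` (including itself) whose local tag name is `name`."""
    return [el for el in element.iter() if _local(el.tag) == name]


def uses_basic_auth(root):
    """True if any login-config declares <auth-method>BASIC</auth-method>."""
    for login_config in _find_all(root, "login-config"):
        for auth_method in _find_all(login_config, "auth-method"):
            if (auth_method.text or "").strip().upper() == "BASIC":
                return True
    return False


def https_enforced_patterns(root):
    """URL patterns covered by a security-constraint whose transport-guarantee is CONFIDENTIAL."""
    patterns = []
    for constraint in _find_all(root, "security-constraint"):
        guarantees = [(tg.text or "").strip().upper()
                      for tg in _find_all(constraint, "transport-guarantee")]
        if "CONFIDENTIAL" in guarantees:
            patterns.extend((up.text or "").strip()
                            for up in _find_all(constraint, "url-pattern"))
    return patterns


def check_web_xml(xml_text):
    """Apply the rule: flag BASIC auth unless HTTPS is enforced on at least one URL pattern."""
    root = ET.fromstring(xml_text)
    basic = uses_basic_auth(root)
    patterns = https_enforced_patterns(root)
    findings = []
    if basic and not patterns:
        findings.append(
            "login-config uses auth-method BASIC without a CONFIDENTIAL "
            "transport-guarantee on any url-pattern"
        )
    return {"basic_auth": basic, "https_patterns": patterns, "findings": findings}


if __name__ == "__main__":
    for label, doc in (("noncompliant", NONCOMPLIANT_WEB_XML), ("compliant", COMPLIANT_WEB_XML)):
        result = check_web_xml(doc)
        print(label, result["findings"] or "no issue")
```

The check mirrors the exception literally: a CONFIDENTIAL guarantee on any single URL pattern silences the finding, even if the pattern does not cover the resources that actually prompt the Basic challenge, so when reviewing a deployment descriptor it is still worth confirming that the guaranteed pattern covers the protected paths.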