Contribute to help us improve!

Are there edge cases or problems that we didn't consider? Is there a technical pitfall that we should add? Did we miss a comma in a sentence?

If you have any input for us, we would love to hear from you and appreciate every contribution. Our goal is to learn from projects for projects such that nobody has to reinvent the wheel.

Let's collect our experiences together to make room to explore the novel!

To contribute click on Contribute to this page on the toolbar.


Term definition

Term Description


Verification that somebody interacting with the system is the actual subject for whom he claims to be.


The one authenticated. There are two forms of principals that need to be distinguished:

  • human users

  • autonomous systems.


A common term used to refer to any principal even though it may not be a human.


A secret provided by the principal. The most simple form of credentials is a password.

Authentication mechanism

Basic Auth

Only secure when used via SSL secured connection. Otherwise principal and credentials are exposed!
Benefits Concerns
  • If used with SSL it is basically secure

  • Easy to implement and use

  • Stateless

  • Authentication transmission is not very secure and vulnerable to man in the middle attacks

  • Credentials can not be easily revoked

  • No anonymized login with third party possible. See JWT/OAUTH

JWT JWT tokens are usually requested from a third party (or embedded tool) via username and password. The requested token has a limited expiration and contains details about the user. Therefore, JWTs are tightly coupled with authorization as well.

Benefits Concerns
  • Very secure

  • Mechanism for external tool support

  • Authorization mechanism from external tool possible

  • Stateless

  • SSO possible

  • An issuer is needed, that creates the token. This can be a external tool, an embedded tool, or the server itself. In any case this increases the effort for setup

  • More effort in implementation

Form Login

A form login let’s the user enter the credentials on a form based website. The user is then logged in which is usually verified by an open session. devonfw recommends stateless applications. Therefore, a better and alternative approach is to let the user authenticate to a JWT issuer using the credentials returning a token that can be used for further requests.