It's not good security practice to pass the username and password in the URI when the point of SSL is to prevent that information from being intercepted. Putting that information in the URI makes it interceptable. HTTPS-Posted values are safe because values passed in the headers are sent after the SSL handshake has been completed.