Let’s start with a look at the communications that occur between a browser and a web container when the client asks for a secure resource on the web site. It’s BASIC, really.
The HTTP perspective...
1 The browser makes a request for a web resource, “update.jsp”.
2 The server determines that “update.jsp” is a constrained resource.
3 The container sends back an HTTP 401 (“Unauthorized”) with a WWW-Authenticate header that names the authentication scheme (Basic) and the realm.
4 The browser gets the 401 and, based on the realm info, prompts the user for a username and password.
5 The browser asks for “update.jsp” again (stateless, remember), but this time the request carries an Authorization header holding the username and password. With BASIC the pair is only Base64-encoded, not encrypted, so without HTTPS anyone on the path can read it.
6 The Container verifies that the username and password match a known user, and if they do, performs authorization: does that user hold a role allowed to reach the constrained resource?
7 If all the security stuff is good, the Container returns the HTML. If the credentials don’t check out, it returns another HTTP 401 with the same challenge; if the user is authenticated but not in an allowed role, it returns an HTTP 403 (“Forbidden”) instead...
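The exchange above as a runnable simulation of both sides, added here as an example; it is not code from the book or from any servlet container. The user table, the roles, the realm name “Member Area” and the constrained path “/update.jsp” are all constructed for the example. The client builds the Authorization header the browser would send; the “container” challenges with 401, re-challenges on a bad password, and answers 403 when the user is real but lacks a permitted role.

```python
import base64
import binascii
import hmac

# Constructed example data: username -> (password, set of roles)
USERS = {
    "alice": ("s3cret", {"member"}),
    "bob": ("hunter2", {"guest"}),
}
# Constructed security constraint: path -> roles allowed to reach it
CONSTRAINED = {"/update.jsp": {"member"}}
REALM = "Member Area"  # constructed realm name


def build_basic_header(username, password):
    """Client side: the Authorization header the browser sends after the
    user types credentials. Base64 is encoding, not encryption."""
    token = base64.b64encode(f"{username}:{password}".encode("utf-8")).decode("ascii")
    return "Basic " + token


def parse_basic_header(value):
    """Server side: recover (username, password) from an Authorization
    header value, or None if the header is absent or malformed."""
    scheme, _, token = value.partition(" ")
    if scheme.lower() != "basic" or not token:
        return None
    try:
        decoded = base64.b64decode(token.strip(), validate=True).decode("utf-8")
    except (binascii.Error, UnicodeDecodeError):
        return None
    if ":" not in decoded:
        return None
    # Split on the first ':' only; a password may itself contain ':'.
    username, password = decoded.split(":", 1)
    return username, password


def handle_request(path, headers):
    """Simulate the container's decision for one request.
    Returns (status, response_headers)."""
    allowed_roles = CONSTRAINED.get(path)
    if allowed_roles is None:
        return 200, {}  # unconstrained resource: no login needed
    challenge = {"WWW-Authenticate": f'Basic realm="{REALM}"'}
    creds = parse_basic_header(headers.get("Authorization", ""))
    if creds is None:
        return 401, challenge  # step 3: no usable credentials, challenge
    username, password = creds
    record = USERS.get(username)
    # Constant-time compare so a wrong password takes the same time as a
    # right one regardless of where the first mismatch is.
    if record is None or not hmac.compare_digest(record[0].encode(), password.encode()):
        return 401, challenge  # authentication failed: same challenge again
    if not (record[1] & allowed_roles):
        return 403, {}  # authenticated, but not authorized for this path
    return 200, {}  # step 7: the resource is served


def basic_auth_exchange(path, username, password):
    """Drive the round trip: anonymous request, then the retry carrying
    credentials if the first answer was a 401. Returns the status codes seen."""
    statuses = []
    status, _ = handle_request(path, {})
    statuses.append(status)
    if status == 401:
        retry_headers = {"Authorization": build_basic_header(username, password)}
        status, _ = handle_request(path, retry_headers)
        statuses.append(status)
    return statuses


if __name__ == "__main__":
    print(basic_auth_exchange("/update.jsp", "alice", "s3cret"))   # [401, 200]
    print(basic_auth_exchange("/update.jsp", "alice", "nope"))     # [401, 401]
    print(basic_auth_exchange("/update.jsp", "bob", "hunter2"))    # [401, 403]
```

Note that the failed-password path returns the identical challenge as the first anonymous request, which is why a browser keeps re-prompting; only the 403 tells the client that trying again with the same account is pointless.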