Ok, so as you said - you can use transport-guarantee which will force the use of something to make sure the transport is confidential (like SSL), so... if this is achievable, why is it still not widely used?
Well, authentication from client to server is no big deal, it just involves sending a username and password over a (secure) line. You can easily program that part of your web-application yourself.
And if the form-login-config isn't used, maybe just the container managed credentials mechanism is? If I'm not using the container authentication, can I still use container authorization (security-auth, auth-constraints, etc.)?
Yes, you can by using the <secure-role-ref> element of the web.xml. You bind the programmatic roles (the ones you use in a Servlet) to the declarative role (the ones you define in a <security-role>). However, you should always ask yourself if programmatic security adds something extra to the declarative security.
Like this: I would like the container to be aware of company LDAP. I also want to use LDAP roles and usernames in web.xml, i.e. to prevent some users from accessing particular servlets, but because of the application requirements I cannot use form-login-config. Is it still possible?
Watch out: binding users to roles is not done in the web.xml. You only define the roles that are used in the web-application. The user-to-role binding is something server specific. Even with Tomcat you can connect to an LDAP server for authentication (user to role mapping).
Regards,
Frits
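To make the split in the reply above concrete, here is an added illustration (not from the original thread or any project): the web.xml declares roles and constraints and uses `<security-role-ref>` to map the name a servlet checks onto a declared role, while the actual user-to-role binding lives in Tomcat's realm configuration. Class names, DNs, role names and the LDAP host are constructed placeholders.

```xml
<!-- web.xml (inside <web-app>): declarative security only.
     No user names here; only roles and which URLs they protect. -->
<security-constraint>
  <web-resource-collection>
    <web-resource-name>Admin servlets</web-resource-name>
    <url-pattern>/admin/*</url-pattern>
  </web-resource-collection>
  <auth-constraint>
    <!-- only principals the realm maps to this role may reach /admin/* -->
    <role-name>ldap-admins</role-name>
  </auth-constraint>
  <user-data-constraint>
    <!-- the transport-guarantee from the question: forces HTTPS here -->
    <transport-guarantee>CONFIDENTIAL</transport-guarantee>
  </user-data-constraint>
</security-constraint>

<!-- The container still needs some auth-method to establish a principal;
     BASIC (or CLIENT-CERT) is the alternative when FORM cannot be used. -->
<login-config>
  <auth-method>BASIC</auth-method>
  <realm-name>Company LDAP</realm-name>
</login-config>

<servlet>
  <servlet-name>ReportServlet</servlet-name>
  <servlet-class>com.example.ReportServlet</servlet-class> <!-- placeholder -->
  <security-role-ref>
    <!-- name used in code: request.isUserInRole("manager") -->
    <role-name>manager</role-name>
    <!-- declarative role it resolves to -->
    <role-link>ldap-admins</role-link>
  </security-role-ref>
</servlet>

<security-role>
  <role-name>ldap-admins</role-name>
</security-role>

<!-- Tomcat server.xml or context.xml: this is where LDAP users and groups
     are bound to the role names above. Values are placeholders. -->
<Realm className="org.apache.catalina.realm.JNDIRealm"
       connectionURL="ldap://ldap.example.com:389"
       userBase="ou=people,dc=example,dc=com"
       userSearch="(uid={0})"
       roleBase="ou=groups,dc=example,dc=com"
       roleName="cn"
       roleSearch="(member={0})"/>
```

With this layout, renaming an LDAP group only touches the realm side (roleSearch/roleName), while the web.xml keeps its stable role name.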