Those are different modes of authentication if you use HTTP authentication. Through the getUserPrincipal, getAuthType and isUserInRole methods you can find out if and how a user has been authenticated. Basic means through the browser username/password dialog. Form means through a username/password web page. Digest sends the authentication info not in cleartext, but digested (i.e., kind of encrypted). (I'm not actually sure if current browsers support this.) Client-Certificate means the user has sent a personal certificate; the strongest form of authentication.
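
An added example, not part of the original post: a servlet that reads the three methods named above and applies a policy based on the authentication mode. The class name, the `admin` role and the policy itself are assumptions, and the `javax.servlet` package is assumed (newer containers use `jakarta.servlet`).

```java
import java.io.IOException;
import java.security.Principal;
import javax.servlet.http.HttpServlet;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;

// Hypothetical servlet (not from the original post): reports how the caller
// was authenticated and gates an action on role and authentication mode.
public class AuthInfoServlet extends HttpServlet {

    // Assumed role name; it must match a role declared in web.xml.
    private static final String ADMIN_ROLE = "admin";

    @Override
    protected void doGet(HttpServletRequest req, HttpServletResponse resp)
            throws IOException {
        Principal user = req.getUserPrincipal();   // null if not authenticated
        String authType = req.getAuthType();       // null if not authenticated

        if (user == null || authType == null) {
            resp.sendError(HttpServletResponse.SC_UNAUTHORIZED);
            return;
        }

        // Basic and Form send the password itself, so only accept them over TLS.
        boolean passwordBased = HttpServletRequest.BASIC_AUTH.equals(authType)
                || HttpServletRequest.FORM_AUTH.equals(authType);
        if (passwordBased && !req.isSecure()) {
            resp.sendError(HttpServletResponse.SC_FORBIDDEN,
                    "Password-based login requires HTTPS");
            return;
        }

        // Example policy: admin view requires the role AND a client certificate.
        boolean strongAdmin = req.isUserInRole(ADMIN_ROLE)
                && HttpServletRequest.CLIENT_CERT_AUTH.equals(authType);

        resp.setContentType("text/plain;charset=UTF-8");
        resp.getWriter().printf("user=%s authType=%s admin=%b%n",
                user.getName(), authType, strongAdmin);
    }
}
```

The servlet only sees a non-null principal when the container has authenticated the request, which requires a `security-constraint` and `login-config` for the URL in the deployment descriptor.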