This week's book giveaways are in the Refactoring and Agile forums.
We're giving away four copies each of Re-engineering Legacy Software and Docker in Action and have the authors on-line!
See this thread and this one for details.
Win a copy of Re-engineering Legacy Software this week in the Refactoring forum
or Docker in Action in the Cloud/Virtualization forum!
  • Post Reply
  • Bookmark Topic Watch Topic
  • New Topic


Anup Om
Ranch Hand
Posts: 62
  • Mark post as helpful
  • send pies
  • Quote
  • Report post to moderator

When FORM based authentication is used, the container creates a session and it uses this session to track further requests for constrained URLs (and not ask for login information again).

But, when BASIC authentication is used, how does the container track requests for constrained resources?

Thanks for help in advance.
Frits Walraven
Creator of Enthuware JWS+ V6
Saloon Keeper
Posts: 2275
Android Chrome Eclipse IDE
  • Mark post as helpful
  • send pies
  • Quote
  • Report post to moderator
Hi Anu,

With BASIC authentication the same thing applies: it is up to the servlet container to handle that

According to the specs (SRV.12.6 Server Tracking of Authentication Information)
As the underlying security identities (such as users and groups) to which roles are
mapped in a runtime environment are environment specific rather than application
specific, it is desirable to:
1. Make login mechanisms and policies a property of the environment the web
application is deployed in.
2. Be able to use the same authentication information to represent a principal to
all applications deployed in the same container, and
3. Require re-authentication of users only when a security policy domain boundary
has been crossed.
Therefore, a servlet container is required to track authentication information
at the container level (rather than at the web application level). This allows users
authenticated for one web application to access other resources managed by the
container permitted to the same security identity.

This makes it even possible to be authenticated for a number of web applications in the same JRE.

Consider Paul's rocket mass heater.
  • Post Reply
  • Bookmark Topic Watch Topic
  • New Topic