With BASIC authentication the same thing applies: it is up to the servlet container to handle that
According to the specs (SRV.12.6 Server Tracking of Authentication Information)
As the underlying security identities (such as users and groups) to which roles are
mapped in a runtime environment are environment specific rather than application
specific, it is desirable to:
1. Make login mechanisms and policies a property of the environment the web
application is deployed in.
2. Be able to use the same authentication information to represent a principal to
all applications deployed in the same container, and
3. Require re-authentication of users only when a security policy domain boundary
has been crossed.
Therefore, a servlet container is required to track authentication information
at the container level (rather than at the web application level). This allows users
authenticated for one web application to access other resources managed by the
container permitted to the same security identity.
This makes it even possible to be authenticated for a number of web applications in the same JRE.