Could someone please explain to me how security is implemented? What I mean is this scenario:
1) Someone accesses restricted resources, so ...
2) a login screen pops up asking for username and password
3) the user provides valid data and ...
4) finally can see the restricted resources
5) then clicks somewhere else, to some non-restricted resources
6) then goes back to the same restricted resources
7) and ..... he doesn't have to provide any username and password!
That's what confuses me ... How can a container know that it is the same person? Does the client (browser) add an additional header with the username and password to every request made after the first login, no matter which authentication method was used (BASIC, DIGEST, etc.)?
It depends on what kind of authentication is used. If it's BASIC, then it's the browser that remembers the credentials, and will send them in the HTTP headers for each subsequent access to that web site.
If you're using FORM, then there's most often a cookie involved, which will also be sent as an HTTP header with each access, until you log out.
What options are there to restrict access to some web resources (directories with images, CSS and so on) for users that are not logged in? If login is implemented in servlets and JSP, is a filter in web.xml good for this purpose, or is there a better solution? What solutions are good? Thanks.
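The following is an added example, not code posted by anyone in this thread, illustrating both points above in one place: how a server-side component can recognise the "same person" on later requests under the two mechanisms described in the answer (BASIC credentials re-sent by the browser on every request, versus a session cookie after a FORM login), and how such a check can be mapped onto static directories (images, CSS) with a servlet Filter. The in-memory user table, the session attribute name `user`, and the filter mapping in the comment are assumptions chosen for illustration; a real application would use the container's Realm or a hashed credential store, and would set the session attribute from its own login servlet.

```java
import java.io.IOException;
import java.nio.charset.StandardCharsets;
import java.security.MessageDigest;
import java.util.Base64;
import java.util.Map;

import javax.servlet.Filter;
import javax.servlet.FilterChain;
import javax.servlet.FilterConfig;
import javax.servlet.ServletException;
import javax.servlet.ServletRequest;
import javax.servlet.ServletResponse;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;
import javax.servlet.http.HttpSession;

/**
 * Added example (not from the original thread). A Filter that accepts a
 * request if EITHER of the two "remembering" mechanisms applies:
 *
 *  - FORM: the app's login servlet already put a "user" attribute in the
 *    HttpSession; the browser only re-sends the JSESSIONID cookie, and the
 *    filter looks the session up.
 *  - BASIC: the browser re-sends "Authorization: Basic base64(user:pass)"
 *    on every request, so the credentials are re-validated every time.
 *
 * Hypothetical web.xml mapping that protects static directories as well as
 * the servlets (the filter runs before the default servlet serves files):
 *
 *   <filter>
 *     <filter-name>auth</filter-name>
 *     <filter-class>AuthFilter</filter-class>
 *   </filter>
 *   <filter-mapping><filter-name>auth</filter-name><url-pattern>/images/*</url-pattern></filter-mapping>
 *   <filter-mapping><filter-name>auth</filter-name><url-pattern>/css/*</url-pattern></filter-mapping>
 *   <filter-mapping><filter-name>auth</filter-name><url-pattern>/secure/*</url-pattern></filter-mapping>
 */
public class AuthFilter implements Filter {

    // Hypothetical in-memory user store, plaintext only to keep the example short.
    private static final Map<String, String> USERS = Map.of("alice", "s3cret");

    @Override
    public void init(FilterConfig cfg) { }

    @Override
    public void doFilter(ServletRequest req, ServletResponse res, FilterChain chain)
            throws IOException, ServletException {
        HttpServletRequest request = (HttpServletRequest) req;
        HttpServletResponse response = (HttpServletResponse) res;

        // FORM case: getSession(false) never creates a session, so an
        // unauthenticated browser cannot get one just by hitting a CSS file.
        HttpSession session = request.getSession(false);
        if (session != null && session.getAttribute("user") != null) {
            chain.doFilter(req, res);
            return;
        }

        // BASIC case: the credentials arrive in the header on every request.
        if (userFromBasicHeader(request.getHeader("Authorization")) != null) {
            chain.doFilter(req, res);
            return;
        }

        // Neither: answer 401 with a challenge. For static resources a 401 is
        // preferable to redirecting an <img> request to an HTML login page.
        response.setHeader("WWW-Authenticate", "Basic realm=\"restricted\"");
        response.sendError(HttpServletResponse.SC_UNAUTHORIZED);
    }

    /** Returns the username if the header carries valid BASIC credentials, else null. */
    static String userFromBasicHeader(String header) {
        if (header == null || !header.regionMatches(true, 0, "Basic ", 0, 6)) return null;
        String decoded;
        try {
            decoded = new String(Base64.getDecoder().decode(header.substring(6).trim()),
                                 StandardCharsets.UTF_8);
        } catch (IllegalArgumentException e) {
            return null; // malformed base64 is treated as "no credentials"
        }
        int colon = decoded.indexOf(':');
        if (colon < 0) return null;
        String user = decoded.substring(0, colon);
        byte[] given = decoded.substring(colon + 1).getBytes(StandardCharsets.UTF_8);
        String expected = USERS.get(user);
        if (expected == null) return null;
        // Constant-time comparison so a wrong password does not leak how much of it matched.
        return MessageDigest.isEqual(expected.getBytes(StandardCharsets.UTF_8), given) ? user : null;
    }

    @Override
    public void destroy() { }
}
```

Two caveats for a real deployment: the login servlet that sets the `user` attribute should call `request.changeSessionId()` (or invalidate and recreate the session) after a successful login so that a session id handed out before authentication cannot be reused, and if the application instead relies on the container's own `<security-constraint>` in web.xml, the same `<url-pattern>` entries for `/images/*` and `/css/*` can be listed there without any filter at all. The `javax.servlet` package names above match the era of this thread; on Jakarta EE 9+ they are `jakarta.servlet`.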