if security mechanism is concerned simply with authentication(A) and authorization(A), the scenarioes below demostrate how the basics work.
- client access to "hello.jsp" is required to be AAed
- hello.jsp is located under web app root "myapp"
- Tomcat has created a few default user-password-role mapping, we'll use the one "tomcat-tomcat-tomcat"
1. client requesting http://localhost/myapp/hello.jsp
2. server asking for authentication
3. client popping up authentication window
4. user typing "tomcat", "tomcat"
5. client requesting http://localhost/myapp/hello.jsp
with encoded authentication info
6. server verifying and authorizing the access
7. "hello tomcat" returning to client
web.xml config-2: use "*" for permitting all roles