How to Authenticate in HTTP World: the beginning of a secure transaction
Let’s start with a look at the communications that occur between a browser and a web container when the client asks for a secure resource on the web site. It’s BASIC, really.
The HTTP perspective...

1. The browser makes a request for a web resource, “update.jsp”.
2. The server determines that “update.jsp” is a constrained resource.
3. The container sends back an HTTP 401 (“Unauthorized”), with a WWW-Authenticate header and realm information.
4. The browser gets the 401 and, based on the realm info, asks the user for his username and password.
5. The browser asks for “update.jsp” again (stateless, remember), but this time the request includes a security HTTP header carrying the username and password.
6. The Container verifies that the username and password match, and if they do, performs authorization.
7. If all the security stuff is good, the Container returns the HTML; if not, it returns another HTTP 401...
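The seven steps above as an added example (not code from the book): a simulated container and browser in Python, with both sides' messages visible. The realm, the protected resource list, the user "alice" and her password are constructed sample values.

```python
# Added example (not from the book): the HTTP Basic exchange described
# above, simulated in plain Python so both sides' messages are visible.
# The realm, the user name, the password and the resource list are
# constructed sample values.
import base64
import hashlib
import hmac

REALM = "update-realm"            # constructed sample realm
CONSTRAINED = {"/update.jsp"}     # resources the deployment descriptor protects
CHALLENGE = (401, {"WWW-Authenticate": f'Basic realm="{REALM}"'}, "")

# The container stores only a salted hash of the password, never the password.
_SALT = b"constructed-salt"
_USERS = {"alice": hashlib.pbkdf2_hmac("sha256", b"s3cret", _SALT, 100_000)}

def _verify(user, password):
    """Constant-time check of the presented password against the stored hash."""
    stored = _USERS.get(user)
    if stored is None:
        return False
    presented = hashlib.pbkdf2_hmac("sha256", password.encode(), _SALT, 100_000)
    return hmac.compare_digest(stored, presented)

def container(path, headers):
    """Steps 2, 3, 6 and 7: return (status, response_headers, body)."""
    if path not in CONSTRAINED:
        return 200, {}, "<html>public</html>"
    auth = headers.get("Authorization", "")
    scheme, _, token = auth.partition(" ")
    if scheme.lower() != "basic" or not token:
        return CHALLENGE          # step 3: no credentials, name the realm
    try:
        user, _, password = base64.b64decode(token, validate=True).decode().partition(":")
    except ValueError:            # malformed base64 or non-UTF-8 bytes
        return CHALLENGE
    if not _verify(user, password):
        return CHALLENGE          # step 7, failure branch: another 401
    return 200, {}, "<html>update form</html>"

def browser(path, user=None, password=None):
    """Steps 1, 4 and 5: first unauthenticated, then retry with the Basic header."""
    status, resp_headers, body = container(path, {})
    if status == 401 and user is not None:
        # Step 5: the same request again, now with 'Basic ' + base64('user:password').
        token = base64.b64encode(f"{user}:{password}".encode()).decode()
        status, resp_headers, body = container(path, {"Authorization": f"Basic {token}"})
    return status, resp_headers.get("WWW-Authenticate"), body
```

Base64 is an encoding, not encryption: the username and password travel in the clear on every request, so Basic is only acceptable over TLS.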