You just got an overview of how the Container handles authentication and authorization. But what was going on inside the Container that made all that happen? Let’s speculate a little on what was going on behind the scenes, deep down in the heart of the Container...
Things the Container did:
Performed a lookup on the resource being requested
We already know that the Container is really good at finding resources. But now, once it finds the resource, it has to determine whether it’s a resource that anyone can view, or whether the resource has security constraints. Does the servlet itself have some sort of security flag? Is there a table somewhere?
Performed some authentication
Once the Container determines that it’s dealing with a secured resource, it has to authenticate the client. In other words, it has to find out whether “Bob” really is Bob. (The most common way is to see if Bob knows his own password.)
Performed some authorization
Once the Container determines that it is the real Bob asking for this resource, the Container has to see whether Bob is allowed access to that resource. Let’s see, if we have 2,000,000 users, and 100 servlets in our webapp, we could throw together a little table with 200,000,000 cells...
Whoa! This could get out of hand in a hurry if we’re not careful.
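The three steps above, as an added illustration (not code from the book or from any real servlet container): a toy in-memory model where the lookup, authentication and authorization steps are each a separate check, and the authorization data is exactly the per-user, per-resource table the text worries about. The class name ToyContainer, the users and the /admin path are all invented for this example.

```java
import java.util.*;

/** Toy model of the three checks the text describes. Invented for this
 *  example; not the code of any real servlet container. */
public class ToyContainer {
    // Step 1 data: which resources carry a security constraint at all
    private final Set<String> securedResources = new HashSet<>();
    // Step 2 data: who can authenticate (user -> password)
    private final Map<String, String> passwords = new HashMap<>();
    // Step 3 data: the "big table", one entry per (user, resource) pair
    private final Set<String> allowed = new HashSet<>();

    void secure(String resource)              { securedResources.add(resource); }
    void addUser(String user, String password) { passwords.put(user, password); }
    void allow(String user, String resource)   { allowed.add(user + "@" + resource); }

    /** Returns an HTTP-style status code for the request. */
    int handle(String resource, String user, String password) {
        // 1. Lookup: an unconstrained resource is served to anyone
        if (!securedResources.contains(resource)) return 200;
        // 2. Authentication: is "Bob" really Bob? (does he know his password)
        if (user == null || password == null
                || !password.equals(passwords.get(user))) return 401;
        // 3. Authorization: is this user allowed this particular resource?
        if (!allowed.contains(user + "@" + resource)) return 403;
        return 200;
    }

    /** Cells needed for a per-user, per-resource table (users x resources). */
    static long tableCells(long users, long resources) { return users * resources; }

    public static void main(String[] args) {
        ToyContainer c = new ToyContainer();
        c.secure("/admin");
        c.addUser("bob", "s3cret");
        c.allow("bob", "/admin");
        System.out.println(c.handle("/index.html", null, null));  // unconstrained resource
        System.out.println(c.handle("/admin", "bob", "wrong"));   // bad password
        System.out.println(c.handle("/admin", "alice", "x"));     // unknown user
        c.addUser("alice", "pw");
        System.out.println(c.handle("/admin", "alice", "pw"));    // authenticated, not allowed
        System.out.println(c.handle("/admin", "bob", "s3cret"));  // authenticated and allowed
        // the 2,000,000 users x 100 servlets table from the text
        System.out.println(tableCells(2_000_000, 100));
    }
}
```

Every new user or servlet adds a whole row or column to the `allowed` set, which is the growth the text is pointing at.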