(Note: We've changed topic now)
Form-based authentication is very similar to basic authentication, except that you define the page that collects the username and password rather than relying on the browser.
In BASIC the server returns "WWW-Authenticate: Basic realm="Default"" in the response header when the user tries to access a protected resource. The browser then pops up the familiar window requesting username and password for the specified realm. These are then sent back to the server in a new request for the resource with "Authorization: Basic TXJQb2ludHlIYWlyOk1yUG9pbnR5SGFpcg==" or similar, where the encrypted string is simply a Base64 encoding of "username:password". The server then decides whether to allow access or not.
With FORM-based authentication, when the user tries to access a protected resource, the server goes to the login page specified in the deployment descriptor. The server can then use the username/password to authenticate the user.
The chapter in Jason Hunter's book has a good description, and there are examples online:
http://www.servlets.com/jservlet2/examples/ch08/index.html [This message has been edited by Tim Duncan (edited October 30, 2001).]
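The BASIC exchange described in the post, as an added example (not from the post or from the servlets.com book code): the server-side half that parses the "Authorization: Basic ..." header, splits the decoded "username:password" on the first colon, checks it, and otherwise answers with the "WWW-Authenticate" challenge. The user table and the extra sample headers are constructed for the demo; the first header is the one quoted in the post and decodes to "MrPointyHair:MrPointyHair".

```python
import base64
import binascii
import hmac
from typing import Dict, Optional, Tuple

# Constructed samples: the first is the header value quoted in the post,
# the rest exercise the edge cases a server must reject or handle.
SAMPLE_HEADERS = {
    "post": "Basic TXJQb2ludHlIYWlyOk1yUG9pbnR5SGFpcg==",
    "colon_in_password": "Basic " + base64.b64encode(b"alice:pa:ss:word").decode(),
    "not_basic": "Bearer abc.def.ghi",
    "garbage": "Basic %%%notbase64%%%",
    "no_colon": "Basic " + base64.b64encode(b"nocolonhere").decode(),
}


def parse_basic_authorization(header: Optional[str]) -> Optional[Tuple[str, str]]:
    """Return (username, password) from an 'Authorization' header value, or None
    if the header is missing, malformed, or uses a scheme other than Basic.
    Base64 is a reversible encoding, not encryption: anyone who can read the
    header on the wire (e.g. over plain HTTP) recovers the credentials this way."""
    if header is None:
        return None
    scheme, _, encoded = header.strip().partition(" ")
    if scheme.lower() != "basic" or not encoded.strip():
        return None
    try:
        raw = base64.b64decode(encoded.strip(), validate=True)
        decoded = raw.decode("utf-8")
    except (binascii.Error, ValueError):  # UnicodeDecodeError is a ValueError
        return None
    # Split on the FIRST colon only: usernames may not contain ':' but passwords may.
    username, sep, password = decoded.partition(":")
    if not sep:
        return None
    return username, password


def authorize(header: Optional[str], users: Dict[str, str], realm: str = "Default") -> Tuple[int, Dict[str, str]]:
    """Server decision for one request: (200, {}) on success, otherwise
    (401, challenge headers) so the browser prompts for the given realm.
    `users` is a constructed plaintext table purely for the demo."""
    creds = parse_basic_authorization(header)
    if creds is not None:
        username, password = creds
        expected = users.get(username)
        # Constant-time comparison so a wrong guess does not leak how much matched.
        if expected is not None and hmac.compare_digest(expected.encode(), password.encode()):
            return 200, {}
    return 401, {"WWW-Authenticate": 'Basic realm="%s"' % realm}
```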