Ram,
The server gets getRemoteUserName() from a header line of the browser request (Authentication: action of the browser user). The server compares these values with some server resource to check whether the user is authorized to access it (Authorization).
None of these authentication methods is Java-specific. It's HTTP or HTTPS. Form-based authentication works - I think - with some tricks on the server. Many web servers have a form-based authentication feature. Even Lotus Domino.
The Request.getRemoteUserName() just encapsulates this information sent by the browser in a convenient object-oriented way.
Here is the sequence for Basic Authentication:
- Browser requests a protected resource.
- Server responds with a 401 (unauthorized) response to challenge authentication of the user. Part of the 401 response is the "WWW-Authenticate" header, such as WWW-Authenticate: Basic realm="MyRealm"
- Browser reacts by popping up a dialog asking to input user name/password. The browser typically caches user-id and password in memory (lost when the browser is closed) after the first prompt for a particular realm in a session. So the user is not prompted again on subsequent requests.
- Upon submission, the browser takes these values, Base64-encodes the username:password string and sends it to the server along with an authorization header, for example Authorization: Basic WLAERJWRGFKLJS (it's encrypted). HE SENDS HIS NAME.
- If username:password is valid for the resource, HTTP 200 code is returned along with the resource.
- For resources below the requested path, the browser automatically sends the Authorization header without prompting the user (according to my understanding of the realm concept).
HTTP Digest Authentication seems to function quite similarly, although it is not very well explained in JSP2.
Server sends a random string (called nonce) to the browser.
Browser sends authentication username-password as a one-way hash (MD5) of username, password, URL, HTTP method. Server creates checksum.
Supported at the moment only in IE5.X. Support for the mechanism is NOT mandatory for containers. Perhaps you will find more information on Microsoft sites, if you are interested (please post if you find any results).
Form-based authentication you can deduce from Ashik's post. Quite the same.
HTTPS later.
Axel
[ January 21, 2002: Message edited by: Axel Janssen ]
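The Basic and Digest exchanges described in the post above, as an added Python example that is not part of the original post or of any servlet container: it builds the 401 challenge, decodes a Basic Authorization value (Base64 reverses without a key), and recomputes the Digest response on the server side following RFC 2617. The function names are assumptions made for this example, and the sample header value is the one from the RFC 2617 Basic example.

```python
import base64
import hashlib
import hmac


def md5_hex(text):
    return hashlib.md5(text.encode("utf-8")).hexdigest()


def challenge(realm):
    """Status and header for the 401 reply to a request without credentials."""
    return 401, {"WWW-Authenticate": f'Basic realm="{realm}"'}


def parse_basic(authorization):
    """Decode an 'Authorization: Basic <token>' value to (user, password)."""
    scheme, _, token = authorization.partition(" ")
    if scheme.lower() != "basic":
        return None
    try:
        # Base64 is reversible without any key.
        decoded = base64.b64decode(token.strip(), validate=True).decode("utf-8")
    except ValueError:  # covers binascii.Error and UnicodeDecodeError
        return None
    user, sep, password = decoded.partition(":")
    return (user, password) if sep else None


def digest_response(username, realm, password, method, uri, nonce,
                    qop=None, nc=None, cnonce=None):
    """Digest 'response' value as defined in RFC 2617 (MD5)."""
    ha1 = md5_hex(f"{username}:{realm}:{password}")
    ha2 = md5_hex(f"{method}:{uri}")
    if qop:  # qop=auth adds the request counter and a client nonce
        return md5_hex(f"{ha1}:{nonce}:{nc}:{cnonce}:{qop}:{ha2}")
    return md5_hex(f"{ha1}:{nonce}:{ha2}")


def verify_digest(client_response, **fields):
    """Server side: recompute the hash and compare in constant time."""
    expected = digest_response(**fields)
    return hmac.compare_digest(expected.encode(), client_response.encode())


if __name__ == "__main__":
    print(challenge("MyRealm"))
    # Sample header value from the RFC 2617 Basic example.
    print(parse_basic("Basic QWxhZGRpbjpvcGVuIHNlc2FtZQ=="))
```
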