A browser sends a request for a protected resource. At this point the browser does not know that the resource is protected, so it sends a normal HTTP request. For example:
GET /photos/samplePhoto.jpg HTTP/1.1
The server observes that the resource is protected, so instead of sending the resource it sends a 401 Unauthorized message back to the client. In the message, it also includes a header that tells the browser that Basic authentication is needed to access the resource. The header also specifies the context in which the authentication would be valid.
For example:
HTTP/1.1 401 Unauthorized
Server: Tomcat 5.0.25
WWW-Authenticate: Basic realm="privelegeUser"
Content-Length: 1000
Content-Type: image/jpeg
...
Upon receiving the above response, the browser opens a dialog box prompting for a username and password.
Once the user enters the username and password, the browser resends the request and passes the values in a header named Authorization:
GET /photos/samplePhoto.jpg HTTP/1.1
Authorization: Basic am9objpqamo=
(am9objpqamo= is the Base64-encoded value of the username:password string.)
Hope that clarifies. For more information, please refer to a book.
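The header handling described above, as an added Python example that is not part of the original post: it builds the challenge, encodes the credentials the way the browser does, and decodes them on the server side. The function names are assumptions chosen for illustration; decoding needs no key, which is why Basic authentication should only travel over TLS.

```python
import base64

def build_challenge(realm):
    """Value of the WWW-Authenticate header sent with the 401 response."""
    escaped = realm.replace("\\", "\\\\").replace('"', '\\"')
    return f'Basic realm="{escaped}"'

def encode_basic(username, password):
    """Value of the Authorization header the browser sends back."""
    if ":" in username:
        # The first ':' separates the two fields, so the username cannot hold one.
        raise ValueError("username must not contain ':'")
    token = base64.b64encode(f"{username}:{password}".encode("utf-8"))
    return "Basic " + token.decode("ascii")

def decode_basic(header_value):
    """Server side: return (username, password), or None if malformed."""
    scheme, _, token = header_value.strip().partition(" ")
    if scheme.lower() != "basic" or not token:
        return None
    try:
        # validate=True rejects characters outside the Base64 alphabet.
        text = base64.b64decode(token.strip(), validate=True).decode("utf-8")
    except ValueError:  # covers binascii.Error and UnicodeDecodeError
        return None
    # Split on the first ':' only; the password itself may contain colons.
    username, sep, password = text.partition(":")
    if not sep:
        return None
    return username, password

if __name__ == "__main__":
    # Realm and header value taken from the messages in the post.
    print(build_challenge("privelegeUser"))
    print(decode_basic("Basic am9objpqamo="))
    # Constructed sample: a password that contains colons survives the round trip.
    print(decode_basic(encode_basic("john", "a:b:c")))
```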