I have made up a constrained resource in my web-app. When I enter the URL to this resource for the first time, the login window appears and after successful login the page is being rendered in the browser. Now I enter the same URL a second time and the login window doesn't pop up anymore, which is reasonable. (Authentication happens only once).
How will the container know that the second request is from the same user as the first one? Using session tracking, I first thought. But after disabling cookies in my Firefox browser the behaviour doesn't change!
I think the container looks at the "www-authenticate" header to provide security checks...
It keeps some attribute in the session? Because the fact of owning a jsessionid is not to say that the user has access to any resource, right?
Rafael L Santos
Sun Certified Java Programmer
Sun Certified Web Component Developer
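One way to observe which mechanism identifies the user on each request, as an added example that is not part of the original posts: a servlet filter that logs the container's view of the authentication, whether the browser sent an Authorization header, and whether a session id arrived by cookie or URL. The class name AuthTraceFilter is hypothetical, the javax.servlet API is assumed, and the filter is assumed to be mapped to the constrained URL pattern in web.xml.

```java
import java.io.IOException;
import javax.servlet.Filter;
import javax.servlet.FilterChain;
import javax.servlet.FilterConfig;
import javax.servlet.ServletException;
import javax.servlet.ServletRequest;
import javax.servlet.ServletResponse;
import javax.servlet.http.HttpServletRequest;

// Hypothetical diagnostic filter (not from the thread).
public class AuthTraceFilter implements Filter {
    private FilterConfig config;

    public void init(FilterConfig config) {
        this.config = config;
    }

    public void doFilter(ServletRequest req, ServletResponse res, FilterChain chain)
            throws IOException, ServletException {
        if (req instanceof HttpServletRequest) {
            HttpServletRequest http = (HttpServletRequest) req;

            // Record only the scheme (e.g. "Basic"); never log the credential part.
            String authz = http.getHeader("Authorization");
            String scheme = "none";
            if (authz != null) {
                int sp = authz.indexOf(' ');
                scheme = sp > 0 ? authz.substring(0, sp) : "malformed";
            }

            // Where did the session id the client presented come from, if any?
            String sessionSource = http.getRequestedSessionId() == null ? "none"
                    : http.isRequestedSessionIdFromCookie() ? "cookie"
                    : http.isRequestedSessionIdFromURL() ? "url" : "other";

            config.getServletContext().log("uri=" + http.getRequestURI()
                    + " authType=" + http.getAuthType()        // BASIC, FORM, DIGEST, ...
                    + " remoteUser=" + http.getRemoteUser()    // null if unauthenticated
                    + " authorizationScheme=" + scheme
                    + " requestedSession=" + sessionSource);
        }
        chain.doFilter(req, res);
    }

    public void destroy() {
    }
}
```

Comparing the log lines for the first and second request, with cookies enabled and then disabled, shows whether the second request carried credentials, a session id, or both.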