The server side BASIC authenticator valve will be called on every request, but in my tests, the valve detects the previous session, sets the caller id from the session, and checks if the caller is authorized to invoke the resource. IOW, It does not call the realm to validate the username and password, if a session has already been established (as the result of a prior successful login). The BASIC Auth www.authorization header is alwways sent in the request, but it is not processed if a session has already been established.
Ron
[Message sent by forum member 'monzillo' (monzillo)]
http://forums.java.net/jive/thread.jspa?messageID=299670