One more thing that I forgot to ask and wanted to clarify...
I'm a little confused about the way encoded authentication credentials get passed to the web server with every HTTP request when I look at the headers for BASIC authentication. Are those credentials actually needed by the servlet container for every request or is it just because it's part of the HTTP spec? I've (briefly) skimmed most of the related source code, but I didn't take note of how the container avoids re-authenticating on every request. What gets cached?
I guess the real question I have is, once I've authenticated a user, is there a preferred way of indicating to the container that a user is already authenticated (a token, cookie, session id, auth credentials)?
[Message sent by forum member 'jptech' (ryan_at_jptech.ca)]
http://forums.java.net/jive/thread.jspa?messageID=385868