In the sample application, each expense report has an owner; the actions a user can perform on a specific report depend on whether she owns it, and on whether she's a manager or a regular employee. To implement these requirements, we need a way to identify application users and tell what type of user they are.
The process that identifies users is referred to as authentication. To access the application, the user has to provide personal information that only a real, registered user would know. The application verifies that information, e.g., by comparing it to the information held in a registry of known users. If the information is authentic, the application recognizes the user as a specific person. Once the application knows who the user is, it can use this knowledge to decide what that person is allowed to do (a process known as authorization).
A Java web container typically supports four methods of authentication, described in the servlet specification: HTTP basic authentication, HTTP digest authentication, HTTPS client authentication, and form-based authentication.
HTTP basic authentication is a simple and not very secure authentication scheme that I'm sure you've encountered. When a browser requests access to a protected resource, the server sends back a response asking for the user's credentials (username and password). The browser prompts the user for this information and sends the same request again, but this time with the credentials in ...
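The basic authentication exchange described above, as an added example that is not from the book: the server's 401 challenge, the Authorization header the browser adds when it resends the request, and the server's check of the decoded credentials against a registry of known users. The registry, realm name and credentials are constructed for the example; a real container stores password hashes in its realm rather than plaintext.

```python
import base64
import hmac

# Constructed registry of known users (username -> password) and realm name.
USER_REGISTRY = {"alice": "s3cret", "carol": "pass:word"}
REALM = "Expense Reports"


def challenge_response():
    """Server, step 1: the response asking the browser for credentials."""
    return {"status": 401, "headers": {"WWW-Authenticate": f'Basic realm="{REALM}"'}}


def client_authorization_header(username, password):
    """Browser, step 2: the header added when the request is sent again.
    The credentials are only base64-encoded, not encrypted, which is why
    basic authentication is weak unless the connection itself is protected."""
    token = base64.b64encode(f"{username}:{password}".encode("utf-8")).decode("ascii")
    return f"Basic {token}"


def authenticate(authorization_header):
    """Server, step 3: decode the header and check it against the registry.
    Returns the username on success, None on any failure."""
    if not authorization_header:
        return None
    scheme, _, token = authorization_header.partition(" ")
    if scheme.lower() != "basic" or not token:
        return None
    try:
        decoded = base64.b64decode(token, validate=True).decode("utf-8")
    except (ValueError, UnicodeDecodeError):  # malformed base64 or bytes
        return None
    # RFC 7617: the user-id ends at the first colon; the password may contain colons.
    username, sep, password = decoded.partition(":")
    if not sep:
        return None
    expected = USER_REGISTRY.get(username)
    if expected is None:
        return None
    # Constant-time comparison so timing does not reveal how much of the password matched.
    if not hmac.compare_digest(expected.encode("utf-8"), password.encode("utf-8")):
        return None
    return username


def handle_request(headers):
    """Models the container: no valid credentials -> challenge, else the identified user."""
    user = authenticate(headers.get("Authorization"))
    if user is None:
        return challenge_response()
    return {"status": 200, "user": user}
```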