They are authentication methods.
Authentication is the container checking that you are who you claim to be - i.e. "enter a password or go away".
Authorisation is the container saying "OK, I know who you are - I'm going to check that you are allowed to use this servlet/web-page/resource".
So in your web.xml you define the authentication method - BASIC, DIGEST, FORM or CLIENT-CERT - which tells the container what to prompt you with for you to enter a password - i.e. basic 64bit encryption logon, 124bit encryption, custom login form, or client certificate.
Then you define web-resource-collections, which define collections of URLs. You specify the ROLES which are allowed to use the collections (i.e. authorised); then at deployment time you map these roles to actual users/groups in the OS or LDAP.
The first time you attempt to use a secured resource (i.e. one whose URL falls into one of the web-resource-collections) the container will check to see if you have been AUTHENTICATED - e.g. if you're using LDAP it will check to see if you have an LDAP cookie. If not, it will intercept the request and redirect it to the login method specified - e.g. custom form. Then, after you have successfully logged in, the container will check that your user profile is in a role which is AUTHORISED to use the requested resource.
You therefore can't be authorised to use a secured resource until the container has first authenticated your ass!
Hope that helps.
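The web.xml layout described above, as an added example that is not part of the original post: a FORM login-config (authentication) plus one security-constraint tying a URL collection to a role (authorisation). The realm name, page paths, URL pattern and role name are assumed values.

```xml
<?xml version="1.0" encoding="UTF-8"?>
<web-app xmlns="http://xmlns.jcp.org/xml/ns/javaee" version="3.1">

  <!-- AUTHENTICATION: tells the container how to prompt for credentials. -->
  <login-config>
    <auth-method>FORM</auth-method>
    <realm-name>example-realm</realm-name>                 <!-- assumed name -->
    <form-login-config>
      <form-login-page>/login.jsp</form-login-page>        <!-- assumed path -->
      <form-error-page>/login-error.jsp</form-error-page>  <!-- assumed path -->
    </form-login-config>
  </login-config>

  <!-- AUTHORISATION: which roles may reach which collection of URLs. -->
  <security-constraint>
    <web-resource-collection>
      <web-resource-name>Admin pages</web-resource-name>
      <!-- Assumed pattern. No <http-method> is listed on purpose: when none
           is given the constraint applies to every HTTP method, whereas
           listing only GET and POST would leave the other verbs unprotected. -->
      <url-pattern>/admin/*</url-pattern>
    </web-resource-collection>
    <auth-constraint>
      <!-- Only users mapped into this role (assumed name) are authorised. -->
      <role-name>admin</role-name>
    </auth-constraint>
    <user-data-constraint>
      <!-- FORM login sends the password in the request body, so require TLS. -->
      <transport-guarantee>CONFIDENTIAL</transport-guarantee>
    </user-data-constraint>
  </security-constraint>

  <!-- Every role named in an auth-constraint must be declared here; the
       deployment descriptor of the container maps it to OS/LDAP users or groups. -->
  <security-role>
    <role-name>admin</role-name>
  </security-role>

</web-app>
```

A request to /admin/anything from an unauthenticated client is redirected to /login.jsp; after a successful login the container still refuses it with 403 unless the authenticated user is mapped into the admin role.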