Secure web applications may have authentication and authorization properties. The web container supports three types of authentication: basic, certificate, and form-based. The core ACLs support basic, certificate, and digest. For more information about ACL configuration, see the Sun Java System Web Server 7.0 Update 4 Administrator’s Guide.
When a browser requests an application URL that requires authentication, the web container collects the user authentication information, for example, user name and password and passes it to the security service for authentication.
For Java EE web applications, Web Server checks the application's web.xml file for information on which parts of the application are protected, and which roles are authorized to access. It also checks sun-web.xml to see whether the currently authenticated user belongs to one of the required roles, either directly through user mapping or indirectly through group mapping.