Digest authentication is just like basic authentication, except digest authentication uses encryption to protect passwords. In fact, digest authentication transmits a password's hash value, not the password itself.2
Figure 9-2 illustrates digest authentication with Tomcat. Notice the differences between the dialog in Figure 9-2, which declares this web site to be secure, and vs. the dialog in Figure 9-1, which does not.
Figure 9-2. Digest Authentication with Tomcat
Digest authentication is specified in an application's deployment descriptor, like this:
<login-config> <auth-method>DIGEST</auth-method> <realm-name>Digest Authentication Example</realm-name> </login-config> </web-app>
The only difference between basic and digest authentication is the specification of the authentication method, as listed above.
The digest authentication example discussed in this section works with Tomcat 4.0, but not with Tomcat 3.2.1.