web.xml snippet followed by headers seen when trying to log in: DIGEST http://localhost:8080/LearnSecurity2/ GET /LearnSecurity2/ HTTP/1.1 Host: localhost:8080 User-Agent: Mozilla/5.0 (X11; Ubuntu; Linux x86_64; rv:11.0) Gecko/20100101 Firefox/11.0 Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8 Accept-Language: en-us,en;q=0.5 Accept-Encoding: gzip, deflate DNT: 1 Connection: keep-alive HTTP/1.1 200 OK X-Powered-By: Servlet/3.0 JSP/2.2 (GlassFish Server Open Source Edition 3.1.2 Java/Oracle Corporation/1.7), JSF/2.0 Server: GlassFish Server Open Source Edition 3.1.2 Content-Type: text/html;charset=UTF-8 Content-Length: 466 Date: Tue, 03 Apr 2012 20:44:02 GMT ---------------------------------------------------------- http://localhost:8080/LearnSecurity2/faces/protected/welcome.xhtml GET /LearnSecurity2/faces/protected/welcome.xhtml HTTP/1.1 Host: localhost:8080 User-Agent: Mozilla/5.0 (X11; Ubuntu; Linux x86_64; rv:11.0) Gecko/20100101 Firefox/11.0 Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8 Accept-Language: en-us,en;q=0.5 Accept-Encoding: gzip, deflate DNT: 1 Connection: keep-alive Referer: http://localhost:8080/LearnSecurity2/ HTTP/1.1 401 Unauthorized X-Powered-By: Servlet/3.0 JSP/2.2 (GlassFish Server Open Source Edition 3.1.2 Java/Oracle Corporation/1.7) Server: GlassFish Server Open Source Edition 3.1.2 Pragma: No-cache Cache-Control: no-cache Expires: Wed, 31 Dec 1969 19:00:00 EST WWW-Authenticate: Digest realm="testCustomJdbcRealm", qop="auth", nonce="1333485857705:9e2d864c4030c3c72db9fa67317a0813df532fe4c4a29345d990a327dd84e6de", opaque="52AEF012F686B575683ED7DC8571B22F" Content-Type: text/html Content-Length: 1069 Date: Tue, 03 Apr 2012 20:44:17 GMT ----------------------------------------------------------