If you are using BASIC auth (or DIGEST which is a little more secure) then it is the responsibility of your client to send auth headers with every request and the server will validate every request from scratch and populate the auth fields of the request. Browsers do this by default. but it sounds like you are not using a browser.
There are other methods such as FORM and OPENID that do an authentication conversation and leave the results in a session, so that all following requests in the same session are considered authenticated. Now by default FORM auth does use HTML pages to run a conversation, but ultimately it does not need those pages to do the auth, it just needs:
- one GET request to establish a session (could be for anything and could get a 401 response)
- a POST request to "/j_security_check" with parameters "j_username" and "j_password"
- all subsequent requests carrying the session cookie will then be authenticated.
Ultimately our authenticators and authentications are pluggable and you can do all sorts of stuff. It would not be hard to authenticate with BASIC, save that in a session and then all subsequent requests would be authenticated.
The login module is used by all of these auth methods to check the credentials - either for every request or once to put in the session. So it is orthogonal to the auth method used.
Finally, Webtide LLC is available for commercial services and we can implement a custom auth mechanism for you as part of that.... if none of the standard mechanisms works for you and you don 't want to customize yourself.
cheers