A realm is in a sense, some protected area/space in the server. The realm should have a name. If we run the example from this post, using cURL(which I recommend downloading, as it's useful in development), without any user credentials, we will see the following.
C:>curl -i http://localhost:8080/simple
HTTP/1.1 401 Unauthorized
Date: Thu, 11 Dec 2014 18:55:02 GMT
WWW-Authenticate: Basic realm="Basic Example Realm"
Content-Type: text/plain
Transfer-Encoding: chunked
Credentials are required to access this resource.
This is how the Basic Auth Protocol works. When the server want the user agent to authenticate, to access a secured resource, it will send back a "401 Unauthorized", along with the header similar to
WWW-Authenticate: Basic realm="Basic Example Realm"
The name you provide to the BasicAuthProvider
is the realm
that will be provided in the header. You can see in the source code
if (required) {
final String challenge = String.format(CHALLENGE_FORMAT, realm);
throw new WebApplicationException(
Response.status(Response.Status.UNAUTHORIZED)
.header(HttpHeaders.WWW_AUTHENTICATE, challenge)
.entity("Credentials are required to access this resource.")
.type(MediaType.TEXT_PLAIN_TYPE)
.build());
Now try to access the resource from the browser. You will see
You can also see the realm name there. The RFC 2617 just states (about the realm
):
realm:
A string to be displayed to users so they know which username and
password to use. This string should contain at least the name of
the host performing the authentication and might additionally
indicate the collection of users who might have access. An example
might be "[email protected]".
与恶龙缠斗过久,自身亦成为恶龙;凝视深渊过久,深渊将回以凝视…