When the server is configured for NCSA basic authentication
and a user accesses the server with IE, it pops up
a login dialog. After the user provides the right login
credentials, the response page is sent back to the browser.
If the response page contains a Java applet tag with
codebase pointing to an archive file on the same
server, JRE 1.4.x will pop up another login dialog, and the
user has to provide the username/password again to dismiss it.
Sun suggests checking the "remember
the username/password" check box in the first NCSA
authentication dialog to avoid the second JVM dialog.
It works, but we have security concerns:
The NCSA basic authentication is required by our
single sign-on feature, which is applicable to a
customer-facing application. A user can access the
application from any machine, and if "remember
username/password" is checked, then anyone who accesses
that machine can also access the saved user account
for that application. This is definitely not an
acceptable behavior. We would like to have a complete
solution to this problem.