Could anyone please tell me why the following paragraph is incorrect:
If your deployment descriptor correctly declares an authentication type of BASIC, the container automatically requests a user name and password whenever a user starts a new session.
Because container would only request (as in "send an authentication challenge to browser") user name / password when user attempts to access a protected resource (as defined in descriptor); not when user session is created.
Details are in JavaEE tutorial
