I was just wondering about the scheme used for HTTP Authorization in JBoss when <auth-method> is set to "BASIC" in web.xml...does it follow a challenge/response pattern, or will the server bypass issuing the challenge if the first request already contains an Authorization header with the proper credentials?