BASIC authentication is well supported on web browsers, but it is not session based and there is no simple way to implement "logout". However it is great for program clients (like servlets).
Form authentication looks fancier, is based on sessions, therefore a "logout" is simply a Session.invalidate(), but it is not easy for program clients to handle.
Suppose some wants to write a simple servlet that "mails" another URL to the client.
One way to do so is to use javax.activation.URLDataSource. However, because it works as a plain HTTP Conversation with the server (that is with itself!!), there is no way to bypass the securitiy issues invlolved.