I am using Tomcat as the servlet container. What I want to do is write a
servlet which does HTTP authentication without Tomcat's interaction. Is it
possible?
 
In detail, to enable HTTP authentication (basic realm), you should
configure the web.xml in your webapp, and configure the
username/password/role in %TOMCAT_HOME%/conf/tomcat-user.xml. But I want
to use my ACL in my servlet, so I would process any user requests
myself, and determine whether they need authentication, then return a
challenge response to the client, and so on.
 
A typical scenario is:
 
client: sends a GET /myapp/abc.xml HTTP/1.1, where myapp is my webapp,
and abc.xml is retrieved by the servlet from some data source where
authentication is needed.
servlet: finds no Authorization header is available, so returns an HTTP 401
response to challenge the client for username/password
client: sends the GET request again with an Authorization header
servlet: tries to access the data source, but the username/password have
no right to access abc.xml, so it returns an HTTP 401 again
client: sends the GET with the correct username/password
servlet: gets abc.xml and returns it to the client.

--zhidong
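
The exchange described above, as an added example that is not part of the original post: a servlet that issues the Basic challenge and checks the credentials itself. It assumes web.xml has no security-constraint or login-config for this path (so the container does not step in) and that the servlet is mapped to /* inside the myapp context; the class name, realm, sample user, sample password and aclAllows() are hypothetical stand-ins for the poster's own ACL.

```java
import java.io.IOException;
import java.nio.charset.StandardCharsets;
import java.security.MessageDigest;
import java.util.Base64;
import javax.servlet.http.HttpServlet;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;

public class AclServlet extends HttpServlet {
    private static final String REALM = "myapp"; // assumed realm name

    @Override
    protected void doGet(HttpServletRequest req, HttpServletResponse resp) throws IOException {
        String[] creds = parseBasic(req.getHeader("Authorization"));
        // Missing header, malformed header and ACL denial all get the same 401 challenge,
        // so the response does not reveal which of the three happened.
        if (creds == null || !aclAllows(creds[0], creds[1], req.getPathInfo())) {
            resp.setHeader("WWW-Authenticate", "Basic realm=\"" + REALM + "\"");
            resp.sendError(HttpServletResponse.SC_UNAUTHORIZED);
            return;
        }
        resp.setContentType("application/xml");
        resp.getWriter().write("<ok/>"); // placeholder for the data-source fetch
    }

    /** Returns {user, password}, or null if the header is absent or malformed. */
    static String[] parseBasic(String header) {
        if (header == null || !header.regionMatches(true, 0, "Basic ", 0, 6)) return null;
        try {
            byte[] raw = Base64.getDecoder().decode(header.substring(6).trim());
            String pair = new String(raw, StandardCharsets.UTF_8);
            int colon = pair.indexOf(':'); // split on the first ':'; the password may contain more
            if (colon < 0) return null;
            return new String[] { pair.substring(0, colon), pair.substring(colon + 1) };
        } catch (IllegalArgumentException e) {
            return null; // not valid Base64
        }
    }

    /** Hypothetical ACL with constructed sample values; replace with the real data-source check. */
    static boolean aclAllows(String user, String password, String resource) {
        byte[] expected = "constructed-sample-password".getBytes(StandardCharsets.UTF_8);
        byte[] given = password.getBytes(StandardCharsets.UTF_8);
        // Constant-time comparison avoids leaking how many leading bytes matched.
        return "alice".equals(user) && "/abc.xml".equals(resource)
                && MessageDigest.isEqual(expected, given);
    }
}
```

Basic credentials are only Base64-encoded, so this servlet should be reachable over HTTPS only.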
