In Tomcat, "Realm" has such a definition: A Realm is a "database" of usernames and passwords that identify valid users of a web application (or set of web applications), plus an enumeration of the list of roles associated with each valid user. This is exactly what a UserManager should do.
I guess the reason why we use "Realm" here is that at the beginning of the web, Realm was used to contain authorization & authentication together, just like the MemoryRealm in Tomcat. With time, other things were removed from Realm gradually. Actually, a realm should be a group of resources & the actions that can be performed on it. Users will be prompted with such information: "In order to allow you to access the realm: xxxxx, please provide us your identity." The user can choose to provide a certificate or a username & password pair, whichever is right. At the beginning of the web, only username & password was used.

Apache is still using "Realm" in its right meaning:

Realms: Areas of Controlled Access
In terms of voluntary control mechanisms on the Web, each protected area, whether it be a single document or an entire server, is called a realm. When a server challenges a client for credentials, it provides the name of the realm so the client can figure out which credentials to send.

Realm should return to its true meaning: a group of resources, like SecurityConstraint in Tomcat. We need to separate UserManager from Realm.
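The realm-driven credential selection the Apache text above describes, shown as an added example that is not code from the original post, from Tomcat or from Apache: the client parses the WWW-Authenticate challenge and uses the realm name to decide which credentials to send. The host, realm names and credentials are constructed for the example.

```python
import base64
import re

# Constructed credential store keyed by (host, realm). The realm named in the
# server's challenge is what lets the client pick the right entry; the values
# below are made up for this example.
CREDENTIALS = {
    ("www.example.com", "Admin Area"): ("alice", "s3cret"),
    ("www.example.com", "Reports"): ("bob", "hunter2"),
}

# auth-param: token "=" ( token | quoted-string )
_PARAM_RE = re.compile(r'(\w+)\s*=\s*(?:"([^"]*)"|([^\s,]+))')


def parse_challenges(header):
    """Parse a WWW-Authenticate value into [(scheme, {param: value}), ...].

    Challenges are separated by a comma followed by '<scheme> <param>='; a
    comma followed directly by 'param=' stays inside the current challenge.
    (Commas inside quoted realm names are not handled by this simple splitter.)
    """
    challenges = []
    for part in re.split(r',\s*(?=\w+\s+\w+=)', header):
        scheme, _, params = part.strip().partition(" ")
        params = {m.group(1).lower(): m.group(2) if m.group(2) is not None else m.group(3)
                  for m in _PARAM_RE.finditer(params)}
        challenges.append((scheme, params))
    return challenges


def choose_authorization(host, www_authenticate):
    """Return an Authorization header value for the first Basic challenge whose
    realm we hold credentials for on this host, or None if no realm matches.

    Credentials are never sent for a realm we have no entry for: the realm is
    the unit of access control, so it must also be the unit of credential scope.
    """
    for scheme, params in parse_challenges(www_authenticate):
        if scheme.lower() != "basic":
            continue
        creds = CREDENTIALS.get((host, params.get("realm", "")))
        if creds is None:
            continue
        user, password = creds
        token = base64.b64encode(f"{user}:{password}".encode()).decode()
        return f"Basic {token}"
    return None
```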