In this case - I would not use a realm. I would use a few filters.
1) One that checks for the WWW-Authenticate headers to ensure you are logged in and sets request.getRemoteUser() and overrides request.isUserInRole() accordingly (via a HttpServletRequestWrapper). If not logged in - it will return a 40? response header requesting authentication.
2) An authorization filter - Now that the user is logged in - can they perform the given action? This would do the equivalent of your realm functionality.
Using security constraints as stated in the servlet specs might not be accommodating to your requirements below.
-Tim

Johan Haleby wrote:

Hi!

I've implemented a simple custom realm that I use in Tomcat 5.0.28. But instead of doing the authentication in the authenticate method in my realm I'd like the actual authentication to be conducted by another servlet that takes username and password as parameters. So basically what I'd like to do is just to pass the username and password entered by the user when the "login popup window" (http basic authentication) pops up to the authentication servlet by redirecting the user to that URL with those parameters. My realm should always accept the username/password since the actual authentication takes place somewhere else.

Is this possible, and in that case where do I start?

Thanks in advance,
Johan