Hi, I'm stuck in a security authentication/authorization issue, which I hope you have some advice for me on.

In simple words, I want to use the Web container security (for authorization) together with my own JAAS implementation (for authentication). How to achieve this? I don't want to use the BASIC, FORM, CLIENT-CERT etc. auth-methods. I want to bypass these and hit my JAAS login module. The reason is that we collect user information in a different way, by an exchange with the user in a front filter. I can't get this to work, even though I have configured my loginmodule, user, role and configured the JAASRealm in Tomcat. This is how I want to do it (in theory):

1. User enters a URL (e.g. /mycontext/cars/).
2. The SecFilter gets triggered, which ends by exchanging user information.
3. The MyLoginModule gets called with user information.
4. User is looked up and gets assigned User/Role Principals.
5. Login is OK.
6. Now the web container security can take place and checks in web.xml if this user is-in-role to call the /cars URL.

I've searched the entire web but could not see any good article about this. Am I the only one who wants to bypass the auth-methods but still can provide good authentication and "standard" web-authorization? (I've seen some work-arounds such as: http://www.kopz.org/public/documents/tomcat/jaasintomcat.html but this is a work-around, which I don't like.)

Please advise. Thank you for reading, and sorry for the long email.
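Added illustration, not from the original post or any project, of steps 3 to 5 (the LoginModule side only): a JAAS LoginModule that receives the user name handed over by the front filter through a NameCallback, looks it up in a constructed in-memory table, and adds distinct user and role principal classes that Tomcat's JAASRealm can be pointed at via its userClassNames and roleClassNames attributes. The class, principal and user names are assumptions (Java 16+ for records); it does not address how the filter bypasses the container's auth-method, which the post leaves open.

```java
import java.io.IOException;
import java.security.Principal;
import java.util.Map;
import javax.security.auth.Subject;
import javax.security.auth.callback.*;
import javax.security.auth.login.*;
import javax.security.auth.spi.LoginModule;

public class MyLoginModule implements LoginModule {
    // Constructed sample user table (user -> roles); a real module would query a directory or DB.
    private static final Map<String, String[]> USERS = Map.of(
        "alice", new String[] {"driver", "manager"},
        "bob",   new String[] {"driver"});
    private Subject subject;
    private CallbackHandler handler;
    private String userName;
    private String[] roles;

    @Override public void initialize(Subject subject, CallbackHandler handler,
                                     Map<String, ?> sharedState, Map<String, ?> options) {
        this.subject = subject;
        this.handler = handler;
    }
    // Steps 3 and 4: obtain the user name the front filter collected and look it up.
    @Override public boolean login() throws LoginException {
        NameCallback nc = new NameCallback("user: ");
        try {
            handler.handle(new Callback[] {nc});
        } catch (IOException | UnsupportedCallbackException e) {
            throw new LoginException("cannot obtain user name: " + e.getMessage());
        }
        if (nc.getName() == null || !USERS.containsKey(nc.getName())) {
            throw new FailedLoginException("unknown user"); // deny unless explicitly known
        }
        userName = nc.getName();
        roles = USERS.get(userName);
        return true;
    }
    // Step 5: attach principals; JAASRealm picks them up via userClassNames / roleClassNames.
    @Override public boolean commit() {
        if (userName == null) return false; // login() did not succeed for this module
        subject.getPrincipals().add(new UserPrincipal(userName));
        for (String r : roles) subject.getPrincipals().add(new RolePrincipal(r));
        return true;
    }
    @Override public boolean abort() { userName = null; roles = null; return true; }
    @Override public boolean logout() { subject.getPrincipals().clear(); return true; }
    public record UserPrincipal(String name) implements Principal { public String getName() { return name; } }
    public record RolePrincipal(String name) implements Principal { public String getName() { return name; } }
}
```

The realm then needs userClassNames set to MyLoginModule$UserPrincipal and roleClassNames to MyLoginModule$RolePrincipal so the container's is-in-role check in step 6 sees the roles this module committed.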