Hi All,

The current JAAS based authentication in Tomcat (6.0.2) has no means of manipulating the associated credentials. This prevents an application from specifying more complex security policies. For example, timing out the roles independent of the session timeout.

A very simple fix would be to make the subject object accessible from the session object. One could then, for example, use a valve to enforce custom security policies. Though not part of the servlet specification (from what I can tell), are there any strong reasons for not supporting this feature?

Thanks much,
Shivaraj

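The kind of valve the post has in mind, written as an added example rather than code from the poster or from Tomcat. It assumes the Tomcat 6 Catalina API (`org.apache.catalina.Session`, `org.apache.catalina.valves.ValveBase`, `org.apache.catalina.connector.Request`) and that the valve is declared in the context's `context.xml` with a hypothetical `maxAge` attribute, e.g. `<Valve className="example.CredentialExpiryValve" maxAge="900000"/>`. The class name, package, note name and default expiry are all invented for illustration. Because the JAAS `Subject` is not reachable from the session (the gap the post describes), the valve can only work at the `Principal` level: it records when it first sees a cached principal and, once that principal is older than `maxAge`, clears it from the session so the authenticator re-challenges on the next protected request, independently of the HttpSession inactivity timeout.

```java
package example; // hypothetical package, not part of Tomcat

import java.io.IOException;
import java.security.Principal;

import javax.servlet.ServletException;

import org.apache.catalina.Session;
import org.apache.catalina.connector.Request;
import org.apache.catalina.connector.Response;
import org.apache.catalina.valves.ValveBase;

/**
 * Example valve (not Tomcat code): expires the authenticated principal cached in the
 * Catalina session after a fixed period, independently of the HttpSession inactivity
 * timeout. Once the principal is removed, AuthenticatorBase no longer finds a cached
 * login and re-challenges the client on the next protected request.
 */
public class CredentialExpiryValve extends ValveBase {

    /** Session note under which this valve records when it first observed the principal. */
    private static final String AUTH_TIME_NOTE = "example.credentialExpiry.authTime";

    /** Maximum credential age in milliseconds; default 15 minutes (assumed value). */
    private long maxAge = 15 * 60 * 1000L;

    /** Setter used by the Catalina digester for the maxAge attribute in context.xml. */
    public void setMaxAge(long maxAgeMillis) {
        this.maxAge = maxAgeMillis;
    }

    public long getMaxAge() {
        return maxAge;
    }

    public void invoke(Request request, Response response)
            throws IOException, ServletException {
        // Valves declared in context.xml run before the authenticator valve, so the
        // request carries no principal yet. The cached login lives in the Catalina
        // session, which is also where AuthenticatorBase looks for it.
        Session session = request.getSessionInternal(false);
        if (session != null) {
            Principal principal = session.getPrincipal();
            if (principal != null) {
                Object note = session.getNote(AUTH_TIME_NOTE);
                long now = System.currentTimeMillis();
                if (!(note instanceof Long)) {
                    // First request seen with a cached principal: treat it as the login
                    // time. This is within one request of the actual authentication.
                    session.setNote(AUTH_TIME_NOTE, Long.valueOf(now));
                } else if (now - ((Long) note).longValue() > maxAge) {
                    // Credentials are older than maxAge: drop the cached principal and
                    // auth type so the authenticator must re-authenticate the client.
                    // The roles go with the principal; the HttpSession itself, and any
                    // application state in it, is left intact.
                    session.setPrincipal(null);
                    session.setAuthType(null);
                    session.removeNote(AUTH_TIME_NOTE);
                    request.setUserPrincipal(null);
                    request.setAuthType(null);
                }
            }
        }
        getNext().invoke(request, response);
    }
}
```

What this valve cannot do is call `LoginContext.logout()` or inspect the `Subject`'s credentials to decide when they should expire: neither is exposed through the session, so the policy has to be expressed in terms of wall-clock age of the cached `Principal`. That limitation is exactly the one the post is asking to have lifted.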