Hi Craig,

Thanks for your comments again.

> You're right ... there is nothing there to do this. The original
> design was based on the idea that Realm simply encapsulates a
> service that authenticates a user, given a username and some
> credentials. In addition, it needs to work even when HTTP sessions
> are not in use (for example, for BASIC authentication).
>
> One strategy for dealing with this might be to register a session
> event listener and register your session in the sessionCreated()
> event handler.

I like the realm and general design in TC4, it's much better and cleaner than 3.2. However, I think there is something missing in the realm interface authenticate methods, particularly for form login:

If you modify a login form to include a field other than j_username and j_password so the user can select some kind of 'post login preferences', it is not possible to get this extra field to the realm.

We use JAAS for authentication. JAAS allows this, and one of the login modules authenticates against our EJB user repository and loads user preferences (groups/roles etc); one feature the user can select is their preferred role set for the session.

I don't think the event listener will work for our use following login, so it seems the following is how I can achieve what I want: replace the org.apache.catalina.authenticator.FormAuthenticator with my own FormAuthenticator class by modifying the Authenticators.properties, and extend the realm interface to pass either a map of http request parameters, or in fact the http request itself. My realm can then do what it wants.

What about passing the Request object as a parameter to the Realm interface authenticate() methods for the 4.1 release? And how about having only a JAAS realm in standard Tomcat and just providing different login modules for jdbc/jndi/other access? JAAS would of course tie Tomcat to JDK1.3+; is there a minimum for Tomcat 4?

BTW, I saw you offered your BOF slides to someone, are they available?

Rgds
Antony
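The mechanism described above (an extra login-form field carried through JAAS so a login module can narrow the user's role set for the session), as an added illustration that is neither part of this thread nor Tomcat's own code: the login module below only needs the form's parameter map, which is what a custom FormAuthenticator would hand it. The field name `j_roles`, the class names, the in-memory user table standing in for the EJB repository, and the modern Java syntax (generics, multi-catch) are all my assumptions; the JAAS interfaces (`LoginModule`, `CallbackHandler`, `NameCallback`, `PasswordCallback`) are the standard ones. The security point is in `login()`: a requested role is honoured only if the repository already grants it, so the form field can restrict privileges but never add them.

```java
import java.io.IOException;
import java.security.Principal;
import java.util.*;
import javax.security.auth.Subject;
import javax.security.auth.callback.*;
import javax.security.auth.login.LoginException;
import javax.security.auth.spi.LoginModule;

/** Carries the extra form field (preferred roles) to the login module. Assumed class, not JAAS's. */
class PreferredRolesCallback implements Callback {
    private String[] roles = new String[0];
    public String[] getRoles() { return roles; }
    public void setRoles(String[] r) { roles = (r == null) ? new String[0] : r; }
}

/** Adapts a request parameter map (same shape as ServletRequest.getParameterMap()) to JAAS callbacks. */
class FormParameterCallbackHandler implements CallbackHandler {
    private final Map<String, String[]> params;
    FormParameterCallbackHandler(Map<String, String[]> params) { this.params = params; }
    private String first(String name) {
        String[] v = params.get(name);
        return (v == null || v.length == 0) ? null : v[0];
    }
    public void handle(Callback[] callbacks) throws IOException, UnsupportedCallbackException {
        for (Callback cb : callbacks) {
            if (cb instanceof NameCallback) {
                ((NameCallback) cb).setName(first("j_username"));
            } else if (cb instanceof PasswordCallback) {
                String pw = first("j_password");
                ((PasswordCallback) cb).setPassword(pw == null ? null : pw.toCharArray());
            } else if (cb instanceof PreferredRolesCallback) {
                ((PreferredRolesCallback) cb).setRoles(params.get("j_roles")); // assumed field name
            } else {
                throw new UnsupportedCallbackException(cb);
            }
        }
    }
}

/** Minimal Principal used for the user name and for each role granted to the session. */
class SimplePrincipal implements Principal {
    private final String name;
    SimplePrincipal(String name) { this.name = name; }
    public String getName() { return name; }
    public String toString() { return name; }
}

/** Authenticates, then narrows the stored role set to the roles the user asked for. */
public class PreferredRoleLoginModule implements LoginModule {
    // Constructed stand-in for the EJB user repository: user -> {password, granted roles...}
    private static final Map<String, String[]> USERS = new HashMap<>();
    static { USERS.put("antony", new String[] {"secret", "admin", "editor", "viewer"}); }

    private Subject subject;
    private CallbackHandler handler;
    private String user;
    private Set<String> sessionRoles = new HashSet<>();
    private boolean succeeded;

    public void initialize(Subject subject, CallbackHandler handler,
                           Map<String, ?> sharedState, Map<String, ?> options) {
        this.subject = subject;
        this.handler = handler;
    }

    public boolean login() throws LoginException {
        NameCallback nc = new NameCallback("user: ");
        PasswordCallback pc = new PasswordCallback("password: ", false);
        PreferredRolesCallback rc = new PreferredRolesCallback();
        try {
            handler.handle(new Callback[] {nc, pc, rc});
        } catch (IOException | UnsupportedCallbackException e) {
            throw new LoginException("callback failed: " + e);
        }
        String[] record = USERS.get(nc.getName());
        char[] pw = pc.getPassword();
        pc.clearPassword();
        if (record == null || pw == null || !Arrays.equals(record[0].toCharArray(), pw)) {
            throw new LoginException("bad credentials");
        }
        // Requested roles may only shrink the granted set; unknown or ungranted requests are dropped.
        Set<String> granted = new HashSet<>(Arrays.asList(record).subList(1, record.length));
        Set<String> wanted = new HashSet<>(Arrays.asList(rc.getRoles()));
        sessionRoles = wanted.isEmpty() ? granted : wanted;
        sessionRoles.retainAll(granted);
        user = nc.getName();
        succeeded = true;
        return true;
    }

    public boolean commit() {
        if (!succeeded) return false;
        subject.getPrincipals().add(new SimplePrincipal(user));
        for (String r : sessionRoles) subject.getPrincipals().add(new SimplePrincipal(r));
        return true;
    }
    public boolean abort() { succeeded = false; sessionRoles.clear(); return true; }
    public boolean logout() { subject.getPrincipals().clear(); sessionRoles.clear(); return true; }

    public static void main(String[] args) throws LoginException {
        Map<String, String[]> form = new HashMap<>();   // constructed form submission
        form.put("j_username", new String[] {"antony"});
        form.put("j_password", new String[] {"secret"});
        form.put("j_roles", new String[] {"editor", "superuser"}); // "superuser" is not granted
        Subject s = new Subject();
        PreferredRoleLoginModule m = new PreferredRoleLoginModule();
        m.initialize(s, new FormParameterCallbackHandler(form), new HashMap<>(), new HashMap<>());
        m.login();
        m.commit();
        System.out.println(s.getPrincipals());
    }
}
```

Running `main` yields principals for `antony` and `editor` only: `superuser` is discarded because the repository never granted it, and `admin`/`viewer` are dropped because the user chose not to carry them into this session. Wiring this into Tomcat would be done by the replacement FormAuthenticator building the parameter map from the request and passing it to the realm, which is exactly the interface change the message proposes.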