Hi Craig,

Thanks a lot for the answer. I have a few follow-up questions though.

> >
> > 1. Modify the realm programmatically, that is add users, remove users, add
> > roles, etc.
>
> This one is easy ... simply update the database.  For example, adding a new row
> in the users table makes that user instantly able to log in.

Sun defines methods like addUser and addRole to the Realm class they
implement for the J2EE petstore application. I thought that the Tomcat Realm
class was similar to that one but looking at the source code I can see that
those methods do not exist. They do exist in the SimpleRealm sample file.

>
> You can do these updates either through a web-based administration application
> that you might write, or through external applications or SQL scripts.
>
> >
> > 2. Tell tomcat that user x should be logged into the application. I would
> > like to automatically log some users based on a cookie.
> >
>
> This one is not easy ... you would need to modify Tomcat to make it possible.
>

I was looking into the source code and the file SecurityTools checks for
user and password reading two attributes from the session: j_username and
j_password. The comments in the source code say:
"It is possible for a servlet to set the attibutes and bypass the security
checking - but that's ok, since everything happens inside a web application
and all servlets are in the same domain". I have not tried it yet though.

Regards
Hector
