You got it: Authenticator is called before Filter. If you want to get in before the Authenticator is called, then you need to use the (Tomcat-specific, and totally non-portable) Valve.
"Oliver Wulff" <[EMAIL PROTECTED]> wrote in message news:[EMAIL PROTECTED] I wrote a custom HttpServletRequestWrapper and a filter. I've overriden the method getUserPrincipal() and isUserInRole(). The second one just returns true back (for test purposes). Now, I have a problem if I define a <security-constraint> in the web.xml. I get the following error if I try to access a secured servlet (filter is activ): Configuration error: Cannot perform access control without an authenticated principal I guess I have to write a custom realm for authorization purposes (which roles the user belongs to). But Tomcat has to authenticate the user which is already authenticated by Apache. The returned principal by getUserPrincipal() is the authenticated user. Is the authenticator called before the filter? Hope you can help me... ******************* BITTE BEACHTEN ******************* Diese Nachricht (wie auch allfällige Anhänge dazu) beinhaltet möglicherweise vertrauliche oder gesetzlich geschützte Daten oder Informationen. Zum Empfang derselben ist (sind) ausschliesslich die genannte(n) Person(en) bestimmt. Falls Sie diese Nachricht irrtümlicherweise erreicht hat, sind Sie höflich gebeten, diese unter Ausschluss jeder Reproduktion zu zerstören und die absendende Person umgehend zu benachrichtigen. Vielen Dank für Ihre Hilfe. = --------------------------------------------------------------------- To unsubscribe, e-mail: [EMAIL PROTECTED] For additional commands, e-mail: [EMAIL PROTECTED]