It's Tomcat-specific (and, so, non-portable to other servlet containers), but yes, Valves are called before Authenticators.

"Ralph Einfeldt" <[EMAIL PROTECTED]> wrote in message news:[EMAIL PROTECTED]

From the code in catalina/src/share/org/apache/catalina/authenticator/BasicAuthenticator.java

    Principal principal =
        ((HttpServletRequest) request.getRequest()).getUserPrincipal();
    if (principal != null) {
        if (debug >= 1)
            log("Already authenticated '" + principal.getName() + "'");
        return (true);
    }

it looks like you shouldn't need a Realm if getUserPrincipal() returns a Principal.

The problem is that the security constraints are evaluated before the filter. So I guess that you may have to implement what you want to achieve with the constraints on your own. (Or you have to configure Apache to do it, and this way omit the constraints from Tomcat.)

One Tomcat-specific way to come around that may be a Valve. (It is called before any filter, but I don't know if it is called before the evaluation of the constraints.)

> -----Original Message-----
> From: Oliver Wulff [mailto:[EMAIL PROTECTED]
> Sent: Wednesday, April 02, 2003 11:51 PM
> To: Tomcat Users List
> Subject: Antwort: RE: Antwort: RE: Antwort: RE: user principal, realm
>
> I wrote a custom HttpServletRequestWrapper and a filter. I've
> overridden the method getUserPrincipal() and isUserInRole(). The
> second one just returns true back (for test purposes).
> Now, I have a problem if I define a <security-constraint> in the
> web.xml. I get the following error if I try to access a secured
> servlet (filter is active):
> Configuration error: Cannot perform access control without an
> authenticated principal
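
The Valve approach discussed in this thread, as an added example that is not part of the original messages or of Tomcat's own code: a Valve that sets the user principal before the authenticator runs, accepting the identity only from a trusted front-end proxy. It assumes the Tomcat 9 API (javax.servlet); the header name, proxy address, role and class name are hypothetical.

```java
// Added example, not from the thread. Assumes Tomcat 9 (javax.servlet API).
import java.io.IOException;
import java.util.Arrays;
import java.util.List;
import javax.servlet.ServletException;
import javax.servlet.http.HttpServletResponse;
import org.apache.catalina.connector.Request;
import org.apache.catalina.connector.Response;
import org.apache.catalina.realm.GenericPrincipal;
import org.apache.catalina.valves.ValveBase;

public class PreAuthenticatedUserValve extends ValveBase {
    // Hypothetical header the front-end proxy sets after authenticating the user.
    private static final String USER_HEADER = "X-Authenticated-User";
    // Constructed sample value: the only peer allowed to assert an identity.
    private String trustedProxy = "127.0.0.1";
    // Constructed sample role given to every pre-authenticated user.
    private List<String> roles = Arrays.asList("user");

    // Bean setters so both values can be set as attributes of the <Valve> element.
    public void setTrustedProxy(String trustedProxy) {
        this.trustedProxy = trustedProxy;
    }

    public void setRoles(String csv) {
        this.roles = Arrays.asList(csv.trim().split("\\s*,\\s*"));
    }

    @Override
    public void invoke(Request request, Response response)
            throws IOException, ServletException {
        String user = request.getHeader(USER_HEADER);
        if (user != null && !user.isEmpty()) {
            // An identity header from any other peer is client-controlled
            // input, so the request is refused instead of being trusted.
            if (!trustedProxy.equals(request.getRemoteAddr())) {
                response.sendError(HttpServletResponse.SC_FORBIDDEN);
                return;
            }
            // GenericPrincipal carries the roles that the Realm's role check
            // reads when it evaluates a <security-constraint>.
            request.setUserPrincipal(new GenericPrincipal(user, null, roles));
        }
        // With a principal already on the request, the authenticator's
        // "already authenticated" check passes without a login challenge.
        getNext().invoke(request, response);
    }
}
```

The class is registered with a `<Valve className="..."/>` element inside the `<Context>`. Requests that arrive without the header fall through to the normal authenticator.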