Kristian,

> However, following this approach I cannot use container-based
> authentication as the DBMS user management repository is not easily
> accessible via such a configuration but there are Java classes to
> authenticate the user using an API which to be called from another Java
> class, a servlet, ...

One option is to create your own Realm implementation and use that for authentication. I think you can pretty much use any authentication mechanism that you want (including the existing Java classes you mention that are available). It's a relatively simple interface that you have to implement that basically takes a username and password and returns a Principal object. You'll have to install your new class into Tomcat (i.e. it can't just go into WEB-INF/classes) because Tomcat needs direct access to that class before your webapp is initialized.

If this solution doesn't seem to meet your needs, you can try looking at the securityfilter project (http://securityfilter.sourceforge.net/). I have used this filter for doing authentication and authorization. It can be used as a drop-in replacement for Tomcat's built-in authentication, and you can configure your own authenticator that does anything it wants. For example, I created an authenticator that logs failed logins as well as recording the IP address of the offending remote host. This last part is not possible (that I know of) using the Tomcat Realm strategy.

-chris
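
The contract described in the message above (username and password in, a Principal out, failed logins logged with the remote host's address), as an added example that is not part of the original message and is neither Tomcat's Realm API nor securityfilter's own interface. `DbmsAuthApi`, `LoggingAuthenticator`, and the sample account and addresses are hypothetical; the caller (for example a filter) is assumed to pass in the request's remote address.

```java
import java.security.Principal;
import java.util.Arrays;
import java.util.logging.Logger;

public class LoggingAuthenticator {
    /** Hypothetical stand-in for the existing DBMS authentication classes. */
    interface DbmsAuthApi {
        boolean checkCredentials(String username, char[] password);
    }

    private static final Logger LOG = Logger.getLogger("auth.failures");
    private final DbmsAuthApi api;

    LoggingAuthenticator(DbmsAuthApi api) { this.api = api; }

    /** Returns a Principal on success and null on any failure. */
    Principal authenticate(String username, char[] password, String remoteAddr) {
        boolean ok = false;
        try {
            ok = username != null && password != null
                    && api.checkCredentials(username, password);
        } catch (RuntimeException e) {
            // Fail closed: a backend error counts as a failed login.
            LOG.warning("auth backend error: " + e.getClass().getName());
        }
        if (!ok) {
            // Record who and from where, never the submitted password.
            LOG.warning("failed login user=\"" + sanitize(username)
                    + "\" remote=" + sanitize(remoteAddr));
            return null;
        }
        return new Principal() { @Override public String getName() { return username; } };
    }

    /** Neutralise control characters and quotes so a username cannot forge log lines. */
    static String sanitize(String s) {
        if (s == null) return "<none>";
        String cleaned = s.replaceAll("[\\p{Cntrl}\"]", "_");
        return cleaned.length() > 64 ? cleaned.substring(0, 64) : cleaned;
    }

    public static void main(String[] args) {
        // Constructed sample backend and inputs: one fixed account, documentation IPs.
        DbmsAuthApi fake = (u, p) -> u.equals("kristian") && Arrays.equals(p, "s3cret".toCharArray());
        LoggingAuthenticator auth = new LoggingAuthenticator(fake);
        System.out.println(auth.authenticate("kristian", "s3cret".toCharArray(), "192.0.2.10") != null);
        System.out.println(auth.authenticate("bob\nfake entry", "x".toCharArray(), "192.0.2.66") != null);
    }
}
```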