Well, subclassing FormAuthenticator would be a hack, a Tomcat-only-solution and inho a bad one.
therefore, take a look at JAASRealm and try to combine it with your existing login-procedure, meaning - Implement a JAASRealm - get the credentials from there (user, password) - do the JAAS-Authentication via Tomcat - if ok, call your stored procedure - if that returns ok, fine, otherwise invalidate the Session and react accordingly That's just a rough schema, but it's a start to give you one or two thoughts. BTW.m JAAS is not Tomcat-specific since JAAS is a Java-API which all servlet-containers implement (at least all the important ones, afaik): http://en.wikipedia.org/wiki/Java_Authentication_and_Authorization_Service hth gregor -- what's puzzlin' you, is the nature of my game gpgp-fp: 79A84FA526807026795E4209D3B3FE028B3170B2 gpgp-key available @ http://pgpkeys.pca.dfn.de:11371 --------------------------------------------------------------------- To start a new topic, e-mail: users@tomcat.apache.org To unsubscribe, e-mail: [EMAIL PROTECTED] For additional commands, e-mail: [EMAIL PROTECTED]