Christopher,

2007/10/10, Christopher Schultz <[EMAIL PROTECTED]>:
> Tomcat's built-in A&A requires that an unauthenticated user request a
> protected resource (protected by a <security-constraint>). When this
> happens, Tomcat intercepts the request internally and issues the
> appropriate login request (HTTP AUTH, FORM, etc.). Upon successful
> authentication, Tomcat re-processes the original request.
>
> Tomcat authorization is done separately, though probably by the same
> component (Valve). [...]
>
> Don't worry: authentication is really easy. Authorization isn't that
> bad, either, especially since you will probably only have a single
> servlet that needs protecting. The problem with these things is usually
> making sure you didn't miss anything (like leaving a swath of URIs
> unprotected).
>
> Feel free to look at Tomcat's Realm implementations for coding
> inspiration.

So implementing an internal server component (probably a valve) is the only
solution, right? And is this a container-independent solution?

Thanks,
S. Vadishev.
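
The quoted concern about leaving a swath of URIs unprotected can be checked mechanically. The following is an added example, not part of the original thread and not Tomcat code: it reads the `<security-constraint>` entries of a `web.xml` and reports which request paths would be served without a login. The descriptor, the paths and all function names are constructed for illustration; HTTP-method restrictions and merging of several constraints on the same pattern are ignored.

```python
import xml.etree.ElementTree as ET

# Constructed sample deployment descriptor (not from the thread).
WEB_XML = """<web-app>
  <security-constraint>
    <web-resource-collection>
      <web-resource-name>admin</web-resource-name>
      <url-pattern>/admin/*</url-pattern>
      <url-pattern>*.report</url-pattern>
    </web-resource-collection>
    <auth-constraint><role-name>manager</role-name></auth-constraint>
  </security-constraint>
  <security-constraint>
    <web-resource-collection>
      <web-resource-name>public help</web-resource-name>
      <url-pattern>/admin/help/*</url-pattern>
    </web-resource-collection>
  </security-constraint>
</web-app>"""

def load_constraints(xml_text):
    """Return {url-pattern: set of roles, or None when no <auth-constraint>}."""
    root = ET.fromstring(xml_text)
    for el in root.iter():                      # drop any XML namespace prefix
        el.tag = el.tag.split('}')[-1]
    rules = {}
    for sc in root.iter('security-constraint'):
        auth = sc.find('auth-constraint')
        roles = None if auth is None else {r.text.strip() for r in auth.iter('role-name')}
        for pat in sc.iter('url-pattern'):
            rules[pat.text.strip()] = roles
    return rules

def match(path, rules):
    """Servlet-spec best match: exact, longest path prefix, extension, default."""
    if path in rules:
        return path
    prefixes = [p for p in rules if p.endswith('/*')
                and (path == p[:-2] or path.startswith(p[:-1]))]
    if prefixes:
        return max(prefixes, key=len)
    ext = '*.' + path.rsplit('.', 1)[-1] if '.' in path.rsplit('/', 1)[-1] else None
    if ext in rules:
        return ext
    return '/' if '/' in rules else None

def unprotected(paths, rules):
    """Paths the container would serve without triggering a login."""
    return [p for p in paths if (m := match(p, rules)) is None or rules[m] is None]
```

Because the best-matching pattern wins, the more specific `/admin/help/*` constraint without an `<auth-constraint>` opens that subtree even though `/admin/*` is protected.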