I have an issue with finding a proper custom authentication mechanism with
Tomcat (6.x). Currently I have a Tomcat 6.0.20 setup with the standard
org.apache.catalina.realm.JAASRealm.

The HTTP header is populated on an outside authentication server, so the user
is considered already authenticated when he reaches Tomcat.

I have my own callback handler class which takes the name of the user and a
list of roles of the user from the incoming HTTP header and populates the
subject structure with a UserPrincipal and some RolePrincipals; this works
fine. My goal is to use declarative JAAS authorization in Tomcat.

But I am looking for how to get Tomcat to understand that the
authentication mechanism is not to open a userid/pwd box (using login-config
as BASIC etc.) but instead to simply accept what is coming in the header as
populated in the subject structure. I can have my LoginModule itself
accept the subject structure, but something is missing, as I don't know how
to work around the login-config as BASIC etc. etc.

I may not be on the correct track, but my research points to
NonLoginAuthenticator, which extends the same class, AuthenticatorBase, as
BasicAuthenticator, DigestAuthenticator, and FormAuthenticator. But I cannot
find the 'hook' for using NonLoginAuthenticator instead, if I am on the
correct track...

Johan
