0 Replies Latest reply on Mar 16, 2005 4:41 AM by tiputini

    Multiple authentication methods

    tiputini

      Hi all,

      We would really like to receive some advice on our current issue. We
      tried to solve it in some ways but we still have issues.

      We have an application that uses JAAS to authenticate users on our web
      app and EJB beans. Users can enter both through basic authentication
      (always passed from the client, no popup needed) and through an
      'alien' sessionID in the request that is checked against a self-written API
      that can return a principal username for a sessionID. When a user uses
      the sessionID, no BASIC authentication should be done.

      We've implemented this using a LoginModule to authenticate users who
      enter with BASIC authentication, and a Valve to 'authenticate' users
      before any BASIC authentication is done (so effectively bypassing it).

      This seems to work for the webapp (tomcat), that seems to pick up
      the principal set by the valve just fine. The EJB beans however, do not
      'like' this; they cannot detect that a principal has been set.

      The principal-set routine in the valve looks like this (code snippet):

      // Runs inside the Valve's invoke(): 'request' is the Catalina request,
      // 'principal' is the Principal the valve resolved for it (null when none).
      ((HttpRequest) request).setUserPrincipal(principal);
      if (principal != null) {
          ((HttpRequest) request).setAuthorization(principal.getName());
      } else {
          ((HttpRequest) request).setAuthorization(null);
      }



      My question(s) are:

      - Is the Valve-way the way to go, or should the session-authenticate be
      moved towards a loginmodule?
      - If the latter is the case, how can we 'disable' the BASIC authentication
      popup whilst keeping BASIC authentication validation?
      - How should we implement the principal-set routine (code above) to
      propagate the principal when choosing the all-valve way? Obviously
      we're doing something wrong.
      - Any other alternatives?

      Any help/hints would be great!

      Thanks in advance

      Maarten
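
Editor's note: the following is an added example, not code from the post or from JBoss/Tomcat, showing what a Valve of the kind the post describes looks like in full against the Tomcat 5.0-era Valve API (invoke(Request, Response, ValveContext)) that JBoss 4.0 embeds. Everything beyond the Catalina API is an assumption for illustration: the 'alien' session ID is taken from a request header named X-Alien-Session, and SessionLookup stands in for the self-written sessionID-to-username API mentioned in the post. It covers only the web-tier half of the problem; the post reports that a principal attached to the request this way is not seen by the EJB tier, and nothing here changes that.

```java
import java.io.IOException;
import java.security.Principal;

import javax.servlet.ServletException;
import javax.servlet.http.HttpServletRequest;

import org.apache.catalina.HttpRequest;
import org.apache.catalina.Request;
import org.apache.catalina.Response;
import org.apache.catalina.ValveContext;
import org.apache.catalina.realm.GenericPrincipal;
import org.apache.catalina.valves.ValveBase;

/**
 * Pre-authentication Valve in the spirit of the post (Tomcat 5.0 / JBoss 4.0
 * Valve API). Assumed, not from the post: the 'alien' session ID arrives in
 * the X-Alien-Session header, and SessionLookup is the self-written API that
 * maps a session ID to a username (null when the ID is unknown).
 */
public class SessionIdValve extends ValveBase {

    /** Hypothetical shape of the self-written sessionID-to-username API. */
    public interface SessionLookup {
        String usernameFor(String sessionId);
    }

    private static final String SESSION_HEADER = "X-Alien-Session"; // assumed header name

    private SessionLookup lookup;

    /** Set by whoever wires the Valve into the container. */
    public void setLookup(SessionLookup lookup) {
        this.lookup = lookup;
    }

    public String getInfo() {
        return "SessionIdValve/1.0";
    }

    public void invoke(Request request, Response response, ValveContext context)
            throws IOException, ServletException {

        HttpRequest httpRequest = (HttpRequest) request;
        HttpServletRequest servletRequest = (HttpServletRequest) request.getRequest();

        String sessionId = servletRequest.getHeader(SESSION_HEADER);

        // No session ID (or no lookup configured): leave the request untouched
        // so the normal BASIC authenticator and its LoginModule handle it.
        if (sessionId == null || sessionId.length() == 0 || lookup == null) {
            context.invokeNext(request, response);
            return;
        }

        String username = lookup.usernameFor(sessionId);

        if (username != null) {
            // Build a container Principal against the context's Realm and attach
            // it to the request. The post reports that the web tier then accepts
            // the request without issuing a BASIC challenge.
            Principal principal = new GenericPrincipal(
                    request.getContext().getRealm(), username, null);
            httpRequest.setUserPrincipal(principal);
            httpRequest.setAuthType(HttpServletRequest.BASIC_AUTH);
        }
        // Unknown session ID: deliberately set nothing, so the request falls
        // through to BASIC authentication instead of being trusted.

        context.invokeNext(request, response);
    }
}
```

The one check worth keeping whatever the final design is the fall-through on an unknown session ID: a Valve that runs ahead of the authenticator must only ever attach a principal after the lookup succeeds, otherwise a guessed or stale ID would skip BASIC authentication entirely. The example also sets the auth type alongside the principal rather than overwriting the request's authorization string as the post's snippet does; the two are separate fields on the Catalina request.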