This issue relates to the JIRA task:
http://jira.jboss.com/jira/browse/JBAS-2283

Overview:
Tomcat has authenticators for the http auth methods - form, basic,client-cert and digest. Each of these authenticators gather the required information to establish identity - username/password, certs, digest etc. And then this information is passed to a ream configured at the context level.

The methods that are relevant are from the realm interface:
http://svn.apache.org/repos/asf/tomcat/container/tc5.5.x/catalina/src/share/org/apache/catalina/Realm.java

 public Principal authenticate(String username, String credentials);

 public Principal authenticate(String username, byte[] credentials);

 public Principal authenticate(String username, String digest,
 String nonce, String nc, String cnonce,
 String qop, String realm, String md5a2);

 public Principal authenticate(X509Certificate certs[]);

Issue 1:
As you see, for the custom header based authentication, the realm interface is inadequate. There is a need to extend this realm interface to consider the headers passed in the request for authentication and generation of a Principal.

So maybe interface methods:

 public Principal authenticate(Header[] headers)
 public Principal authenticate(Cookies[] cookies)

Issue 2:
The authenticators have to be beefed up to handle the extended Realm interface. So either we have custom authenticators or the tomcat base authenticators have to be beefed up to consider the extended realm interface.

Related JIRA issue:
http://jira.jboss.com/jira/browse/JBAS-2481

Thoughts - design feedback - pointers welcome.