0 Replies Latest reply on Jan 3, 2002 8:57 AM by moatas

    Custom Login Module for Tomcat

    moatas

      I am using JBoss 2.4.3-Tomcat 3.2.3.

      I have written a RequestInterceptor and added it to my Tomcat server.xml file as such:

      Here is the relevant info from the web.xml file:
      <!-- Every URL in the web app (/*) is restricted to callers in the "admin" role. -->
      <security-constraint>
      <web-resource-collection>
      <web-resource-name>Protected Area</web-resource-name>
      <url-pattern>/*</url-pattern>
      </web-resource-collection>
      <auth-constraint>
      <role-name>admin</role-name>
      </auth-constraint>
      <!-- NOTE(review): this fragment declares no <user-data-constraint>, so nothing
           shown here requires TLS; FORM and BASIC logins both send the password in a
           recoverable form. Confirm the transport is protected elsewhere. -->
      </security-constraint>
      <!-- FORM login; the same page serves as both the login prompt and the error page. -->
      <login-config>
      <auth-method>FORM</auth-method>
      <form-login-config>
      <form-login-page>/login.html</form-login-page>
      <form-error-page>/login.html</form-error-page>
      </form-login-config>
      </login-config>
      <!-- Alternative BASIC configuration the author also tried, left disabled. -->
      <!--
      <login-config>
      <auth-method>BASIC</auth-method>
      <realm-name>Admin</realm-name>
      </login-config>
      -->

      I have tried it with both login types, and get the same error. Here are the two relevant methods in my interceptor:
      /*
       * Checks the credentials carried by the request against one hard-coded
       * username/password pair and, on a match, marks the request as
       * authenticated (auth type, remote user, user principal).
       *
       * Always returns 0, whether or not the credentials matched.
       * NOTE(review): 0 is presumably the interceptor's "OK / continue" code;
       * confirm against the Tomcat 3.2 RequestInterceptor contract.
       *
       * The stack trace in this post shows the method being reached through
       * RequestImpl.getRemoteUser() -> ContextManager.doAuthenticate(), i.e. it
       * runs when authorize() asks the request for its remote user.
       */
      public int authenticate(Request request, Response response) {
      /* Get the username credentials from the request. We don't check
      that they are null as the security domain may consider this
      a valid indication of an unauthenticated user requesting
      anonymous access.
      NOTE(review): the comparison further down still dereferences username,
      so a request without credentials does not get through as anonymous.
      */
      log.debug("AuthType"+ request.getAuthType());
      // NOTE(review): this loop writes every request header to the debug log,
      // which would include Authorization (BASIC credentials) and Cookie
      // values if the client sent them; filter those out before logging.
      Enumeration headers = request.getHeaderNames();
      while (headers.hasMoreElements()) {
      String name = (String) headers.nextElement();
      String value = request.getHeader(name);
      log.debug("header: " + name + ","+value);
      }
      // SecurityTools.credentials presumably fills credentialMap from the
      // request; the "username" and "password" entries read back below are
      // null when the map holds no such key.
      Hashtable credentialMap = new Hashtable();
      SecurityTools.credentials(request, credentialMap);
      String username = (String) credentialMap.get("username");
      String password = (String) credentialMap.get("password");
      log.debug("username = " + username);
      // NOTE(review): writes the cleartext password to the log; drop this line
      // or log only whether a password was present.
      log.debug("password = " + password);
      // Built before the credentials are checked, so username may still be null here.
      SimplePrincipal principal = new SimplePrincipal(username);
      // Per the post, this is where the NullPointerException is thrown: username
      // is null, so username.equals(...) fails before anything is compared.
      // A constant-first test such as "moatas".equals(username) would treat
      // missing credentials as "no match" instead of throwing.
      // NOTE(review): the accepted username/password pair is hard-coded in source
      // (looks like a prototype placeholder); it should come from a credential
      // store before this is deployed anywhere real.
      if (username.equals("moatas") && password.equals("moatas")) {
      org.apache.tomcat.core.Context ctx = request.getContext();
      request.setAuthType(ctx.getAuthMethod());
      request.setRemoteUser(username);
      request.setUserPrincipal(principal);
      }
      // Returned on both the match and the no-match path; a failed login is
      // visible to the caller only as a request that still has no remote user.
      return 0;

      }

      /*
       * Decides whether the request may proceed.
       *
       * Returns 0 when the roles array is null or empty, 401 when roles are
       * required but the request has no remote user, and 0 for any request
       * that does have a remote user.
       * NOTE(review): 0 is presumably the interceptor's "OK / continue" code;
       * confirm against the Tomcat 3.2 RequestInterceptor contract.
       */
      public int authorize(Request request, Response response, String roles[]) {
          // Nothing to enforce for this resource: let the request through
          // without asking who the caller is.
          final boolean rolesRequired = roles != null && roles.length > 0;
          if (!rolesRequired) {
              return 0;
          }

          // The stack trace in this post shows getRemoteUser() leading into
          // ContextManager.doAuthenticate() and from there into authenticate().
          final String remoteUser = request.getRemoteUser();

          // NOTE(review): the contents of roles are never examined, so every
          // authenticated user is let through regardless of which roles the
          // caller passed in. The original author deferred role checks
          // deliberately; they need to be added before the "admin" constraint
          // in web.xml means anything.
          return (remoteUser == null) ? 401 : 0;
      }

      Here is the stack trace:
      java.lang.NullPointerException
      at com.genscape.prototype.security.GenscapeSecurityManagerRealm.authenticate(GenscapeSecurityManagerRealm.java:43)
      at org.apache.tomcat.core.ContextManager.doAuthenticate(ContextManager.java:852)
      at org.apache.tomcat.core.RequestImpl.getRemoteUser(RequestImpl.java:341)
      at com.genscape.prototype.security.GenscapeSecurityManagerRealm.authorize(GenscapeSecurityManagerRealm.java:59)
      at org.apache.tomcat.core.ContextManager.doAuthorize(ContextManager.java:870)
      at org.apache.tomcat.core.ContextManager.internalService(ContextManager.java:804)
      at org.apache.tomcat.core.ContextManager.service(ContextManager.java:758)
      at org.apache.tomcat.service.http.HttpConnectionHandler.processConnection(HttpConnectionHandler.java:213)
      at org.apache.tomcat.service.TcpWorkerThread.runIt(PoolTcpEndpoint.java:416)
      at org.apache.tomcat.util.ThreadPool$ControlRunnable.run(ThreadPool.java:501)
      at java.lang.Thread.run(Unknown Source)

      The NullPointerException comes from calling equals on username, which is null. AuthType is also null.

      Is this the proper way to add custom login functionality to Tomcat? I don't need any interaction with a security manager in JBoss (yet). We are only using JMX to deploy all our services in one VM.

      Jim