i just did a similar implementation of this the other day - it works quite well.
one other thing to note is that if you choose to go the valve route, you will need to deploy those classes in the "lib" directory or else tomcat will throw ClassNotFound exceptions upon startup.
As of 3_2_6_RC1 one can sepecify valves as the web deployment layer using a WEB-INF/context.xml. In such a deployment the valves should be seen from the deployment archive, but I have not tried this.
I think a Valve is more a Tomcat specific thing and it is only a internal tomcat implementation, were as a Filter should be supported by all servlet containers according to the servlet specifications.
What do you say, am i right.
Yes, and as such, a filter has limited ability to control deep behavior of the container. In particular a filter has no ability to affect the declarative security model since it runs after the security checks.
Thanks, everyone, for the replys. I like the valve, so will stick with it for the time being and try to use the context.xml.
how can i use this security valve in jboss 3.2.5?
which files must be changed?