I'm wondering how I can create/configure multi-level login on an application. What I mean by that is when someone comes to our site, a cookie is looked for and authenticated against for general use of our site. Then once they click on a more confidential section, like modifying their profile or purchasing a product on their account, they would be prompted for a password.
I've been thinking of this for quite a while now and I have a few ideas. My first idea is to have 2 login modules: one that authenticates the cookie and one that authenticates the password. Each one would set different access roles. The problem I have with that is that I don't know what needs to be developed and how to configure it.
My second idea was to create a new Valve on the Tomcat layer that catches every request and then filters them as they are passing through. I'm not sure what I would need to develop here either, so I'm not sure what is the best solution.
Does anyone have some ideas, solutions, or suggestions on how I can go about doing something like this?