How do I assign the user's role without using a login form?

Alessandro A. Garbagnati


Chapter 11 of the Servlet 2.2 specification is devoted entirely to security. The basic concept is that you can use the standard HTTP authentication schemes (i.e., basic, digest). This means that you can authenticate a user against a database (or, for example, another source) without developing HTML login forms.

For Tomcat 3.2.x there is an interesting example of a JDBC Realm.

For additional info, I strongly suggest reading Chapter 11 (Security) and Chapter 13 (Deployment Descriptor) of the Servlet 2.2 specification, which you can download from Sun.

[In the Servlet 2.3 spec, the Security chapter is now Chapter 12.

Also, there's no way to programmatically set the user (there is no request.setRemoteUser, for example), but if you need to, you can just use a session variable to let yourself know that this user is "ok."]