Hum, need to define Authorization and Authentication.
Authentication establishes Who you are.
Authorization establishes What you can do.
Any container can do Authentication using Realms and HTTP Authentication headers, and I guess minor Authorization to a specific area. However, if you have any type of complex Authorization (User can do A but not B) within that specific area, you have to handle that yourself.
If you want to establish the Authentication Headers yourself, it's relatively simple. Anything you want to protect, you first see if the Request Header "Authorization" is set. The type will tell you how this is encoded. The value of the header is <TYPE> <Encoded Value of username:password>. BASIC uses Base64 Encoding. If the header is set, you need to check the User and Password against the persistence you are using (If you are using Memory Realm, this is quite difficult. Memory Realm uses an XML file in the Server's Config directory which is difficult to get to). If you are using the JDBC Realm, you can read and compare the info from the tables.
If the user is authorized, you don't need to do anything else. If the user isn't, you need to set the response header "WWW-Authenticate"; the value of this is the Realm name you give in your web.xml for the area to be protected.
That's about it to work with Tomcat's Authorization mechanism.
To do finer-grained Authorization, you establish Roles which are permitted, so if anyone logged in can do A, nothing more is needed. To do B however, you establish a Role such as Admin and assign users who are allowed that role. Then, prior to anywhere B is performed, you check request.isUserInRole(String roleName).
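The procedure described in the answer above, carried through as an added example (this is my own illustration, not code from the original poster or from Tomcat): a servlet Filter reads the "Authorization" header, decodes the BASIC username:password value, checks it against a store, challenges with "WWW-Authenticate" when it fails, and then enforces a role before the protected action. The in-memory user and role maps, the realm name "ProtectedArea" and the "/admin" path are constructed for the example and stand in for the JDBC Realm tables and the web.xml settings; because the filter does the authentication itself rather than leaving it to the container, the role check uses its own map instead of request.isUserInRole. The example also sends a 401 status with the challenge and uses a constant-time comparison for the password, both of which the post does not mention.

```java
// Added example, not from the original post: hand-rolled BASIC authentication
// plus a role check, as described in the answer above.
import javax.servlet.Filter;
import javax.servlet.FilterChain;
import javax.servlet.FilterConfig;
import javax.servlet.ServletException;
import javax.servlet.ServletRequest;
import javax.servlet.ServletResponse;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;

import java.io.IOException;
import java.nio.charset.StandardCharsets;
import java.security.MessageDigest;
import java.util.Base64;
import java.util.Collections;
import java.util.HashMap;
import java.util.Map;
import java.util.Set;

public class BasicAuthRoleFilter implements Filter {

    // Hypothetical realm name; the real one would be the one declared in web.xml.
    private static final String REALM = "ProtectedArea";

    // Constructed sample store standing in for the JDBC Realm tables.
    // A real store would keep password hashes, not plaintext.
    private static final Map<String, String> PASSWORDS = new HashMap<>();
    private static final Map<String, Set<String>> ROLES = new HashMap<>();
    static {
        PASSWORDS.put("alice", "correct horse");
        ROLES.put("alice", Set.of("user", "admin"));
        PASSWORDS.put("bob", "battery staple");
        ROLES.put("bob", Set.of("user"));
    }

    @Override public void init(FilterConfig cfg) {}
    @Override public void destroy() {}

    @Override
    public void doFilter(ServletRequest req, ServletResponse res, FilterChain chain)
            throws IOException, ServletException {
        HttpServletRequest request = (HttpServletRequest) req;
        HttpServletResponse response = (HttpServletResponse) res;

        // Authentication: is the Authorization header present and valid?
        String header = request.getHeader("Authorization");
        String user = header == null ? null : authenticateBasic(header);
        if (user == null) {
            challenge(response);
            return;
        }

        // Authorization: anything under /admin (hypothetical path) needs the "admin" role;
        // everything else only needs a successful login.
        if (request.getRequestURI().startsWith(request.getContextPath() + "/admin")
                && !hasRole(user, "admin")) {
            // Authenticated but not permitted: 403 rather than a fresh challenge.
            response.sendError(HttpServletResponse.SC_FORBIDDEN);
            return;
        }
        chain.doFilter(req, res);
    }

    /** Returns the username if the header carries valid BASIC credentials, otherwise null. */
    static String authenticateBasic(String header) {
        String[] parts = header.trim().split("\\s+", 2);
        if (parts.length != 2 || !parts[0].equalsIgnoreCase("Basic")) {
            return null; // another scheme (Digest, Bearer, ...) or malformed
        }
        byte[] raw;
        try {
            raw = Base64.getDecoder().decode(parts[1]);
        } catch (IllegalArgumentException e) {
            return null; // not valid Base64
        }
        String decoded = new String(raw, StandardCharsets.UTF_8);
        int colon = decoded.indexOf(':');
        if (colon < 0) {
            return null; // BASIC value must be username:password
        }
        String username = decoded.substring(0, colon);
        String password = decoded.substring(colon + 1); // a password may itself contain ':'
        String expected = PASSWORDS.get(username);
        if (expected == null) {
            return null;
        }
        // Constant-time comparison so response timing does not reveal how much of the password matched.
        boolean ok = MessageDigest.isEqual(
                expected.getBytes(StandardCharsets.UTF_8),
                password.getBytes(StandardCharsets.UTF_8));
        return ok ? username : null;
    }

    static boolean hasRole(String user, String role) {
        return ROLES.getOrDefault(user, Collections.emptySet()).contains(role);
    }

    /** Ask the client for credentials: WWW-Authenticate names the scheme and realm, status is 401. */
    static void challenge(HttpServletResponse response) throws IOException {
        response.setHeader("WWW-Authenticate", "Basic realm=\"" + REALM + "\"");
        response.sendError(HttpServletResponse.SC_UNAUTHORIZED);
    }
}
```

Map the filter onto the URL pattern you want protected in web.xml (or with @WebFilter). Note that the decoded value is split on the first colon only, since RFC 7617 allows colons in the password but not in the username.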