Or you can create a custom realm that takes both bits of information.
For example, your realm can look at the user and password data as normal login information. Then, if that fails, it can use the username as your login token and decode that. If that works, then it can log them in, even without the password.
So your form login will work just like normal (pass in name and password), and your cookie login can call the programmatic API with the cookie value, and get the same result. Single realm, just overloaded a little bit. (You can always get the source for the JDBCRealm to tweak it, so it's not all from scratch...)
[Message sent by forum member 'whartung' (whartung)]
http://forums.java.net/jive/thread.jspa?messageID=262104
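
The single-realm fallback described in the post above, as an added example that is not part of the original post and not GlassFish or JDBCRealm code: the password path is tried first, then the name field is verified as a signed, expiring token, so a forged or stale cookie value cannot stand in for a password. The class name `TokenFallbackAuth`, the token layout, the password-check callback and the demo credentials are all assumptions made for illustration.

```java
import java.nio.charset.StandardCharsets;
import java.security.MessageDigest;
import java.time.Instant;
import java.util.Base64;
import java.util.function.BiPredicate;
import javax.crypto.Mac;
import javax.crypto.spec.SecretKeySpec;

// Hypothetical helper: a custom realm would call authenticate() from its own login step.
public class TokenFallbackAuth {
    private final byte[] key;                              // server-side secret, never sent to clients
    private final BiPredicate<String, String> passwordOk;  // stand-in for the JDBCRealm-style lookup
    public TokenFallbackAuth(byte[] key, BiPredicate<String, String> passwordOk) {
        this.key = key.clone(); this.passwordOk = passwordOk;
    }
    // Assumed token layout: base64url("user|expiryEpochSeconds") + "." + base64url(HMAC-SHA256)
    public String issue(String user, long ttlSeconds) throws Exception {
        byte[] p = (user + "|" + (Instant.now().getEpochSecond() + ttlSeconds)).getBytes(StandardCharsets.UTF_8);
        Base64.Encoder enc = Base64.getUrlEncoder().withoutPadding();
        return enc.encodeToString(p) + "." + enc.encodeToString(hmac(p));
    }
    // Returns the authenticated user name, or null when both the password and token paths fail.
    public String authenticate(String name, String password) {
        if (password != null && passwordOk.test(name, password)) return name;  // normal form login
        try {                                                   // fallback: treat "name" as a token
            String[] parts = name.split("\\.", -1);
            if (parts.length != 2) return null;
            byte[] p = Base64.getUrlDecoder().decode(parts[0]);
            byte[] sig = Base64.getUrlDecoder().decode(parts[1]);
            if (!MessageDigest.isEqual(hmac(p), sig)) return null;  // constant-time comparison
            String[] f = new String(p, StandardCharsets.UTF_8).split("\\|", -1);
            if (f.length != 2 || Long.parseLong(f[1]) < Instant.now().getEpochSecond()) return null;
            return f[0];                                        // identity comes from the signed payload
        } catch (Exception e) { return null; }                  // malformed token: reject
    }
    private byte[] hmac(byte[] data) throws Exception {
        Mac mac = Mac.getInstance("HmacSHA256");
        mac.init(new SecretKeySpec(key, "HmacSHA256"));
        return mac.doFinal(data);
    }
    public static void main(String[] args) throws Exception {
        TokenFallbackAuth a = new TokenFallbackAuth("constructed-demo-key".getBytes(StandardCharsets.UTF_8),
                (u, p) -> u.equals("alice") && p.equals("s3cret"));   // constructed credentials
        String t = a.issue("alice", 300);
        System.out.println(a.authenticate("alice", "s3cret") + " " + a.authenticate(t, null)
                + " " + a.authenticate(t + "x", null));   // password path, token path, tampered token
    }
}
```

Because the token path skips the password, the value accepted in the name field has to be something only the server could have produced; a reversible encoding of the user name alone would let anyone log in as any user.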