To bypass the container's authorization mechanism, you could define a property assign-groups to point to a specific group name(say ANYONE), create a role by that groupname and map the role to that group, or enable Default Prinicipal to Role Mapping. This way, all the authenticated users would be authorized.
Now to do custom authorization, you could obtain the principal using HttpServletRequest.getUserPrincipal()
HTH
Nithya
[Message sent by forum member 'nitkal' (nitkal)]
http://forums.java.net/jive/thread.jspa?messageID=339759