The first part of the answer explains how you could use the container's authentication mechanism and override the default authorization mechanism. If you have configured FileRealm and a few users for that realm, you could also add a property in the FileRealm (assign-groups=anyone).
Now, in your web.xml, you could have a security role defined as in:
<security-role>
    <description/>
    <role-name>anyrole</role-name>
</security-role>
and in sun-web.xml, map the role to the configured group as in:
<security-role-mapping>
    <role-name>anyrole</role-name>
    <group-name>anyone</group-name>
</security-role-mapping>
This way, all valid File realm users would access the application. And the custom authorization logic can be placed in the application.
Hope this clarifies
Nithya
[Message sent by forum member 'nitkal' (nitkal)]
http://forums.java.net/jive/thread.jspa?messageID=339768
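
One way the application-side authorization mentioned in the message above could look, as an added example that is not part of the original post or of GlassFish. The class name, user names, path prefixes and policy map are hypothetical, and it assumes the filter is mapped onto URLs protected by a security-constraint whose auth-constraint names anyrole, so the container has already authenticated the caller against the file realm.

```java
import java.io.IOException;
import java.security.Principal;
import java.util.*;
import javax.servlet.*;
import javax.servlet.http.*;

/** Hypothetical application-level authorization filter (names and policy are constructed). */
public class AppAuthorizationFilter implements Filter {
    // Constructed sample policy: authenticated user name -> path prefixes it may reach.
    private final Map<String, List<String>> policy = new HashMap<String, List<String>>();

    public void init(FilterConfig config) {
        policy.put("alice", Arrays.asList("/reports/", "/admin/"));
        policy.put("bob", Arrays.asList("/reports/"));
    }

    public void doFilter(ServletRequest req, ServletResponse res, FilterChain chain)
            throws IOException, ServletException {
        HttpServletRequest request = (HttpServletRequest) req;
        HttpServletResponse response = (HttpServletResponse) res;
        // Non-null only after the container's realm login succeeded.
        Principal user = request.getUserPrincipal();
        // Use the container-decoded path rather than the raw request URI.
        String info = request.getPathInfo();
        String path = request.getServletPath() + (info == null ? "" : info);
        if (user != null && isAllowed(user.getName(), path)) {
            chain.doFilter(req, res);
            return;
        }
        // Deny by default: no principal, unknown user, or no matching prefix.
        response.sendError(HttpServletResponse.SC_FORBIDDEN);
    }

    // The container put every realm user in one group, so the decision is per user here.
    boolean isAllowed(String userName, String path) {
        List<String> prefixes = policy.get(userName);
        if (prefixes == null) {
            return false;
        }
        for (String prefix : prefixes) {
            if (path.startsWith(prefix)) {
                return true;
            }
        }
        return false;
    }

    public void destroy() { }
}
```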