Hello,

We're currently using form-based authentication (i.e. <auth-method>FORM</auth-method>) but, as I suspect many people have found, it's rather limited. One requirement we have is enforced password changes in certain scenarios. Currently the approach we were thinking of using is as follows:

a) the realm recognizes that the user has a mandatory password change flag set, and so gives them a degenerate set of roles; instead of their true role, they just have a MUST_CHANGE_PASSWORD role.

b) a filter checks for the existence of this role, and if it's found, forces the user to go to our change password page.

c) the password is changed and the user reauthenticated with their new credentials, to retrieve their full set of roles.

It's point (c) that's proving problematic; there's no way to reauthenticate that I can see. Our thinking is that we can resolve the inability to reauthenticate by creating a custom Authenticator; we could set some flag in the session to perform on-demand reauthentication, which would repopulate the list of roles, and everything would be hunky dory.

Is this approach reasonable? How have other people tackled similar requirements? Is there any less contrived way of achieving what we want with the minimum of Tomcat-specific code?

Peter
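An added example, not from the poster, sketching steps (b) and (c) with plain Servlet API calls rather than a custom Tomcat Authenticator. It assumes a Servlet 3.0 or later container (Tomcat 7+), where HttpServletRequest.logout() and login() exist; the /changePassword path, the /logout path and the PasswordStore class are hypothetical.

```java
import java.io.IOException;
import javax.servlet.*;
import javax.servlet.http.*;

// Step (b): any authenticated user still holding the placeholder role is sent to
// the change-password page. The page itself (and logout) must be exempt, or the
// redirect loops forever.
public class MustChangePasswordFilter implements Filter {
    private static final String ROLE = "MUST_CHANGE_PASSWORD";
    private static final String CHANGE_PAGE = "/changePassword";   // assumed path

    @Override public void init(FilterConfig cfg) {}
    @Override public void destroy() {}

    @Override
    public void doFilter(ServletRequest req, ServletResponse res, FilterChain chain)
            throws IOException, ServletException {
        HttpServletRequest request = (HttpServletRequest) req;
        HttpServletResponse response = (HttpServletResponse) res;
        String path = request.getServletPath();
        boolean exempt = CHANGE_PAGE.equals(path) || "/logout".equals(path);
        // isUserInRole() is false for unauthenticated requests, so those pass through
        // to the container's normal FORM login handling.
        if (!exempt && request.isUserInRole(ROLE)) {
            response.sendRedirect(request.getContextPath() + CHANGE_PAGE);
            return;
        }
        chain.doFilter(req, res);
    }
}

// ChangePasswordServlet.java (separate file in a real project)
// Step (c): after the new password is stored, discard the cached principal and
// authenticate again so the realm is re-queried and the full role set is loaded.
class ChangePasswordServlet extends HttpServlet {
    @Override
    protected void doPost(HttpServletRequest request, HttpServletResponse response)
            throws IOException, ServletException {
        String user = request.getUserPrincipal().getName();
        String newPassword = request.getParameter("newPassword");
        PasswordStore.update(user, newPassword);   // hypothetical application code
        request.logout();                          // drops the MUST_CHANGE_PASSWORD principal
        request.login(user, newPassword);          // realm now returns the real roles
        response.sendRedirect(request.getContextPath() + "/");
    }
}
```

The filter relies on the realm never returning MUST_CHANGE_PASSWORD together with real roles, so the flag-clearing and password update should happen in one transaction before login() is called.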