> 2 - Apache delegates the servlet to make the authentication. This would be
> the very best solution, but I suppose it is impossible (could an Apache
> module implement this feature?)
> You can do this! Turn off authentication in Apache and implement it in
> your Servlet.
It's not what I want to do. I can authenticate the user by servlet but it
means that I do security administration only throw servlet session. In other
words, all the protected parts of the site should pass throw servlet, and it
is too much expensive (i.e. what about static html pages? Should they be
parsed by a servlet instead of quickly delivered by Apache?).
