This is why it is rare to write a custom Authenticator. More often you write a custom Realm to do this sort of thing. You only need an Authenticator if you have some non-standard way of extracting the user credentials from the Request.
The problem with the code below is that it doesn't call request.setUserPrincipal(Principal) when you successfully authenticate, and doesn't call response.sendError() when it fails. These two steps are required by the Authenticator contract (see the comments in the invoke method of AuthenticatorBase). This is why you are getting the 403 error. After your Authenticator's authenticate method returns true, AuthenticatorBase passes the request off to the hasResourcePermission method of RealmBase (in o.a.c.realm). This will use the Principal in the Request to determine what roles the user has, and since in your case it is null, Tomcat decides she has no roles. The easiest way to fix your code is to create a GenericPrincipal (also in o.a.c.realm), and set it as the Request's Principal on success. This can optionally wrap a custom Principal, which is what the webapp will see when it calls request.getUserPrincipal(). You should use the register method of AuthenticatorBase to do this if you want to support SSO. Otherwise, you only need to call request.setAuthType and request.setUserPrincipal.

"Mehmood, Qaiser" <[EMAIL PROTECTED]> wrote in message news:[EMAIL PROTECTED]

Hi,

I need help to write my own custom Authenticator. I wrote my own Authenticator and it's very simple and following is the code:

    import java.io.IOException;

    import org.apache.catalina.authenticator.AuthenticatorBase;
    import org.apache.catalina.connector.Request;
    import org.apache.catalina.connector.Response;
    import org.apache.catalina.deploy.LoginConfig;

    public class SampleAuthenticator extends AuthenticatorBase {

        public boolean authenticate(Request request, Response response,
                                    LoginConfig config) throws IOException {
            // if authenticated against LDAP return true otherwise return false
            // (authenticated() is the poster's own LDAP check, not shown here)
            if (authenticated()) {
                return true;
            } else {
                return false;
            }
        }
    }

This authenticated() method checks with LDAP and puts Admin in the subject. Is there anything else I need to do in my custom authenticator? But when I execute this request, I get the error "HTTP Status 403 - Access to the requested resource has been denied".
My web.xml configuration is:

    <security-constraint>
      <web-resource-collection>
        <web-resource-name>Test</web-resource-name>
        <description>Test</description>
        <url-pattern>/protected/*</url-pattern>
        <http-method>GET</http-method>
        <http-method>POST</http-method>
      </web-resource-collection>
      <auth-constraint>
        <role-name>Admin</role-name>
      </auth-constraint>
    </security-constraint>
    <login-config>
      <auth-method>MyAuth</auth-method>
      <realm-name>sampleTest</realm-name>
    </login-config>

Thanks,
Qaiser Mehmood
Work (512) 248-4269
Cell (571) 438-8639

---------------------------------------------------------------------
To start a new topic, e-mail: users@tomcat.apache.org
To unsubscribe, e-mail: [EMAIL PROTECTED]
For additional commands, e-mail: [EMAIL PROTECTED]
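For reference, this is what the reply's advice looks like when applied to the posted class: set a GenericPrincipal carrying the LDAP roles on success (via register() so SSO keeps working) and send the error response on failure. It is an added example, not code from the thread or from Tomcat itself; it assumes the Tomcat 5.5/6 API (GenericPrincipal takes the Realm as its first argument, and AuthenticatorBase exposes register() and the protected context field), and the extractCredentials() and ldapRoles() methods are hypothetical placeholders standing in for the poster's site-specific LDAP check.

```java
import java.io.IOException;
import java.security.Principal;
import java.util.List;
import javax.servlet.http.HttpServletResponse;
import org.apache.catalina.authenticator.AuthenticatorBase;
import org.apache.catalina.connector.Request;
import org.apache.catalina.connector.Response;
import org.apache.catalina.deploy.LoginConfig;
import org.apache.catalina.realm.GenericPrincipal;

public class SampleAuthenticator extends AuthenticatorBase {
    public boolean authenticate(Request request, Response response,
                                LoginConfig config) throws IOException {
        // A Principal already on the request (earlier in the session, or via
        // SSO) means the user has passed; let the constraint check proceed.
        if (request.getUserPrincipal() != null) {
            return true;
        }
        String[] creds = extractCredentials(request); // {user, password} or null
        List<String> roles = (creds == null) ? null : ldapRoles(creds[0], creds[1]);
        if (roles == null) {
            // Failure: the contract has the Authenticator send the error itself.
            response.sendError(HttpServletResponse.SC_UNAUTHORIZED);
            return false;
        }
        // Success: RealmBase.hasRole() reads roles from this GenericPrincipal,
        // so "Admin" must be in the list for the web.xml auth-constraint to pass.
        Principal principal = new GenericPrincipal(context.getRealm(),
                                                   creds[0], creds[1], roles);
        // register() calls request.setAuthType()/setUserPrincipal() and, when
        // a SingleSignOn valve is configured, enrols the session with it.
        register(request, response, principal, config.getAuthMethod(),
                 creds[0], creds[1]);
        return true;
    }

    // Site-specific (hypothetical placeholder): extract the credentials from
    // the Request in whatever non-standard way this deployment uses.
    protected String[] extractCredentials(Request request) {
        return null;
    }

    // Site-specific (hypothetical placeholder): the LDAP bind/lookup. Returns
    // the roles granted, or null when the login is rejected. Fails closed.
    protected List<String> ldapRoles(String username, String password) {
        return null;
    }
}
```

Without the SingleSignOn valve, the register() call can be replaced by request.setAuthType(config.getAuthMethod()) followed by request.setUserPrincipal(principal), as the reply says.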