Remy/Mladen, I propose the following method addition to the Realm interface for Tomcat 6. This would take care of the needs for header based authentication (which may include some form of SSO/Identity Management usecases) and JSR-196 (Java Authentication Container SPI) needs. | public Principal authenticate(Request request, Response response, | LoginConfig loginConfig) throws Exception; | The current limitation with the Realm interface is the loss of the request object during authentication. View the original post : http://www.jboss.com/index.html?module=bb&op=viewtopic&p=3962889#... Reply to the post : http://www.jboss.com/index.html?module=bb&op=posting&mode=reply&a...