Have an enum on the auth method (Authmethod.FORM, AuthMethod.DIGEST,
AuthMethod.BASIC, AuthMethod.JASPI) (The web.xml login-method is just a
string) and then use the addFirstAuthenticationMechanism() or
setAuthenticationMechanism api to install this adhoc low demand jaspi
mechanism. Users should be able to provide arbitrary string to the API
+1 I've been following this discussion and have written authentication systems for JBoss, Tomcat, Weblogic, IIS, Apache, etc and having to constrain to one of a few pre-defined methods is beyond frustrating.