Dear all,

I have passed the comments about the code from Chapter 15 on to the
chapter's author, and received the reply below.

Richard Huss
Technical Editor, Wrox Press Ltd

----
I was using either the very earliest of the beta 3.1 or 3.0. I 
was worried that this might happen (I thought I put a warning in the 
chapter). I was the first person to do anything like this with the 
Tomcat server, and worked with the core Tomcat team to come up 
with what I did. I thought for sure that it worked with 3.1 though. 
hmm.

Actually I started the discussion that led to removing the 
SecurityCheck class, but I haven't looked at 3.2 to see what might 
have replaced it. I'll put that on my to do list.

The old response on the tomcat users list was this:
1) use Apache to authenticate your users
2) use Turbine (java.apache.org) or a master servlet to authenticate 
users and then use the forward method to call your "real" servlet.