}
// Ask the sec-manager to authenticate, this won't alter the current subject
RealmSecurityManager sm = security.getSecurityManager();
try {
sm.authenticate(new UsernamePasswordToken(username, password));
}
catch (AuthenticationException e) {
log.trace("Authentication failed", e);
throw new WebApplicationException("Authentication failed", Status.FORBIDDEN);
}