Is there a way to configure Tomcat 8.5 or 9 to allow the user to log in with either their username or their email address?
I am willing to consider using a 3rd party security container if this solves the problem.
Currently using Tomcat JDBC Realm but only with username. Do not see ways to modify this Realm to allow either username or email address.
Have a look at the Combined Realm which allows several authentication mechanisms. In your case, you probably need 2 DataSourceRealm (rather than 2 JDBC Realms) accessing the same table but with different userNameCol parameters.
It's interesting to note that you can mix an authentication based on a tier (database, LDAP) and an authentication based on a local file (UserDatabaseRealm). Then you can still log in with an administrator user even when your database is down and all of the application seems dead to the other users. If there are things that don't need the database, you still can work.