3 Replies Latest reply on Jan 14, 2003 11:51 PM by pineson

    Change password (or, logout / login)

    bill.bruyn

      Well, let's see if I can live with these forums...

      I'm working on a web app that makes use of a DatabaseServerLoginModule. That's all working, and life is good enough.

      Now I need to allow my end-user to change his/her password while using the application. So I have a form that posts to a servlet. The servlet then uses a bean that models my principal table to update the credentials.

      After the password has been modified, I redirect to some other JSP for display, which is also protected by the JAAS framework.

      This page is now inaccessible, because the session attributes are apparently out of sync with the principal data. This is good, I think.

      But how am I going to re-authenticate the user programmatically?

      I thought maybe I could use a LoginContext, but no...

      And then I thought maybe I could invalidate the HttpSession and post form data to j_security_check, but how would I specify the resource j_security_check should redirect to when it's finished? So, no...

      So now the only thing I can think of is to set request attributes in the servlet, forward to my destination resource, check for the existence of those attributes at the login page, and post the form onLoad() if I have some credentials already.

      I guess that'll work. I think. Pretty messy though. :o[

      Does anyone have a better idea?