I have a web app that authenticates users using servlet filter. This filter delegates authentication to another server. Once the delegate server authenticates a user successfully, the user is forwarded back to the original web app. This web app then presents information gathered from session beans. These session beans use container-managed security. Thus, the beans expect a valid and logged-in user.

I have a limitation that I can't use container-managed security on the web server side. I have to rely on filter to do authentication.

My question is, how do I login the user before calling methods in the session beans?