Currently I am using Tomcat j_security_check with form-based login. Tomcat version 5.0.16 with JBoss 3.2.3 is used. On submit of the login page, the process of authentication takes place twice. Is the implementation meant to work like this, or is it an issue?
While traversing the code, I found out that the cache variable in the AuthenticatorBase class is set to false by JBoss.
Authentication and authorization will happen on every call, as security must be handled statelessly to ensure that the correct security context is propagated to the other layers like EJBs, as Tomcat knows nothing about how to do this.