I solved the problem myself. I used the policy "client-login", and it works. seems ClientLoginModule is the way to propage security context. Hope it could be helpful for people having similar problem.
by the way, this security forum seems to be really inactive.
please read the documentation and previous posts