I'm implementing simple custom SSO, and am struggling to find the correct place to perform an implicit login when the user first hits the application.

I had thought that a filter would be the natural place for this, and have a SsoFilter created and registered with SeamFilter. This works as I expected it to, BUT the call to identity.login() fails because there's no application scope active - the filter executes before the lifecycle sets up the context for the request (I think).

Here's what I see:

java.lang.IllegalStateException: No active application scope
 at org.jboss.seam.security.Configuration.instance(Configuration.java:71)
 at org.jboss.seam.security.Identity.getLoginContext(Identity.java:412)
 at org.jboss.seam.security.Identity.authenticate(Identity.java:324)
 at org.jboss.seam.security.Identity.login(Identity.java:237)
 at weblock.servlet.SsoFilter.doFilter(SsoFilter.java:78)
 at org.jboss.seam.servlet.SeamFilter$FilterChainImpl.doFilter(SeamFilter.java:69)

Here's what I'm basically doing in my filter:

// taken from AuthenticationFilter from seam source.
 Identity identity = (Identity) request.getSession().getAttribute( Seam.getComponentName(Identity.class) );

 identity.setUsername(value-gotten-from-sso-token);
 // for our requirements we don't actually need password, and
 // authenticate is written accordingly

 // this is what blows up!
 String loginResult = identity.login();

Argh! Is a filter the wrong place to do this sort of thing in Seam? We're developing against jboss, deploying into weblogic, so container integration isn't an option. The JSF lifecycle hooks seam uses via SeamListener look promising (session binding) but it doesn't look intended to be extensible, and I don't think the contexts are initialized there either. We don't want any sort of login page - this behaviour should all be transparent to the users.

Am I missing something obvious?

Any help would be greatly appreciated.