I have JAAS set up on JBoss 4.2.3 using FormAuthenticator, our custom LoginModule that implements AbstractServerLoginModule, and a security-constraint in web.xml. It's all working.
But we have to use an HTML form with j_security fields for username and password. At times we want to auto-login the user, which results in adding JavaScript to submit the form on page load and populating a hidden password field; we don't like this method.
Googling around, I found it's possible to log in a user using a servlet, for example:
LoginContext lc = new LoginContext("client-login", handler);
lc.login();
but this login doesn't persist across pages unless I add a filter on the protected resource to handle it manually. I don't want to do that.
I guess that once I log the user in in the servlet, I have to update something (maybe UserPrincipal or LoginContext?) to let JBoss know that the user has been authenticated, so that the security-constraints are properly applied to the rest of the session. Is this correct? What do I have to do?