I have a web application with configured security domain and I'd like to provide Single Sign-On functionality via e.g. an exposed servlet filter. Filter gets invoked with a token as an url query param, uses it to identify/authorize the user via some external service, does the programmatic login and finally ends up with httpServletRequest.redirect(<one-url-for-success-another-for-failed-login>).

An obvious way for archieving this programmatic login would be httpServletRequest.login(<username>, <password>). However, as always, devil is in the detail. This programmatic login should utilize another security domain, not the one configured with the web application.

I've tried creating new LoginContext:

LoginContext loginContext = new LoginContext(<custom security domain>, new UsernameGroupHandler(<username>, <group>));

loginContext.login();

but I don't have a way - or at least I'm not aware of any - to put the newly created loginContext.getSubject() into session or wherever it needs to go in order to be applied on subsequent requests.

So, is there any way to do web programmatic login using custom security domain?