I have JAAS set up on JBoss 4.2.3 using FormAuthenticator, our custom LoginModule that implements AbstractServerLoginModule, and a security-constraint in web.xml. It's all working.
Googling around, I found it's possible to log a user in from a servlet, for example:
LoginContext lc = new LoginContext("client-login", handler);
but this login method doesn't persist across pages unless I add a filter on the protected resource to handle it manually. I don't want to do that.
My guess is that once I log the user in from the servlet, I have to update something (maybe UserPrincipal or LoginContext?) to let JBoss know that the user has been authenticated, so that security-constraints are properly applied for the rest of the session. Is this correct? What do I have to do?