You can do it this way (but only from a servlet)
I'm not sure how well this would work if there is no redirect URL stored on the session - but that might be something you could fake.
That's not particularly practical since, as you point out, it'll probably be a direct reference to the login action.
I've tried using this (refers to my application policy called "Users" using a custom LoginModule):
new LoginContext("Users", new UsernamePasswordHandler(username, password.toCharArray())).login();
It seems to work (i.e., doesn't throw a LoginException) but subsequent HttpServletRequests still have a null user Principal. Presumably access to secured EJBs will work, though.
Can someone tell me how to set the Principal that the Servlet container (in this case Catalina) associates with a particular session?
Many thanks in advance.
It definitely works, but I use two redirects - one within the "login" page to a protected resource for post-login processing etc, and one sneakily inside the login page. It can be done using POST as well as GET.
http://www.jboss.org/modules/bb/index.html?module=bb&op=viewtopic&t=forums/ way, the container does all the work it's supposed to, and there's little risk of losing portability.