With J2EE container managed security, the user must trigger the authentication by trying to access a protected area, EJB, webpage, whatever.
There are always 'ways' of doing things like this by proxy from your custom security login, but many are considered dirty hacks and you already say you don't wish to write any more code.
The range of options open to you depends on your application. One thing that occurs to me off the top of my head is the 'anonymous' login that can be done. If you protect everything, then as soon as the user starts using the app, a login will occur and then in your custom login module you can fetch what info you need, if you can identify the user without any login name.
Have fun! ;)
Thanks for the quick response.
I think I get where your comming from but if the container security kicks in before my filter won't that force me to authenticate twice, once for the say the FORM authentication and then again when my fiter does not find a valid sessionid?
Or are you saying it is possible to write a custom login module that will authenticate the user (say like the DatabaseLoginModule) and somehow add the sessionid to the request, then my access control filter won't grumble and I get a security context for my request, if this is option is possible that would be great, but where do I start?