Do the LoginContext creation required by external clients, as described in the JAAS Howto, in the filter when the request comes in, and log out when it completes.
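A sketch of the filter described in the reply above, as an added example that is not part of the original post or any project's own code. The class name `JaasLoginFilter`, the JAAS entry name `example-client-login`, and the use of HTTP Basic credentials are assumptions; the thread does not say where the credentials come from.

```java
import java.io.IOException;
import java.nio.charset.StandardCharsets;
import java.util.Base64;
import javax.security.auth.callback.*;
import javax.security.auth.login.LoginContext;
import javax.security.auth.login.LoginException;
import javax.servlet.*;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;

public class JaasLoginFilter implements Filter {
    // Assumption: a JAAS configuration entry with this placeholder name exists.
    private static final String JAAS_ENTRY = "example-client-login";

    public void init(FilterConfig cfg) { }
    public void destroy() { }

    public void doFilter(ServletRequest rq, ServletResponse rs, FilterChain chain)
            throws IOException, ServletException {
        HttpServletResponse res = (HttpServletResponse) rs;
        // Assumption: credentials arrive as HTTP Basic; the thread does not say how.
        String h = ((HttpServletRequest) rq).getHeader("Authorization");
        String pair = null;
        try {
            if (h != null && h.regionMatches(true, 0, "Basic ", 0, 6))
                pair = new String(Base64.getDecoder().decode(h.substring(6).trim()),
                                  StandardCharsets.UTF_8);
        } catch (IllegalArgumentException malformed) { /* treated as missing */ }
        int sep = (pair == null) ? -1 : pair.indexOf(':');
        if (sep < 0) { res.sendError(HttpServletResponse.SC_UNAUTHORIZED); return; }
        final String user = pair.substring(0, sep);
        final char[] pass = pair.substring(sep + 1).toCharArray();
        LoginContext lc;
        try {   // login when the request comes in
            lc = new LoginContext(JAAS_ENTRY, callbacks -> {
                for (Callback cb : callbacks) {
                    if (cb instanceof NameCallback) ((NameCallback) cb).setName(user);
                    else if (cb instanceof PasswordCallback) ((PasswordCallback) cb).setPassword(pass);
                    else throw new UnsupportedCallbackException(cb);
                }
            });
            lc.login();
        } catch (LoginException e) { res.sendError(HttpServletResponse.SC_UNAUTHORIZED); return; }
        try {
            chain.doFilter(rq, rs);
        } finally {   // logout when it completes, even if the chain throws
            try { lc.logout(); } catch (LoginException ignored) { }
        }
    }
}
```

The `finally` block matters on pooled request threads: without it, an exception in the chain would skip the logout and leave the login context open after the request ends.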
Thanks for the reply Scott,
I have tried your suggestion and it works perfectly well for a single webapp. The problem is that with my application, once the user is authenticated, the request is dispatched to another webapp (in the same EAR). Since the dispatched request bypasses my authentication filter, the second webapp correctly treats it as an unauthenticated request. I could probably get round this by using a 302 redirect, but after some time considering the problem I have decided to refactor the old code I am using, merge the multiple webapps into one webapp, and use JAAS authentication in the standard way.
I will need the ability to use some sort of single sign-on, so I have switched off cookies and can now pass around the JSessionid to authenticated third parties (at least in the web tier).
Is it possible to change the way the JSessionId is generated? I would like to encode some useful info into it when it is created.