The problem is, you are trying to get around JAAS.
I'm pretty sure you have to force the guy to log in, and I don't think there is any automatic login available.
Here's what we do: let him create a User ID, and either let him enter a password, or email him one.
Then direct him to a protected page, and he'll be redirected by J2EE to the login page. Once he authenticates there, he'll be passed to the page he wanted.
Thanks for your hint danl, but this is not suitable for my needs. I still believe there must be a way to tell the sec manager that I want to add my programmatically authenticated subject to its cache.
Maybe Mr. Scott might have an idea. Thanks.
Not sure if I am understanding your requirements but...
Maybe using org.jboss.security.SecurityAssociation?
Note this is not portable across JAAS implementations (only works in JBoss at the moment).
Alternatively create a javax.security.auth.login.LoginContext and login().
No, this will not work. You have to convince Tomcat that the current session has been authenticated. This would require a custom valve and/or custom Tomcat authenticator. It's a deep Tomcat-specific integration.
I need to do the same thing. Has anything changed since last year in this area? Can someone point me to where I can get more information about how to do this?