Looking for an answer... One of the JAAS / JBoss gurus please respond..
Read the JAAS Howto and the part on the ClientLoginModule. Just doing a JAAS login in a servlet does not affect the web container security state. It sounds like you are not using container level declarative security, and so you have to add your own filters to do application level security based on the session Subject.
Thanks for your reply..
After reading your reply and reading some books, I realized that I was trying to mix two things, Container managed security and Application Managed security, and was getting confused.
I have decided to go with Container managed security using j_security_check and let the container pick up the roles etc from web.xml.
I also thought about going with Application Managed security, which involved writing my own Servlet Filter. While doing that I looked at SecurityFilter (open source), but later decided to go with the container managed security for the limited requirements I have.