1 Reply Latest reply on Sep 9, 2006 8:44 AM by kourkk

    Jsf Form Authentication problem

    kourkk

      I use an HTML page as the login page, and when I type the correct username and password it authenticates, but I receive a 403 error. If the login parameters are wrong I am redirected to the error page. I searched the net and I think that I configured everything OK, but I still have the problem. Also, though this login page is declared confidential, when I am redirected to it, it never runs in HTTPS. If I hit it directly, it does.
      Any help would be great.
      Thanks.

        • 1. Re: Jsf Form Authentication problem
          kourkk

          To make it easier for someone to give some hints, below I am posting some configuration files and code. I am using MySQL for the users and roles, and when I log in manually
          using LoginContext.login() it works. But when the form authentication is triggered and loginj.jsp is displayed, I am authenticated but I get a 403 error. I want to use this facility in order to have the single sign-on feature. Is it possible to have single sign-on if you authenticate using:
          ---------------------------------------------
          // Programmatic JAAS login against the "myPolicy" application policy
          import java.util.Set;
          import javax.security.auth.Subject;
          import javax.security.auth.login.LoginContext;
          import org.jboss.security.SimplePrincipal;
          import org.jboss.security.auth.callback.SecurityAssociationHandler;

          SecurityAssociationHandler handler = new SecurityAssociationHandler();
          SimplePrincipal user = new SimplePrincipal(_uname);
          handler.setSecurityInfo(user, _upass.toCharArray()); // credentials handed to the login modules through the callbacks
          LoginContext loginContext = new LoginContext("myPolicy", handler); // SecurityAssociationHandler implements CallbackHandler
          loginContext.login(); // throws LoginException if the modules reject the credentials
          Subject subject = loginContext.getSubject();
          Set principals = subject.getPrincipals();
          principals.add(user);
          ---------------------------------------------
          i.e. so that the user does not have to log in again?
          Can this somehow be simulated, or done by calling a method?

          web.xml
          ---------------------------------------
          <web-app>
          <description>debug web.xml</description>
          <context-param>
          <param-name>javax.faces.CONFIG_FILES</param-name>
          <param-value>
          /WEB-INF/faces-config.xml
          </param-value>
          <description>
          Comma separated list of URIs of (additional) faces config files.
          (e.g. /WEB-INF/my-config.xml)
          See JSF 1.0 PRD2, 10.3.2
          </description>
          </context-param>

          <context-param>
          <param-name>javax.faces.STATE_SAVING_METHOD</param-name>
          <param-value>client</param-value>
          <description>
          State saving method: "client" or "server" (= default)
          See JSF Specification 2.5.2
          </description>
          </context-param>

          <context-param>
          <param-name>org.apache.myfaces.ALLOW_JAVASCRIPT</param-name>
          <param-value>true</param-value>
          <description>
          This parameter tells MyFaces if javascript code should be allowed in the
          rendered HTML output.
          If javascript is allowed, command_link anchors will have javascript code
          that submits the corresponding form.
          If javascript is not allowed, the state saving info and nested parameters
          will be added as url parameters.
          Default: "true"
          </description>
          </context-param>

          <context-param>
          <param-name>org.apache.myfaces.DETECT_JAVASCRIPT</param-name>
          <param-value>false</param-value>
          </context-param>

          <context-param>
          <param-name>org.apache.myfaces.CHECK_EXTENSIONS_FILTER</param-name>
          <param-value>true</param-value>
          </context-param>

          <context-param>
          <param-name>com.sun.faces.serializationProvider</param-name>
          <param-value>org.jboss.web.jsf.integration.serialization.JBossSerializationProvider</param-value>
          </context-param>


          <context-param>
          <param-name>org.apache.myfaces.ADD_RESOURCE_CLASS</param-name>
          <param-value>org.apache.myfaces.renderkit.html.util.DefaultAddResource</param-value>
          </context-param>

          <context-param>
          <param-name>org.apache.myfaces.PRETTY_HTML</param-name>
          <param-value>true</param-value>
          <description>
          If true, rendered HTML code will be formatted, so that it is "human readable".
          i.e. additional line separators and whitespace will be written, that do not
          influence the HTML code.
          Default: "true"
          </description>
          </context-param>

          <context-param>
          <param-name>org.apache.myfaces.AUTO_SCROLL</param-name>
          <param-value>true</param-value>
          <description>
          If true, a javascript function will be rendered that is able to restore the
          former vertical scroll on every request. Convenient feature if you have pages
          with long lists and you do not want the browser page to always jump to the top
          if you trigger a link or button action that stays on the same page.
          Default: "false"
          </description>
          </context-param>
          <!-- Key, cipher and IV used by MyFaces to encrypt the client-side view state
          (STATE_SAVING_METHOD is "client" above); secret and iv are base64-encoded -->
          <context-param>
          <param-name>org.apache.myfaces.secret</param-name>
          <param-value>MDEyMzQ1Njc4OTAxMjM0NTY3ODkwMTIz</param-value>
          </context-param>
          <context-param>
          <param-name>org.apache.myfaces.algorithm</param-name>
          <param-value>AES</param-value>
          </context-param>
          <context-param>
          <param-name>org.apache.myfaces.algorithm.parameters</param-name>
          <param-value>CBC/PKCS5Padding</param-value>
          </context-param>
          <context-param>
          <param-name>org.apache.myfaces.algorithm.iv</param-name>
          <param-value>NzY1NDMyMTA3NjU0MzIxMA==</param-value>
          </context-param>


          <!-- Tiles ViewHandler config file -->

          <context-param>
          <param-name>tiles-definitions</param-name>
          <param-value>/WEB-INF/tiles.xml</param-value>
          <description>
          Tiles configuration
          definition files and a listener need to be defined.
          the listener will initialize JspTilesViewHandlerImpl with tiles definitions.
          </description>
          </context-param>

          <!-- Extensions Filter -->
          <filter>
          <filter-name>extensionsFilter</filter-name>
          <filter-class>org.apache.myfaces.webapp.filter.ExtensionsFilter</filter-class>

          <init-param>
          <param-name>maxFileSize</param-name>
          <param-value>100m</param-value>
          <description>Set the size limit for uploaded files.
          Format: 10 - 10 bytes
          10k - 10 KB
          10m - 10 MB
          1g - 1 GB
          </description>
          </init-param>
          <init-param>
          <param-name>uploadMaxFileSize</param-name>
          <param-value>100m</param-value>
          <description>Set the size limit for uploaded files.
          Format: 10 - 10 bytes
          10k - 10 KB
          10m - 10 MB
          1g - 1 GB
          </description>
          </init-param>
          <init-param>
          <param-name>uploadThresholdSize</param-name>
          <param-value>100m</param-value>
          <description>Set the threshold size - files
          below this limit are stored in memory, files above
          this limit are stored on disk.

          Format: 10 - 10 bytes
          10k - 10 KB
          10m - 10 MB
          1g - 1 GB
          </description>
          </init-param>
          <!-- <init-param>
          <param-name>uploadRepositoryPath</param-name>
          <param-value>/temp</param-value>
          <description>Set the path where the intermediary files will be stored.
          </description>
          </init-param>-->
          </filter>

          <filter>
          <filter-name>PostLoginFilter</filter-name>
          <filter-class>com.sms.PostLoginFilter</filter-class>
          </filter>


          <filter-mapping>
          <filter-name>PostLoginFilter</filter-name>
          <url-pattern>/j_security_check</url-pattern>
          </filter-mapping>
          <filter-mapping>
          <filter-name>PostLoginFilter</filter-name>
          <url-pattern>/user/*</url-pattern>
          </filter-mapping>

          <filter-mapping>
          <filter-name>PostLoginFilter</filter-name>
          <url-pattern>/faces/user/*</url-pattern>
          </filter-mapping>

          <filter-mapping>
          <filter-name>PostLoginFilter</filter-name>
          <url-pattern>/company/*</url-pattern>
          </filter-mapping>

          <filter-mapping>
          <filter-name>PostLoginFilter</filter-name>
          <url-pattern>/faces/company/*</url-pattern>
          </filter-mapping>

          <filter-mapping>
          <filter-name>PostLoginFilter</filter-name>

          <servlet-name>Faces Servlet</servlet-name>
          </filter-mapping>
          <filter-mapping>
          <filter-name>extensionsFilter</filter-name>

          <servlet-name>Faces Servlet</servlet-name>
          </filter-mapping>


          <filter-mapping>
          <filter-name>extensionsFilter</filter-name>
          <url-pattern>*.jsf</url-pattern>
          </filter-mapping>

          <filter-mapping>
          <filter-name>extensionsFilter</filter-name>
          <url-pattern>/faces/*</url-pattern>
          </filter-mapping>

          <filter-mapping>
          <filter-name>extensionsFilter</filter-name>
          <url-pattern>*.jsp</url-pattern>
          </filter-mapping>

          <filter-mapping>
          <filter-name>extensionsFilter</filter-name>
          <url-pattern>/faces/myFacesExtensionResource/*</url-pattern>
          </filter-mapping>


          <!-- Faces Servlet -->
          <servlet>
          <servlet-name>Faces Servlet</servlet-name>
          <servlet-class>javax.faces.webapp.FacesServlet</servlet-class>
          <load-on-startup>1</load-on-startup>
          <security-role-ref>
          <role-name>user</role-name>
          <role-link>userrole</role-link>
          </security-role-ref>
          <security-role-ref>
          <role-name>company</role-name>
          <role-link>companyrole</role-link>
          </security-role-ref>
          </servlet>



          <!-- Faces Servlet Mapping -->

          <!-- virtual path mapping -->

          <servlet-mapping>
          <servlet-name>Faces Servlet</servlet-name>
          <url-pattern>/faces/*</url-pattern>
          </servlet-mapping>

          <!-- extension mapping -->
          <servlet-mapping>
          <servlet-name>Faces Servlet</servlet-name>
          <url-pattern>*.jsf</url-pattern>
          </servlet-mapping>

          <mime-mapping>
          <extension>html</extension>
          <mime-type>text/html</mime-type>
          </mime-mapping>
          <mime-mapping>
          <extension>txt</extension>
          <mime-type>text/plain</mime-type>
          </mime-mapping>
          <!-- Welcome files -->


          <welcome-file-list>
          <welcome-file>index.jsp</welcome-file>
          <welcome-file>index.html</welcome-file>
          </welcome-file-list>



          <error-page>
          <error-code>404</error-code>
          <location>/error404.jsp</location>
          </error-page>

          <error-page>
          <error-code>403</error-code>
          <location>/error403.jsp</location>
          </error-page>

          <error-page>
          <error-code>503</error-code>
          <location>/error503.jsp</location>
          </error-page>

          <error-page>
          <error-code>500</error-code>
          <location>/error500.jsp</location>
          </error-page>

          <error-page>
          <error-code>401</error-code>
          <location>/error401.jsp</location>
          </error-page>



          <security-constraint>
          <display-name>Restrict access to login JSP pages</display-name>
          <web-resource-collection>
          <web-resource-name>Restrict access to login JSP pages</web-resource-name>
          <url-pattern>/faces/login.jsp</url-pattern>
          <url-pattern>/login.jsp</url-pattern>
          <url-pattern>/faces/login.jsf</url-pattern>
          <url-pattern>/login.jsf</url-pattern>
          </web-resource-collection>

          <user-data-constraint>
          <transport-guarantee>CONFIDENTIAL</transport-guarantee>
          </user-data-constraint>
          </security-constraint>

          <security-constraint>
          <display-name>Restrict access to registration JSP pages</display-name>
          <web-resource-collection>
          <web-resource-name>Restrict access to registration JSP pages</web-resource-name>
          <url-pattern>/faces/regCompany.jsp</url-pattern>
          <url-pattern>/regCompany.jsp</url-pattern>
          <url-pattern>/faces/regCompany.jsf</url-pattern>
          <url-pattern>/regCompany.jsf</url-pattern>
          </web-resource-collection>

          <user-data-constraint>
          <transport-guarantee>CONFIDENTIAL</transport-guarantee>
          </user-data-constraint>
          </security-constraint>

          <security-constraint>
          <display-name>Restrict access to registration user JSP pages</display-name>
          <web-resource-collection>
          <web-resource-name>Restrict access to registration JSP pages</web-resource-name>
          <url-pattern>/faces/regUser.jsp</url-pattern>
          <url-pattern>/regUser.jsp</url-pattern>
          <url-pattern>/faces/regUser.jsp</url-pattern>
          <url-pattern>/regUser.jsp</url-pattern>
          </web-resource-collection>

          <user-data-constraint>
          <transport-guarantee>CONFIDENTIAL</transport-guarantee>
          </user-data-constraint>
          </security-constraint>


          <security-constraint>
          <display-name>Restrict access to login PROTj JSP pages</display-name>
          <web-resource-collection>
          <web-resource-name>Restrict access to login PROTj JSP pages</web-resource-name>
          <url-pattern>/faces/loginj.jsp</url-pattern>
          <url-pattern>/loginj.jsp</url-pattern>
          <url-pattern>/faces/loginj.jsf</url-pattern>
          <url-pattern>/loginj.jsf</url-pattern>
          </web-resource-collection>

          <user-data-constraint>
          <transport-guarantee>CONFIDENTIAL</transport-guarantee>
          </user-data-constraint>
          </security-constraint>

          <security-constraint>
          <display-name>Restrict access to USER JSP pages</display-name>
          <web-resource-collection>
          <web-resource-name>Restrict access to COMPANY JSP pages</web-resource-name>
          <url-pattern>/user/*</url-pattern>
          <url-pattern>/faces/user/*</url-pattern>
          </web-resource-collection>

          <auth-constraint>
          <description>With no roles defined, no access granted</description>
          <role-name>userrole</role-name>
          <role-name>companyrole</role-name>
          </auth-constraint>

          <user-data-constraint>
          <transport-guarantee>CONFIDENTIAL</transport-guarantee>
          </user-data-constraint>
          </security-constraint>

          <security-constraint>
          <display-name>Restrict access to COMPANY JSP pages</display-name>
          <web-resource-collection>
          <web-resource-name>Restrict access to COMPANY JSP pages</web-resource-name>
          <url-pattern>/company/*</url-pattern>
          <url-pattern>/faces/company/*</url-pattern>
          </web-resource-collection>

          <auth-constraint>
          <description>With no roles defined, no access granted</description>
          <role-name>companyrole</role-name>
          </auth-constraint>

          <user-data-constraint>
          <transport-guarantee>CONFIDENTIAL</transport-guarantee>
          </user-data-constraint>
          </security-constraint>


          <login-config>

          <auth-method>FORM</auth-method>
          <realm-name>myPolicy</realm-name>
          <form-login-config>

          <form-login-page>/loginj.jsp</form-login-page>
          <form-error-page>/error.jsp</form-error-page>

          </form-login-config>

          </login-config>

          <security-role>
          <role-name>userrole</role-name>
          </security-role>

          <security-role>
          <role-name>companyrole</role-name>
          </security-role>


          </web-app>
          ----------------------------------------------------------------


          jboss-web.xml
          ------------------------------------------------------------
          <?xml version="1.0"?>

          <jboss-web>
          <security-domain>java:/jaas/myPolicy</security-domain>
          </jboss-web>

          -----------------------------------------------------------


          Client auth.conf
          ----------------------------------------
          client-login
          {
          org.jboss.security.ClientLoginModule required;
          };

          myPolicy
          {
          org.jboss.security.ClientLoginModule required;
          org.jboss.security.auth.spi.DatabaseServerLoginModule required;
          };


          Server auth.conf in ../conf
          ------------------------------------------------
          client-login
          {
          org.jboss.security.ClientLoginModule required;
          };

          myPolicy
          {
          org.jboss.security.ClientLoginModule required;
          org.jboss.security.auth.spi.DatabaseServerLoginModule required
          dsJndiName="java:/MySqlDS"
          principalsQuery="SELECT PASSWD FROM PUBLIC.PRINCIPALS WHERE USERID=?"
          rolesQuery="SELECT ROLEID 'Roles', ROLEGROUP 'RoleGroups' FROM PUBLIC.ROLES WHERE USERID=?"
          ;
          };


          jboss-service.xml
          ----------------------------------------------
          (the mbean and attribute tags did not survive posting; only comments and attribute values remain)

          <!-- Load all jars from the JBOSS_DIST/server//lib directory. This
          can be restricted to specific jars by specifying them in the archives
          attribute.
          -->

          <!-- The SSL domain setup -->
          file:${jboss.server.home.dir}/conf/sec.keystore
          rmi+ssl

          <!-- A Thread pool service -->
          JBoss System Threads
          System Threads
          <!-- How long a thread will live without any tasks in MS -->
          60000
          <!-- The max number of threads in the pool -->
          10
          <!-- The max number of tasks before the queue is full -->
          1000
          <!-- The behavior of the pool when a task is added and the queue is full.
          abort - a RuntimeException is thrown
          run - the calling thread executes the task
          wait - the calling thread blocks until the queue has room
          discard - the task is silently discarded without being run
          discardOldest - check to see if a task is about to complete and enque
          the new task if possible, else run the task in the calling thread
          -->
          run

          <!-- ==================================================================== -->
          <!-- Log4j Initialization -->
          <!-- ==================================================================== -->

          <mbean code="org.jboss.logging.Log4jService"
          name="jboss.system:type=Log4jService,service=Logging"
          xmbean-dd="resource:xmdesc/Log4jService-xmbean.xml">
          resource:log4j.xml
          <!-- Set the org.apache.log4j.helpers.LogLog.setQuiteMode. As of log4j1.2.8
          this needs to be set to avoid a possible deadlock on exception at the
          appender level. See bug#696819.
          -->
          true
          <!-- How frequently in seconds the ConfigurationURL is checked for changes -->
          60

          <depends optional-attribute-name="Deployer">jboss.system:service=MainDeployer
          org.jboss.deployment.DeploymentSorter
          <!-- Files starting with these strings are ignored -->
          #,%,\,,.,_$
          <!-- Files ending with these strings are ignored -->
          #,$,%,~,\,v,.BAK,.bak,.old,.orig,.tmp,.rej,.sh
          <!-- Files matching these strings are ignored -->
          .make.state,.nse_depinfo,CVS,CVS.admin,RCS,RCSLOG,SCCS,TAGS,core,tags
          <!-- Frequency in milliseconds to rescan the URLs for changes -->
          5000
          <!-- A flag to disable the scans -->
          true
          deploy/
          True

          jndi.properties
          ----------------------------------------------------------------------------------------------
          java.naming.factory.initial=org.jnp.interfaces.NamingContextFactory
          java.naming.factory.url.pkgs=org.jboss.naming:org.jnp.interfaces

          # Do NOT uncomment this line as it causes in VM calls to go over
          # RMI!
          java.naming.provider.url=localhost:1099


          login-config.xml
          ----------------------------------------------------------------


          <application-policy name="myPolicy">

          <login-module code="org.jboss.security.ClientLoginModule" flag="required">
          </login-module>
          <login-module code="org.jboss.security.auth.spi.DatabaseServerLoginModule" flag="required">
          <module-option name="managedConnectionFactoryName">
          jboss.jca:service=LocalTxCM,name=MySqlDS
          </module-option>
          <module-option name="dsJndiName">
          java:/MySqlDS
          </module-option>
          <module-option name="principalsQuery">
          SELECT PASSWD FROM PUBLIC.PRINCIPALS WHERE USERID=?
          </module-option>
          <module-option name="rolesQuery">
          SELECT ROLEID 'Roles', ROLEGROUP 'RoleGroups' FROM PUBLIC.ROLES WHERE USERID=?
          </module-option>
          </login-module>

          </application-policy>

          <application-policy name = "client-login">

          <login-module code = "org.jboss.security.ClientLoginModule"
          flag = "required">
          <!-- Any existing security context will be restored on logout -->
          <module-option name="restore-login-identity">true</module-option>
          </login-module>

          </application-policy>

          <!-- Security domain for JBossMQ -->
          <application-policy name = "jbossmq">

          <login-module code = "org.jboss.security.auth.spi.DatabaseServerLoginModule"
          flag = "required">
          <module-option name = "unauthenticatedIdentity">guest</module-option>
          <module-option name = "dsJndiName">java:/DefaultDS</module-option>
          <module-option name = "principalsQuery">SELECT PASSWD FROM JMS_USERS WHERE USERID=?</module-option>
          <module-option name = "rolesQuery">SELECT ROLEID, 'Roles' FROM JMS_ROLES WHERE USERID=?</module-option>
          </login-module>

          </application-policy>

          <!-- Security domains for testing new jca framework -->
          <application-policy name = "HsqlDbRealm">

          <login-module code = "org.jboss.resource.security.ConfiguredIdentityLoginModule"
          flag = "required">
          <module-option name = "principal">sa</module-option>
          <module-option name = "userName">sa</module-option>
          <module-option name = "password"></module-option>
          <module-option name = "managedConnectionFactoryName">jboss.jca:service=LocalTxCM,name=DefaultDS</module-option>
          </login-module>

          </application-policy>

          <application-policy name = "MySqlDbRealm">

          <login-module code = "org.jboss.resource.security.ConfiguredIdentityLoginModule" flag = "required">
          <module-option name ="principal">smsuser</module-option>
          <module-option name ="userName">smsuser</module-option>
          <module-option name ="password">smsuser</module-option>
          <module-option name ="managedConnectionFactoryName">
          jboss.jca:service=LocalTxCM,name=MySqlDS
          </module-option>
          </login-module>

          </application-policy>

          <application-policy name = "JmsXARealm">

          <login-module code = "org.jboss.resource.security.ConfiguredIdentityLoginModule"
          flag = "required">
          <module-option name = "principal">guest</module-option>
          <module-option name = "userName">guest</module-option>
          <module-option name = "password">guest</module-option>
          <module-option name = "managedConnectionFactoryName">jboss.jca:service=TxCM,name=JmsXA</module-option>
          </login-module>

          </application-policy>

          <!-- A template configuration for the jmx-console web application. This
          defaults to the UsersRolesLoginModule the same as other and should be
          changed to a stronger authentication mechanism as required.
          -->
          <application-policy name = "jmx-console">

          <login-module code="org.jboss.security.auth.spi.UsersRolesLoginModule"
          flag = "required">
          <module-option name="usersProperties">props/jmx-console-users.properties</module-option>
          <module-option name="rolesProperties">props/jmx-console-roles.properties</module-option>
          </login-module>

          </application-policy>

          <!-- A template configuration for the web-console web application. This
          defaults to the UsersRolesLoginModule the same as other and should be
          changed to a stronger authentication mechanism as required.
          -->
          <application-policy name = "$webConsoleDomain">

          <login-module code="org.jboss.security.auth.spi.UsersRolesLoginModule"
          flag = "required">
          <module-option name="usersProperties">web-console-users.properties</module-option>
          <module-option name="rolesProperties">web-console-roles.properties</module-option>
          </login-module>

          </application-policy>

          <!-- A template configuration for the JBossWS web application (and transport layer!).
          This defaults to the UsersRolesLoginModule the same as other and should be
          changed to a stronger authentication mechanism as required.
          -->
          <application-policy name="JBossWS">

          <login-module code="org.jboss.security.auth.spi.UsersRolesLoginModule"
          flag="required">
          <module-option name="usersProperties">props/jbossws-users.properties</module-option>
          <module-option name="rolesProperties">props/jbossws-roles.properties</module-option>
          <module-option name="unauthenticatedIdentity">anonymous</module-option>
          </login-module>

          </application-policy>

          <!-- The default login configuration used by any security domain that
          does not have a application-policy entry with a matching name
          -->
          <application-policy name = "other">
          <!-- A simple server login module, which can be used when the number
          of users is relatively small. It uses two properties files:
          users.properties, which holds users (key) and their password (value).
          roles.properties, which holds users (key) and a comma-separated list of
          their roles (value).
          The unauthenticatedIdentity property defines the name of the principal
          that will be used when a null username and password are presented as is
          the case for an unuathenticated web client or MDB. If you want to
          allow such users to be authenticated add the property, e.g.,
          unauthenticatedIdentity="nobody"
          -->

          <login-module code = "org.jboss.security.auth.spi.UsersRolesLoginModule"
          flag = "required" />

          </application-policy>




          mysql-ds.xml
          ----------------------------------------------------------

          <local-tx-datasource>
          <jndi-name>MySqlDS</jndi-name>
          <connection-url>jdbc:mysql://localhost:3306/PUBLIC</connection-url>
          <driver-class>com.mysql.jdbc.Driver</driver-class>
          <user-name>smsuser</user-name>
          <password>smsuser</password>
          <exception-sorter-class-name>org.jboss.resource.adapter.jdbc.vendor.MySQLExceptionSorter</exception-sorter-class-name>
          <!-- should only be used on drivers after 3.22.1 with "ping" support
          <valid-connection-checker-class-name>org.jboss.resource.adapter.jdbc.vendor.MySQLValidConnectionChecker</valid-connection-checker-class-name>
          -->
          <!-- sql to call when connection is created
          <new-connection-sql>some arbitrary sql</new-connection-sql>
          -->
          <!-- sql to call on an existing pooled connection when it is obtained from pool - MySQLValidConnectionChecker is preferred for newer drivers
          <check-valid-connection-sql>some arbitrary sql</check-valid-connection-sql>
          -->
          <security-domain>MySqlDbRealm</security-domain>
          <!-- corresponding type-mapping in the standardjbosscmp-jdbc.xml (optional) -->

          <type-mapping>mySQL</type-mapping>

          </local-tx-datasource>



          server.xml
          -------------------------------------------------------------------
          (the Connector and Realm elements did not survive posting; only the comments remain)

          <!-- A HTTP/1.1 Connector on port 8080 -->

          <!-- A AJP 1.3 Connector on port 8009 -->

          <!-- SSL/TLS Connector configuration using the admin devl guide keystore -->

          <!-- The JAAS based authentication and authorization realm implementation
          that is compatible with the jboss 3.2.x realm implementation.
          - certificatePrincipal : the class name of the
          org.jboss.security.auth.certs.CertificatePrincipal impl
          used for mapping X509[] cert chains to a Principal.
          - allRolesMode : how to handle an auth-constraint with a role-name=*,
          one of strict, authOnly, strictAuthOnly
          + strict = Use the strict servlet spec interpretation which requires
          that the user have one of the web-app/security-role/role-name
          + authOnly = Allow any authenticated user
          + strictAuthOnly = Allow any authenticated user only if there are no
          web-app/security-roles
          -->
          <!-- A subclass of JBossSecurityMgrRealm that uses the authentication
          behavior of JBossSecurityMgrRealm, but overrides the authorization
          checks to use JACC permissions with the current java.security.Policy
          to determine authorized access.
          - allRolesMode : how to handle an auth-constraint with a role-name=*,
          one of strict, authOnly, strictAuthOnly
          + strict = Use the strict servlet spec interpretation which requires
          that the user have one of the web-app/security-role/role-name
          + authOnly = Allow any authenticated user
          + strictAuthOnly = Allow any authenticated user only if there are no
          web-app/security-roles
          -->

          <!-- Uncomment to check for unclosed connections and transaction terminated checks
          in servlets/jsps.
          Important: You need to uncomment the dependency on the CachedConnectionManager
          in META-INF/jboss-service.xml
          -->

          loginj.jsp :FORM AUTHENTICATION
          ----------------------------------------------------------------
          <%@ page language="java" contentType="text/html; charset=UTF-8"
          pageEncoding="UTF-8"%>
          <!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN">
          <html>
          <head>
          <meta http-equiv="Content-Type" content="text/html; charset=UTF-8">
          <%
          response.setHeader("Cache-Control","no-cache"); //HTTP 1.1
          response.setHeader("Pragma","no-cache"); //HTTP 1.0
          response.setDateHeader ("Expires", 0); //prevents caching at the proxy server
          %>
          <title>Login</title>
          </head>
          <body>
          <%-- Container-managed FORM login: the action j_security_check and the field
               names j_username / j_password are fixed by the Servlet specification --%>
          <form method="POST" action="<%= response.encodeURL("j_security_check") %>" >
          Username: <input type="text" name="j_username">
          <br>
          Password: <input type="password" name="j_password">
          <br>
          <input type="submit" value="Login">
          </form>
          </body>
          </html>

          PostLoginFilter.java
          -------------------------------------
          package com.sms;

          import java.io.IOException;

          import javax.servlet.Filter;
          import javax.servlet.FilterChain;
          import javax.servlet.FilterConfig;
          import javax.servlet.ServletException;
          import javax.servlet.ServletRequest;
          import javax.servlet.ServletResponse;

          // Pass-through filter mapped on /j_security_check and the protected paths;
          // it only logs before and after the rest of the chain runs.
          public class PostLoginFilter implements Filter {
              private FilterConfig config = null;

              public void init(FilterConfig config) throws ServletException {
                  this.config = config;
              }

              public void destroy() {
                  config = null;
              }

              public void doFilter(ServletRequest servletRequest, ServletResponse servletResponse,
                                   FilterChain filterChain) throws IOException, ServletException {
                  System.out.println("Before j_security_check");
                  filterChain.doFilter(servletRequest, servletResponse);
                  System.out.println("After j_security_check");
              }
          }

          What is missing?
          Please help.
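
An added example, not part of the post and not JBoss or MyFaces code: a small Python script that checks the security sections of a web.xml for the mismatches that make a FORM login authenticate and then answer 403 (an auth-constraint role, or a security-role-ref link, that no security-role declares), for protected collections without a CONFIDENTIAL transport guarantee (the container forwards to the form-login-page under the URL that was originally requested, so the login page's own constraint only applies when it is opened directly), and for a MyFaces client-state key that decodes to typed text rather than random bytes. The sample web.xml embedded in it is constructed, with faults planted on purpose; the function and parameter names are the example's own, not from the post.

```python
"""Consistency checks for the security sections of a Servlet web.xml.

Added example (not from the post). Flags: auth-constraint roles and
security-role-ref links that no <security-role> declares (every login then
ends in 403), protected collections without a CONFIDENTIAL transport
guarantee, and a MyFaces client-state key that is typed text, not random bytes.
"""
import base64
import xml.etree.ElementTree as ET


def _local(tag):  # '{namespace}role-name' -> 'role-name' (Servlet 2.4 files are namespaced)
    return tag.rsplit("}", 1)[-1]


def _find(parent, name):  # descendants of `parent` with local name `name`, document order
    return [el for el in parent.iter() if _local(el.tag) == name]


def _texts(parent, name):  # trimmed text of every descendant called `name`
    return [(el.text or "").strip() for el in _find(parent, name)]


def check_web_xml(xml_text):
    """Return a list of human-readable findings; an empty list means all checks passed."""
    root = ET.fromstring(xml_text)
    findings = []

    declared = set()
    for role in _find(root, "security-role"):
        declared.update(_texts(role, "role-name"))

    for sc in _find(root, "security-constraint"):
        name = (_texts(sc, "display-name") or ["<unnamed constraint>"])[0]
        patterns = ", ".join(_texts(sc, "url-pattern"))
        auth = _find(sc, "auth-constraint")
        if not auth:
            continue  # no authentication required, nothing to mismatch
        for role in _texts(auth[0], "role-name"):
            if role != "*" and role not in declared:  # "*" means any declared role
                findings.append(f"{name}: auth-constraint role '{role}' is not declared in any "
                                f"<security-role>, so nobody can satisfy it ({patterns} -> 403)")
        if "CONFIDENTIAL" not in _texts(sc, "transport-guarantee"):
            findings.append(f"{name}: requires login but is not CONFIDENTIAL; the container "
                            f"forwards to the form-login-page under {patterns}, so the login "
                            f"form is shown over plain HTTP")

    for ref in _find(root, "security-role-ref"):
        ref_name = (_texts(ref, "role-name") or ["?"])[0]
        for link in _texts(ref, "role-link"):
            if link not in declared:
                findings.append(f"security-role-ref '{ref_name}' links to undeclared role '{link}'")

    params = {}
    for cp in _find(root, "context-param"):
        names, values = _texts(cp, "param-name"), _texts(cp, "param-value")
        if names and values:
            params[names[0]] = values[0]
    secret = params.get("org.apache.myfaces.secret")
    if params.get("javax.faces.STATE_SAVING_METHOD", "server").lower() == "client" and secret:
        try:
            key = base64.b64decode(secret, validate=True)
        except ValueError:
            findings.append("org.apache.myfaces.secret is not valid base64")
        else:
            # Random key bytes are overwhelmingly unlikely to all be printable ASCII;
            # a key that is was typed in and can be guessed or copied from examples.
            if all(32 <= b < 127 for b in key):
                findings.append(f"org.apache.myfaces.secret decodes to printable text {key!r}; a "
                                f"{len(key) * 8}-bit AES key must be random bytes, since anyone "
                                f"holding it can forge the encrypted client-side view state")
    return findings


# Constructed sample, loosely modelled on the web.xml in the post, with faults planted
# on purpose: role 'admin' and link 'managerrole' are never declared, and the ADMIN
# constraint has no transport guarantee. The secret is the one from the post.
SAMPLE_WEB_XML = """
<web-app>
  <context-param>
    <param-name>javax.faces.STATE_SAVING_METHOD</param-name>
    <param-value>client</param-value>
  </context-param>
  <context-param>
    <param-name>org.apache.myfaces.secret</param-name>
    <param-value>MDEyMzQ1Njc4OTAxMjM0NTY3ODkwMTIz</param-value>
  </context-param>
  <servlet>
    <servlet-name>Faces Servlet</servlet-name>
    <security-role-ref><role-name>user</role-name><role-link>userrole</role-link></security-role-ref>
    <security-role-ref><role-name>manager</role-name><role-link>managerrole</role-link></security-role-ref>
  </servlet>
  <security-constraint>
    <display-name>USER pages</display-name>
    <web-resource-collection><url-pattern>/user/*</url-pattern></web-resource-collection>
    <auth-constraint><role-name>userrole</role-name><role-name>companyrole</role-name></auth-constraint>
    <user-data-constraint><transport-guarantee>CONFIDENTIAL</transport-guarantee></user-data-constraint>
  </security-constraint>
  <security-constraint>
    <display-name>ADMIN pages</display-name>
    <web-resource-collection><url-pattern>/admin/*</url-pattern></web-resource-collection>
    <auth-constraint><role-name>admin</role-name></auth-constraint>
  </security-constraint>
  <security-role><role-name>userrole</role-name></security-role>
  <security-role><role-name>companyrole</role-name></security-role>
</web-app>
"""

if __name__ == "__main__":
    for finding in check_web_xml(SAMPLE_WEB_XML):
        print("-", finding)
```

Run against a real deployment by reading WEB-INF/web.xml into check_web_xml; the role checks are the ones to look at first when a login succeeds but the page still returns 403, because the container grants access only on a role-name that both the auth-constraint and a security-role declare, and the login module's roles query has to return exactly those names.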