I reply myself for the benefit of the community:
A workaround that I found is to use two applications:
You have to use two applications in the same security realm.
In one you put FORM authentication and in the other you put CLIENT-CERT authentication.
One application is the one you have developed and the other simply has an index.jsp that redirects to the other. That jsp has to be protected. This way when you try to access the jsp, authentication is done and credentials are put in the session and, since the two apps share the same security realm, you are logged in to the other application.
I've tried to implement this, but have run into trouble. Can anyone answer some basic questions about what the previous poster did that worked? I have an existing application that uses FORM authentication, and we're planning on adding the ability for some users to log in with PKI certificates.
My (existing) application uses FORM as its auth-type. I've created a new WAR whose sole content is a Servlet that redirects to my main application. This WAR uses the same security-domain (configured in the new jboss-web.xml file). In my new web.xml file, I apply the same security-constraints and security-role, but have a different auth-method (CLIENT-CERT). I also added a new login-module to the security domain, so that I have a chain of 2 login modules in a shared application-policy - one that will authenticate a user with a valid certificate, and one that will validate a user with a username/password.
The two parts of my app (the old application, and the new Servlet) both successfully use the main application-policy, and both are hitting the LoginModules in the debugger. But when the CLIENT-CERT authorized Servlet forwards a user to the FORM authorized main page, the user is prompted to relogin.
Does anybody have any advice on what I might be doing wrong? I can post code / xml samples if it would help.
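Below is an added, constructed example of the deployment descriptors for the small certificate-entry WAR that both posts above describe (the protected index.jsp / redirect Servlet with CLIENT-CERT, sharing a security domain with the FORM-protected main application). It is not code from either poster; the role name `user`, the security-domain name `java:/jaas/myapp`, and the main application's context path `/mainapp` are assumptions, while the element names are the standard Servlet deployment-descriptor and jboss-web.xml elements.

```xml
<!-- web.xml of the certificate-entry WAR (constructed example).
     Everything under / is protected, so the container performs CLIENT-CERT
     authentication before the redirect page is ever served. -->
<web-app>
  <login-config>
    <!-- The only difference from the main application's web.xml, which uses FORM -->
    <auth-method>CLIENT-CERT</auth-method>
  </login-config>

  <security-constraint>
    <web-resource-collection>
      <web-resource-name>certificate entry point</web-resource-name>
      <url-pattern>/*</url-pattern>
    </web-resource-collection>
    <auth-constraint>
      <!-- Same role the main application's security-constraint requires (assumed name) -->
      <role-name>user</role-name>
    </auth-constraint>
    <user-data-constraint>
      <!-- Force TLS: without an HTTPS connector there is no client certificate to check -->
      <transport-guarantee>CONFIDENTIAL</transport-guarantee>
    </user-data-constraint>
  </security-constraint>

  <security-role>
    <role-name>user</role-name>
  </security-role>
</web-app>

<!-- jboss-web.xml of the same WAR: the security-domain must be identical to the
     one declared in the main (FORM) application's jboss-web.xml (assumed name). -->
<jboss-web>
  <security-domain>java:/jaas/myapp</security-domain>
</jboss-web>

<!-- index.jsp of this WAR is a single line that sends the now-authenticated user on
     to the main application (assumed context path):
     <% response.sendRedirect(request.getContextPath().replace("/certentry", "/mainapp")); %>
-->
```

Two points worth checking when wiring this up: the `CONFIDENTIAL` transport guarantee matters because a client certificate is only presented during the TLS handshake, so the CLIENT-CERT WAR must be reached over an HTTPS connector configured to request client certificates; and a shared security-domain alone does not make the authenticated identity visible in the second WAR, since each web application keeps its own session. In the Tomcat-based JBoss web container, carrying the authentication across web applications on the same virtual host is the job of the single sign-on valve, so if the FORM application re-prompts after the redirect, that container-level SSO configuration is the first thing to verify.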