0 Replies Latest reply on Apr 8, 2007 9:22 AM by limnin

    Need help in JAAS authentication / authorization in web appl

    limnin

      Hi, all.
      After perusing lots of posts, wikis and docs I'm still stuck with the next problem. I have my EJB3 application deployed to JBoss; the security domain and the roles for bean methods are all correctly defined. I have my web application, which consists of some AJAX (GWT) code which interacts with my EJB application via transparent servlet calls, i.e. JavaScript makes calls to servlets and the servlets ask the beans for favors. The security domain for the web application is configured to be the same as for the EJB application.
      The security domain is configured to have two login modules: ClientLoginModule (first in order, required) and DatabaseServerLoginModule (second in order, required), which has its queries defined.
      As recommended in one of the server topics, I have a filter which does programmatic login. It checks whether the servlet session contains the login and... :(((... password, and if yes initializes a LoginContext, providing a callback handler with the corresponding information, and calls the login() method. In case the session doesn't contain that information, it does nothing and the call continues.
      Also I have a special servlet method which performs login for the username and password provided. In the success case it puts the login and... :(((... password into the session for the filter to use.
      All that stuff works. But I don't want to store anything in my servlet session. I'd rather be authenticated only once, get the user roles defined only once and be correctly authorized each time I make a call to a secured bean method afterwards.
      And I'm absolutely stuck with that task. Could anyone help with an explanation? I'm absolutely sure that this task is a very common one.

      Thanks in advance.