The security domain is configured to have two login modules: ClientLoginModule (first in order, required) and DatabaseServerLoginModule (second in order, required), which has its queries defined.
As recommended in one of the server topics, I have a filter which does programmatic login. It checks whether the servlet session contains the login and... :(((... password, and if yes, initializes a LoginContext, providing the callback handler with the corresponding information, and calls the login() method. If the session doesn't contain that information, it does nothing and the call continues.
Also, I have a special servlet method which performs the login for the username and password provided. On success, it puts the login and... :(((... password into the session for the filter to use.
All that stuff works. But I don't want to store anything in my servlet session. I'd rather be authenticated only once, get the user roles defined only once, and be correctly authorized each time I make a call to a secured bean method afterwards.
And I'm absolutely stuck with that task. Could anyone help with an explanation? I'm absolutely sure that this task is a very common one.
Thanks in advance.