Version 1



    I have the following Rest service which bypasses the form login and instead authenticates via the Rest service. This is working fine EXCEPT......I need to call the rest URL twice before I am forwarded to the home.xhtml page. The first time I get the login screen.


    Now, what I don't understand (and can't get to work) is that I am presented with the login screen ALTHOUGH there is a session AND the JAAS login worked already during the first call. Why does the Server not recognize there is already an authenticated session in the browser.


    How can this be fixed ? Or is there another mechanism I need to implement ? Maybe I am missing some fundamental understanding here ?




        public void login(@PathParam(value = "username") String username,

                @PathParam(value = "password") String password,

                @Context HttpServletRequest request,

                @Context HttpServletResponse response) throws NamingException,

                ServletException {


            try {

                request.login(username, password);

            } catch (ServletException e) {

                throw new WebApplicationException(Response.Status.BAD_REQUEST);



            // all is well

            String passwordhash = Util.createPasswordHash("MD5",

                    Util.BASE64_ENCODING, null, null, password);


            userService = (UserService) new InitialContext()



            User user = userService.getUserByUsernameAndPassword(username,



            if (user == null) {

                throw new WebApplicationException(Response.Status.BAD_REQUEST);



            try {

                URI uri = new URI("../user/home.xhtml");


                // Response.


                // return Response.temporaryRedirect(uri).build();

            } catch (URISyntaxException e) {

                // TODO Auto-generated catch block

                throw new WebApplicationException(Response.Status.NOT_ACCEPTABLE);



            String baseUrl = getBaseUrl(request);


            try {

                response.sendRedirect(baseUrl + "/user/home.xhtml");


            } catch (IOException e) {

                // TODO Auto-generated catch block







    I tried both Response.temporaryRedirect and the response.sendRedirect. Both have the same effect.


    Do I need to implement a filter or something?


    Thanks for your help!